Bugtraq mailing list archives
Re: How the password could be recover using FTP Explorer's registry!
From: rishi () UDEL EDU (Rishi Lee Khan)
Date: Mon, 28 Feb 2000 01:30:19 -0500
I've noticed similar behavior, and in fact, I've used it to decrypt passwords I've forgotten. However, I DO think that it is a security hole that when you uninstall this software, it does NOT delete the registry entries. Therefore, if one installs FTP Explorer on a machine that previously had it installed, all of the old passwords and accounts are still there. So you can log into someone else's stuff. This is especially a concern here at the University of Delaware as many people install and remove shareware from public computing sites.

-Rishi

On Fri, 25 Feb 2000, Seth R Arnold wrote:
Nelson, excuse my asking, but .. is this not the expected behavior?

Any client that stores login/password information must store it in a plain-text equivalent form on the hard drive, *unless it prompts the user for a key with which to unlock the information*. Unless it uses a key supplied by the user, it must be based on something similar to this.

If FTP Explorer is actually a server, then this is insecure -- servers should store hashes of passwords, not passwords.

If FTP Explorer is an ftp client, one would hope it documents the storing of passwords; to my way of thinking, not prompting for passwords the next time a site is used is documentation enough for anyone that cares about their security. Anyone for whom this isn't enough likely doesn't care about their security.

If you are worried about other people on your machine getting at the password through the registry, then I would hope the security settings on the registry are set up to disallow access -- but that would be WinNT only.

Don't get me wrong -- this is good detective work. However, to my way of thinking, this is also expected behavior.

Flames welcome. Autoreplies "I am out of the office" are not. :)

On Thu, Feb 24, 2000 at 09:18:52PM -0300, Nelson wrote:

The scene:
user -> nelson
pass -> ABC

On the Connect window, I typed login == nelson and pass == ***(ABC), and made a connection to my own FTP server.

After this, I found this KEY in the Windows REGISTRY:
HKEY_CURRENT_USER -> Software -> FTP Explorer -> Profiles -> MY_OWN_SERVER

and I found two values:
Login = nelson
Type = 4A4E52

Hmmm... looks like an encrypted password to me...

OK, the crypt function in FTP Explorer works like this: take the ASCII hex value and increment it by 9; as the position in the password changes, increment by 3 per position. In other words, an arithmetic progression.

I wrote some code to prove this; look at the result:

unreal:~/temp$ ./ftpe-crypt -t 3 -i 9 -r 3 -s teste
Criptografia do FTP Explorer v0.6b - por Nelson Brito
unreal:~/temp$ more teste
[...]
A = 4A = 4D = 50
    `-> correct
B = 4B = 4E = 51
         `-> correct
C = 4C = 4F = 52
              `-> correct
[...]

Well, the password is 'ABC'... Is it a big security hole? I think so...

PS: The credit for beginning this thread in BOS-Br <bos () sekure org> goes to Hever <Hever () vitech net>.

PPS: Sorry about my poor ENGLISH. If you don't understand, don't read. =)

My proof...

-------begin
/*
** This code demonstrates how the "cryptography" of the FTP Explorer
** software works, taking into account the information passed to
** BOS-Br by Hever<Hever () vitech net>.
**
** author:  Nelson Brito
** e-mails: nelson () sekure org & nelson () secunet com br
** program: ftpe-crypt.c
**
** ChangeLog:
** v 0.6b - output file added
**        - from this version on, all command-line arguments are
**          required
** v 0.5b - long command-line options added
**        - problems with the '-h' option fixed thanks to fpm :*( ) )
** v 0.4  - command-line options added, letting the user "set" their
**          preferences [a.k.a. getopt(3)]
** v 0.3  - added arguments passed to the r2() function
**        - counter to be used in r2() as an argument
** v 0.2  - development of the r2() function and inclusion of
**          u_abort()) and logo()
**        - the password length was increased
** v 0.1  - initial development of the program skeleton, including:
**          > removal of special characters, i.e. only [a-z][A-Z][0-9]
**          > a simple arithmetic progression, without using a formula
**            or function
**
** Thanks to drk, Morauder and fpm for the help with getopt(3). =)
**
** How to compile:
** lameness:~# gcc -Wall -O3 -g ftpe-crypt.c -o ftpe-crypt
*/
#include <stdio.h>
#include <signal.h>
#include <stdlib.h>
#include <getopt.h>
#include <unistd.h>

#define VERSION "0.6b"

/* n = ASCII code, p = position in the password, i = ratio, b = increment.
** Writes the encoded value (n + b + i*p) to fp in hex and returns it. */
int r2(int n, int p, int i, int b, FILE *fp){
    n=((n+b)+(i*p));
    fprintf(fp, "= %X ", n);
    return(n);
}

/* Print the usage text and exit; declared void because it never returns. */
void usage(char *p){
    fprintf(stderr, "use: %s -l <length> -i <increment> -r <ratio> -o <output-file>\n", p);
    fprintf(stderr, "example: %s -l 15 -i 9 -r 3 -o outlist\n", p);
    fprintf(stderr, "options:\n\t -l, --length password's length\n");
    fprintf(stderr, "\t -i, --increment ASCII Table's increment\n");
    fprintf(stderr, "\t -r, --ratio PA's ratio\n");
    fprintf(stderr, "\t -o, --output output file\n");
    fprintf(stderr, "\nfor ftpe's criptography use r=3, i=9\n");
    exit(1);
}

int main(int ac, char **av){
    FILE *outlist = NULL;
    int a = 48;                     /* start at ASCII '0' */
    int r = 0, inc = 0, ct = 0, op;

    printf("FTP Explorer's Criptography v%s - by Nelson Brito\n", VERSION);

    /* all four options, each with a value, are required */
    if(ac != 9) usage(av[0]);

    while(1){
        static struct option long_options[] = {
            {"length",    1, 0, 'l'},
            {"ratio",     1, 0, 'r'},
            {"increment", 1, 0, 'i'},
            {"output",    1, 0, 'o'},
            {0, 0, 0, 0}
        };
        int option_index = 0;

        op = getopt_long(ac, av, "l:r:i:o:", long_options, &option_index);
        if (op == -1) break;

        switch(op){
            case 'l': ct = atoi(optarg); break;
            case 'r': r = atoi(optarg); break;
            case 'i': inc = atoi(optarg); break;
            case 'o':
                if(!(outlist=fopen(optarg, "w"))){
                    printf("unable to open %s\n", optarg);
                    exit(1);
                }
                break;
            default: usage(av[0]); break;
        }
    }

    /* no output file was given (e.g. another option was repeated) */
    if(outlist == NULL) usage(av[0]);

    /* walk '0'..'z', skipping the punctuation between the digit,
    ** upper-case and lower-case ranges */
    while(a < 123){
        if(((a >= 58) && (a <= 64)) || ((a >= 91) && (a <= 96))){
            a++;
        }
        else{
            int c;
            fprintf(outlist, "%c ", (char)a);
            /* one column per password position */
            for(c = 0 ; c < ct ; c++) r2(a, c, r, inc, outlist);
            fprintf(outlist, "\n");
            a++;
        }
    }

    fclose(outlist);
    return(0);
}
-------end

That's all,
--
Nelson - nb

--
Seth Arnold | http://www.willamette.edu/~sarnold/
Hate spam? See http://maps.vix.com/rbl/ for help
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
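
Added example, not code from the thread or from FTP Explorer: a round trip through the progression Nelson describes (ASCII code + 9 + 3 per position), showing Seth's point that a value stored without a user-supplied key is plaintext-equivalent, which is why profile entries left behind after an uninstall matter. The function names and the printable-ASCII consistency check are assumptions of this example; the post only shows the letters A to C and does not say what happens when a value exceeds one byte.

```c
/* Added example (not from the thread). Scheme as described in the post:
 * stored byte = ASCII code + 9 + 3 * position, written as two hex digits. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FTPE_INCREMENT 9 /* "-i 9" in the post */
#define FTPE_RATIO 3     /* "-r 3" in the post */

/* Encode pw into out as hex. Returns 0, or -1 if out is too small or a value
 * would not fit in one byte (the post does not describe that case). */
int ftpe_encode(const char *pw, char *out, size_t outsz) {
    size_t n = strlen(pw);
    if (outsz < 2 * n + 1) return -1;
    for (size_t p = 0; p < n; p++) {
        int v = (unsigned char)pw[p] + FTPE_INCREMENT + FTPE_RATIO * (int)p;
        if (v > 0xFF) return -1;
        snprintf(out + 2 * p, 3, "%02X", (unsigned)v);
    }
    out[2 * n] = '\0';
    return 0;
}

/* Invert the progression. Returns 0 if the whole value decodes to printable
 * ASCII (i.e. it is consistent with the scheme), -1 otherwise. */
int ftpe_decode(const char *hex, char *pw, size_t pwsz) {
    size_t len = strlen(hex);
    if (len % 2 != 0 || pwsz < len / 2 + 1) return -1;
    for (size_t p = 0; p < len / 2; p++) {
        unsigned int v;
        if (!isxdigit((unsigned char)hex[2 * p]) ||
            !isxdigit((unsigned char)hex[2 * p + 1]) ||
            sscanf(hex + 2 * p, "%2x", &v) != 1) return -1;
        int c = (int)v - FTPE_INCREMENT - FTPE_RATIO * (int)p;
        if (c < 0x20 || c > 0x7E) return -1;
        pw[p] = (char)c;
    }
    pw[len / 2] = '\0';
    return 0;
}

int main(void) {
    char hex[64], pw[32];
    /* Sample taken from the post: password "ABC", stored value 4A4E52. */
    if (ftpe_encode("ABC", hex, sizeof hex) == 0) printf("ABC -> %s\n", hex);
    if (ftpe_decode("4A4E52", pw, sizeof pw) == 0) printf("4A4E52 -> %s\n", pw);
    return 0;
}
```

Neither function takes a key or any per-user input, so any account that can read the profile value can recover the password; restricting access to the key and deleting it on uninstall are the only protections this storage format allows.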