[[ TH 026 Inc. ]] SA #4 - Blackmoon FTP Server cleartext passwords and User enumeration

[Daniel Nyström <exce () netwinder nu>]

Telhack 026 Inc. Security Advisory - #4
_________________________________________

Name: Blackmoon FTP Server 2.6 Free Edition
Impact: Medium
Date: May 21 / 2003
_________________________________________

Daniel Nyström a.k.a. excE <exce () netwinder nu>



_I N F O_

BlackMoon FTP Server is an FTP daemon written specifically for Windows 2000/XP and above. It takes advantage of all the 
new features in the mentioned oses like io completion ports, thread pooling, running as a system services, using 
built-in SSL certificate stores, authenticating against an Active Directory or remote NTLM, accessing network shares, 
impersonating an NT user and more. More at: www.blackmoonftpserver.com

The Non-free editions has not been tested.



_P R O B L E M_

There are two problems with this software.

* User/Password data is stored in plaintext
* Easy to enumerate usernames.



_I M P A C T_

Users with physicall access can steal the database and extract user/pass pairs from it.
Malicious remote users can detect valid usernames on the FTP server.



_E X P L O I T I N G_

The plaintext Usernames/Passwords are stored in the file blackmoon.mdb in the 
Blackmoon FTP directory. To extract them use standard Windows software such 
as MS Access or MS Excel.

To find out valid usernames/passwords you just look at the server responses.

Valid username with invalid password: 
530-Login incorrect. Name[ValidUser] Pass[NotValidPass]

Invalid username with invalid password:
530-Account does not exist. Name[NotValidUser]

A tool for enumerating users in a bruteforce manner will be available on www.telhack.tk next week.


Daniel Nyström, excE
----------------------------------
exce () netwinder nu
http://www.telhack.tk
http://exce.ath.cx