Full Disclosure mailing list archives
Re: [Full-disclosure] New Tool - Flashfxp Password Decryptor Released !
From: Valdis.Kletnieks () vt edu
Date: Mon, 09 May 2011 13:30:06 -0400
On Mon, 09 May 2011 19:12:52 +0200, Nicolai () nxtgn org said:
How is this a "terribly mistake"?
Which is stronger, a password made of 16 characters chosen from the 256-character set 0x0..0xff, or 16 characters chosen from the 62-character set [A-Za-z0-9]? Of course, the fact it's a magic string at all is even more egregious.
If people use the "Site > Security > Set password" then this program can't decrypt the "sites".
And I want a pony. Hint: If you use "set password" where does it get stored? And is it just a case of "it's still an XOR and easily undone, just with a string you have to fetch rather than a fixed string"? A case can be made that this: SITEPASS1="xor-ed bit mess" SITEPASS2="another xor-ed mess" MAGICPASS="string the user entered" is even *easier* for an attacker to deal with than having to crowbar the magic string out of the Flash FPX binary.
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- New Tool - Flashfxp Password Decryptor Released ! Nagareshwar Talekar (May 09)
- Re: New Tool - Flashfxp Password Decryptor Released ! Valdis . Kletnieks (May 09)
- Re: [Full-disclosure] New Tool - Flashfxp Password Decryptor Released ! Nicolai (May 09)
- Re: [Full-disclosure] New Tool - Flashfxp Password Decryptor Released ! Valdis . Kletnieks (May 09)
- Re: New Tool - Flashfxp Password Decryptor Released ! Alexander Cherepanov (May 09)
- Re: [Full-disclosure] New Tool - Flashfxp Password Decryptor Released ! Nicolai (May 09)
- Re: New Tool - Flashfxp Password Decryptor Released ! Valdis . Kletnieks (May 09)