Date: Wed, 21 May 2003 01:30:07 +0200
From: Daniel Nyström <[email protected]>
To: [email protected]
Subject: [[ TH 026 Inc. ]] SA #4 - Blackmoon FTP Server cleartext passwords and User enumeration
Telhack 026 Inc. Security Advisory - #4
_________________________________________
Name: Blackmoon FTP Server 2.6 Free Edition
Impact: Medium
Date: May 21 / 2003
_________________________________________
Daniel Nyström a.k.a. excE <[email protected]>
_I N F O_
BlackMoon FTP Server is an FTP daemon written specifically for Windows 2000/XP and above. It takes advantage of all the new features in the mentioned OSes, such as I/O completion ports, thread pooling, running as a system service, using built-in SSL certificate stores, authenticating against Active Directory or remote NTLM, accessing network shares, impersonating an NT user and more. More at: www.blackmoonftpserver.com
The non-free editions have not been tested.
_P R O B L E M_
There are two problems with this software.
* User/password data is stored in plaintext.
* Usernames are easy to enumerate.
_I M P A C T_
Users with physical access can steal the database and extract user/password pairs from it.
Malicious remote users can detect valid usernames on the FTP server.
_E X P L O I T I N G_
The plaintext usernames/passwords are stored in the file blackmoon.mdb in the Blackmoon FTP directory. To extract them, use standard Windows software such as MS Access or MS Excel.
To find out which usernames are valid, you just look at the server responses.
Valid username with invalid password:
530-Login incorrect. Name[ValidUser] Pass[NotValidPass]
Invalid username with invalid password:
530-Account does not exist. Name[NotValidUser]
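As an added illustration, not code from the advisory or from the Blackmoon product, here is a Python sketch of how a server could address both problems: keep salted password hashes instead of plaintext, and answer every failed login with one identical 530 reply so the response text no longer reveals whether the account exists. The account name, password, dummy record and iteration count are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the advisory).
_ITERATIONS = 100_000


def make_record(password):
    """Return (salt, derived_key); only this is stored, never the plaintext."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return salt, key


# In-memory stand-in for the account database; holds hashes, not passwords.
USERS = {"ValidUser": make_record("correct horse")}
# Dummy record used for unknown names so the hash work is done either way.
_DUMMY = make_record("")


def vulnerable_login_response(name, password):
    """Mirrors the two distinct 530 replies quoted in the advisory: the
    message text tells the client whether the username exists."""
    if name not in USERS:
        return f"530-Account does not exist. Name[{name}]"
    salt, key = USERS[name]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    if not hmac.compare_digest(key, candidate):
        return f"530-Login incorrect. Name[{name}] Pass[{password}]"
    return "230 User logged in."


def hardened_login_response(name, password):
    """Same checks, but every failure yields one identical reply, the
    password is never echoed, and the hash is computed even for unknown
    names so timing does not distinguish the two cases either."""
    salt, key = USERS.get(name, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    if name in USERS and hmac.compare_digest(key, candidate):
        return "230 User logged in."
    return "530 Login incorrect."
```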
A tool for enumerating users in a bruteforce manner will be available on =
www.telhack.tk next week.
Daniel Nyström, excE
----------------------------------
[email protected]
http://www.telhack.tk
http://exce.ath.cx