Date: 3 Jan 2005 16:57:18 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]Subject: [NT] ArGoSoft FTP Server Reveals Valid Usernames and Allows Brute Forcing Attacks
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
ArGoSoft FTP Server Reveals Valid Usernames and Allows Brute Forcing
Attacks
------------------------------------------------------------------------
SUMMARY
<http://www.argosoft.com/ftpserver/>; ArGoSoft FTP Server is "a
lightweight FTP Server for Microsoft Windows platforms". Two
vulnerabilities exist in ArGoSoft, one allows enumerating the existing
user database of the FTP program, the other allows executing a brute force
attack without the server executing any type of defense against it.
DETAILS
Username disclosure:
Versions prior to 1.4.2.1 will disclose whether or not a supplied username
is valid or not. A login name supplied with the USER command will not be
accepted unless it is valid. If the username is invalid it will return a
message similar to:
530 User NAME_HERE does not exist
otherwise it will accept the username and ask for the password. Version
1.4.2.1 and beyond have fixed this problem and will ask for a password
regardless of whether or not the username actually exists. The vendor was
quick to fix this and released a new version relatively shortly after the
issue was reported.
Brute Force:
However, another issue is still at large with ArGOSoft's FTP Server. This
issue exists in the current version (1.4.2.4) and in previous versions.
ArGoSoft FTP Server does not have a limit to the number of tries that can
be entered for a username/password combination before it terminates the
connection. It will allow and unlimited number of login attempts. This
issue in conjunction with the previously mentioned one would not only
allow for brute force password cracking of a known username, but for a
quick brute force attack to find valid usernames. It might also be worth
mentioning that there also does not appear to be any type of login timeout
for the login process. This issue was also reported to the vendor at the
same time as username problem.
Solutions:
Upgrade to the latest version at the ArGoSoft website. As for the brute
force issue, perhaps that will be fixed in the future. Just make your
passwords difficult, keep your login name(s) secure, and turn on logging
and monitor it.
ADDITIONAL INFORMATION
The information has been provided by <mailto:steven@lovebug.org.> steven.
The original article can be found at:
<http://www.lovebug.org/argosoft_advisory.txt>;
http://www.lovebug.org/argosoft_advisory.txt
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
