hack_wsftp.txt
Posted Aug 17, 1999
Authored by Netherpunk

WS_FTP security design weaknesses allow a malicious cracker to take advantage of cached passwords with weak encryption. Remote root compromise possible.

tags | exploit, remote, root
SHA-256 | 238edab4bc6e5f142419ec5e1ddc1910ecc64838274acce9252d7a9f1ce2ce6b

Hacking WS FTP.INI
------------------


http://4n4rchy.hypermart.net
by, Netherpunk, Anarchist Rampage Inc.



I pretty much stumbled onto this bug by myself. Others have probably found it before me, so
I'll let you decide. I actually rewted a few web servers with this thing, so it can be pretty
useful if you know what you are looking for.

First, most everything that has password options in Windows gives you the option to save your
password, usually by checking a check box labeled "save password". Now, being a Windows expert
myself, I could say that Windows or the program will cache this password in some file very
lightly encrypted. Now this is not only stupid, but it is also a security risk if your
computer is accessible over any network. Never ever save your passwords anywhere. Memorise
them in your head. And also never use the same password for everything.

Now that we know Ws Ftp has the "save password" option, you will want to know where the password
is located. You guessed by the title of the text, didn't you? WS_FTP.INI is the file that
stores the ftp sessions that are both default and user defined in Ws Ftp. Now when you open
WS_FTP.INI, you will find normal default settings. Here is an example of the default session to
winsite.com.

[WinSite]
HOST=ftp.winsite.com
UID=anonymous
[Smithsonian Images]
HOST=photo1.si.edu
UID=anonymous
DIR="/images/gif89a/"

Now let us view an example of an ftp session to a sample host with a cached password.

[Primehost]
HOST=sampleftp.host.com
UID=admin
PWD=VE0496D09AC505584A460E9F9B1ABCD9F79A4AB9E9B
PASVMODE=1
TIMEOFFSET=0
LOCDIR=\
rdir0="/"
rdir1="/Backups"
rdir2="/Website"
rdir3="/Website/Common"
ldir0=C:\

Notice the encrypted password? That's what we want to see.

Now that you know what you are looking for, where do you get it and what do you do with it?
Well, as for finding WS_FTP.INI, that is up to you. Some morons upload every file including
WS_FTP.INI to their site. You can also try computers in cyber cafes as well. Now, some might
do things the hard way and try to decrypt the password in some *nix platform. There are C
scripts that do this for .INI files. But what if you are on Windows? Get Ws Ftp first of all.
Then copy the session from the victim's .INI and paste it in your own .INI file. Then open
Ws Ftp and connect. That's pretty simple, far too easy for most. Have fun.

This is a big security risk due simply to Ipswitch's lack of effort as far as security is
concerned. Ws Ftp, or any FTP program for that matter, can be a big security risk for those who
aren't conscious about it. The bottom line is, never save your passwords. Cached password
files use weak encryption, and in some cases, like that of WS_FTP.INI, anyone can use the cached
FTP session.
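
A defender's check for the exposure described above, added here as an example and not part of the original text: it parses the WS_FTP.INI layout shown in the listings and walks a directory tree (a web root or a shared workstation profile) to report every session that carries a saved PWD= entry. The function names, the sample data and the placeholder PWD value are constructed for illustration.

```python
import os

def sessions_with_saved_password(ini_text):
    """Return [(session, host, uid)] for every session that carries a PWD= entry."""
    findings, section, fields = [], None, {}
    def flush():
        # Record the session just finished if it stored a password.
        if section is not None and fields.get("PWD"):
            findings.append((section, fields.get("HOST", ""), fields.get("UID", "")))
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            flush()
            section, fields = line[1:-1], {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            fields[key.strip().upper()] = value.strip()
    flush()
    return findings

def audit_tree(root):
    """Walk root and report every WS_FTP.INI (any case) holding a saved password."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "ws_ftp.ini":
                path = os.path.join(dirpath, name)
                # latin-1 never fails to decode, so odd bytes cannot abort the scan.
                with open(path, encoding="latin-1") as fh:
                    for hit in sessions_with_saved_password(fh.read()):
                        report.append((path,) + hit)
    return report

# Constructed sample modelled on the two listings above; the PWD value is a placeholder.
SAMPLE = """[WinSite]
HOST=ftp.winsite.com
UID=anonymous
[Primehost]
HOST=sampleftp.host.com
UID=admin
PWD=PLACEHOLDER_NOT_A_REAL_VALUE
PASVMODE=1
"""

if __name__ == "__main__":
    # The PWD value itself is never printed or returned, only the affected account.
    for session, host, uid in sessions_with_saved_password(SAMPLE):
        print(f"session [{session}] saves a password for {uid}@{host}")
```

Any account the audit reports should have its password changed and the PWD= line removed from the file, since the file alone is enough to reuse the session.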

Happy Hacking!