what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

FTP Rush 2.1.8 X.509 Validation

FTP Rush 2.1.8 X.509 Validation
Posted May 21, 2014
Authored by Micha Borrmann | Site syss.de

FTP Rush version 2.1.8 fails to validate X.509 certificates.

tags | advisory
SHA-256 | 08db1ca6e7f0ad3753320343d94123a3e0682c3ebd85684834dbf71b50e8349d

FTP Rush 2.1.8 X.509 Validation

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2014-002
Product: FTP Rush
Vendor: Wing FTP Software
Affected Version(s): v2.1.8
Tested Version(s): v2.1.8 (Windows 7 32 bit and Windows 8.1 64 bit)
Vulnerability Type: X.509 validation
Risk Level: Medium
Solution Status:
Vendor Notification: 2014-04-04
Solution Date:
Public Disclosure: 2014-05-19
CVE Reference: Not assigned, (but similiar to CVE-2012-6606)
Author of Advisory: Micha Borrmann (SySS GmbH)

Overview:
FTP Rush does not validating X.509 certificates, if FTP with TLS is used

Vulnerability Details:
A user can not recognize an easy to perform
man-in-the-middle attack, because the client is not validate the X.509
certificate from the FTP server. In an untrusted networking
environment (like a Wifi hotspot), the current FTP AUTH TLS connection
with FTP Rush should be classified as not encrypted.

Proof of Concept (PoC): not needed

Solution: use another client for FTP with AUTH TLS

Disclosure Timeline:
April 3, 2014 - Vulnerability discovered
April 4, 2014 - Vulnerability reported to vendor
May 19, 2014 - Vulnerability disclosure, after a period of 45 days for
a responsible disclosure

Credits:
Security vulnerability found by Micha Borrmann of the SySS GmbH.

Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as
possible. The latest version of this security advisory is available on
the SySS web site
(https://www.syss.de/aktuelles/advisories/advisory-ftp-rush/)

Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJTefx8AAoJEPxn66kbURKKFw8P/R1/D7b8GoZTQtPe2Rj/w6Sx
KakOOZ5IOEgbZP9pl6vOQBCCOWfipJFgVCSoF9BYUOJ9k/fM7inQZl7e4BRBIfGR
2bJveIe+VScTnDQ+yt56TKo6jSMvdszwcBrNTTI+cTn1CvlWBJiDAjHj6SWDCWRe
47tT7LMtOCL8bA/EAacfxWxAJFv2Zu45rkSqGXvKxz987Ss1CuuMUHQ6BzyggcCS
GvvfojwvNDOK77C+uYAdnqcyaWmepX++T9FmQbvjOulrysN4LamvdfpzlOt1ZxTe
Mcw03Y/ERTrEZkNfahk98LwklceImp0ZozJWazmFaBwEUuKGXJNeBniq+RE7PORq
e1cZ5zBsD4xiO3OoFwzV/GvP/2/O/I4hPI9WbfhjaZ2A1bGEv3hofy4HWPUKk8w3
aclr7pyY8CqhwY6ZPzV1euhpM2sVzfUTdf2NcNVY6Ra3dbj+QkqgYI6xyRtXSEvS
cLElul4ihD9fd0asY6Iczl6bXLUj5tWAHlYR0hz59NJiJBFlWgf+bf44SqmCel+x
qh1P66/CbFWjWvit60FmYL+nPYxjXc2ygo7bYu84uwzs06z/zcuVVlJSpSuUl2WG
dbr9dTL+aQys7zAbLCsh5DnqRmWiMNM4z/V+CRiZuZLRaPVlclPJTeBAxSeZpOuP
MwOf6Izjw169Ih5Dw1dT
=pJ3c
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close