[NEWS] SurgeFTP Administrative Account Can be Easily Brute Forced

From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] SurgeFTP Administrative Account Can be Easily Brute Forced
Message-Id: <20010811111943.A610E138BF@mail.der-keiler.de>
Date: Sat, 11 Aug 2001 13:19:43 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  SurgeFTP Administrative Account Can be Easily Brute Forced
------------------------------------------------------------------------

SUMMARY

 <http://www.netwinsite.com/surgeftp/> SurgeFTP uses the same weak hashing
algorithm as the <http://www.securiteam.com/securitynews/5HP0L0U4UM.html>
NWAuth module to store the administrative password, but adds a fixed
'salt' value (the string "qr"). Because the salt is constant, it does not
vary between installations, which makes the stored hash even weaker
against a brute-force password cracking attack on the administrative
account.

DETAILS

Vulnerable systems:
SurgeFTP version 2.0f and prior

When the SurgeFTP administrator sets the account name and password
(SurgeFTP does not run without them), this information is written to the
file 'admin.dat' as an entry resembling the following:
  admin:qrQ\Wd

This file is used to authenticate the administrator with HTTP Basic
authentication against the web server that listens on TCP port 7021 (the
default port).

From an attacker's standpoint, the SurgeFTP administrative password can be
recovered by exploiting weaknesses in the way it is stored (it is better to
think of this as first cracking the hashes via their associated passwords,
and only then cracking the passwords themselves):
a) The password hash always begins with "qr" (the 'salt' value). Since this
value is used in the hashing algorithm, certain hash values can never be
produced, because no password maps to them.
b) Every character of the password goes through some calculation (using
the salt) and is then reduced modulo 40. For a three-character password
there are therefore at most 40 x 40 x 40 possible hashes (and considerably
fewer because of reason a).
c) Since certain hashes have more passwords associated with them than
others, the password list can be reduced even further.
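To make the counting argument in a) to c) concrete, the following is an added worked example, not SurgeFTP's or NWAuth's code and not the real algorithm (which the advisory does not give). It uses a constructed per-character hash that keeps only the two properties stated above, a fixed "qr" prefix and a modulo-40 reduction of each character, and counts how many candidate passwords collapse onto each hash value. For contrast it also stores and verifies a password with a random per-entry salt and PBKDF2, the kind of scheme that removes both weaknesses. The function names, the 62-symbol alphabet and the mixing constants are all assumptions made for the illustration.

```python
import hashlib
import hmac
import itertools
import os
import string
from collections import Counter
from typing import Tuple

# Constructed parameters for the toy model. The fixed "qr" salt and the
# modulo-40 reduction are the only figures taken from the advisory.
FIXED_SALT = "qr"
BUCKETS = 40
ALPHABET = string.ascii_letters + string.digits  # 62 symbols, a constructed choice


def toy_hash(password: str) -> str:
    """CONSTRUCTED per-character hash, not SurgeFTP's real algorithm.

    Each character is mixed with the fixed salt and reduced modulo 40, so the
    hash of a k-character password is the fixed salt followed by k symbols,
    each drawn from only 40 possible values.
    """
    out = []
    for i, ch in enumerate(password):
        salt_byte = ord(FIXED_SALT[i % len(FIXED_SALT)])
        mixed = (ord(ch) * 7 + salt_byte * 3 + i) % BUCKETS  # constructed mixing
        out.append(chr(33 + mixed))  # one printable symbol per bucket
    return FIXED_SALT + "".join(out)


def collision_stats(length: int, alphabet: str = ALPHABET) -> Tuple[int, int, int]:
    """Count how the toy hash collapses every password of the given length.

    Returns (candidate passwords, distinct hashes actually produced, size of
    the largest set of passwords that share one hash). The second figure can
    never exceed 40 ** length, which is the point made in b) above.
    """
    counts = Counter(
        toy_hash("".join(chars)) for chars in itertools.product(alphabet, repeat=length)
    )
    total = len(alphabet) ** length
    return total, len(counts), max(counts.values())


def store_password(password: str, iterations: int = 200_000) -> Tuple[str, str]:
    """The contrast: a random per-entry salt and a slow KDF (PBKDF2-HMAC-SHA256).

    Returns (salt_hex, hash_hex). Two entries for the same password differ
    because the salt is random, and each guess costs `iterations` rounds of
    SHA-256 instead of a handful of integer operations.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify_password(password: str, salt_hex: str, hash_hex: str,
                    iterations: int = 200_000) -> bool:
    """Recompute the PBKDF2 digest for the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), iterations
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    total, distinct, largest = collision_stats(3)
    print(f"{total} three-character passwords map to at most {BUCKETS ** 3} hashes "
          f"({distinct} actually produced); largest collision class: {largest}")
    salt_hex, hash_hex = store_password("hunter2")
    print("PBKDF2 entry:", salt_hex, hash_hex)
    print("verify correct password:", verify_password("hunter2", salt_hex, hash_hex))
    print("verify wrong password:  ", verify_password("hunter3", salt_hex, hash_hex))
```

Running the script enumerates all 62**3 three-character passwords over the constructed alphabet and shows that far fewer than 238,328 hash values come out, so an attacker only has to cover the hash space, not the password space. The PBKDF2 half shows what a defender would want from the product instead: a per-entry random salt (so identical passwords do not yield identical entries) and a deliberately slow derivation.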

Impact:
Since the SurgeFTP administrator account has read/write/delete privileges
to all resources, the impact of brute forcing the account is quite high.
Passwords of up to 5 or 6 characters can easily be guessed. Moreover, when
installing SurgeFTP there is no way to enable a stronger hashing algorithm
for the admin account, nor can web administration be disabled while the
server is running (you should block TCP port 7021 on the firewall). The
mitigating factors are that 1) an attacker has to know the login name of
the administrator account (it will most likely be set to "admin", but it
can be anything) and 2) passwords of more than 6 characters start to take
time to crack unless the search is limited to certain password
compositions.

Solution:
Block TCP port 7021 on the firewall.

ADDITIONAL INFORMATION

The information has been provided by <mailto:byterage@YAHOO.COM>
ByteRage.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
