Re: FileZilla weakly-encrypted password vulnerability: advisory + PoC

From: Nick Boyce (nick.boyce_at_gmail.com)
Date: 09/05/05

    Date: Mon, 5 Sep 2005 16:57:15 +0000
    To: bugtraq@securityfocus.com
    
    

    On 2 Sep 2005 13:59:49 -0000, m123303[ - at - ]richmond.ac.uk wrote:

    > Vulnerability summary
    > ---------------------
    [...]
    > There exists a problem in the way the XOR encryption is implemented
    > because the same cipher key is always used. This key is
    > hard-coded, which means that anyone can analyze the source code of
    > the application and find it. Of course, this wouldn't be
    > so easy if FileZilla wasn't an open source application.
    [...]

    Okay .. so (assuming that's a problem) what do you suggest is done by
    the FileZilla folks about this, given that we've already established
    ad nauseam that the best you can ever achieve in these circumstances
    is to obfuscate the key ?

    See http://marc.theaimsgroup.com/?l=bugtraq&m=112500510209243&w=2

    > Solution
    > --------
    > Choose "Use secure mode" during the installation (this disables
    > FileZilla from saving passwords), lockdown your client
    > machines where the FileZilla client is installed,

    Well, duh ... I always do this with my FileZilla installations - don't
    you ? I keep precious passwords somewhere else much safer. That's
    /why/ the FileZilla installer warns you about this and suggests you
    use secure mode if you're on a multi-user (or otherwise untrustable)
    machine.

    Keeping passwords in the registry, or an XML file (or indeed anywhere
    at all that doesn't in turn require yet another password to access)
    can only ever be a convenience-vs-security trade-off. No matter how
    "strongly" you garble the password for storage, if the source code is
    available then it won't be long before someone works out how to
    ungarble it - and even if the source code is *not* released it won't
    slow the Bad Guys down much.

    > ... or update to a patched version which fixes this issue (if available).

    Um, how can the FileZilla folks patch the problem, without again
    releasing the source code of the "new improved" algorithm and/or key ?

    Cheers,

    Nick Boyce
    Bristol, UK
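
The trade-off discussed above, as an added example that is not part of the original post and is not FileZilla's code: a fixed-key XOR store that anyone holding the program can reverse, next to a store that needs a user-supplied passphrase. The key, function names, iteration count and blob layout are assumptions, and the PBKDF2-derived keystream with HMAC is a standard-library sketch standing in for a vetted authenticated cipher.

```python
import hashlib, hmac, os

# Constructed stand-in for a key compiled into a client (not FileZilla's real key).
FIXED_KEY = b"constructed-demo-key"
ITERATIONS = 200_000  # assumed work factor for this sketch

def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def store_transparent(password: str) -> bytes:
    """Fixed-key XOR: no user secret goes in, so none is needed to reverse it."""
    return _xor(password.encode(), FIXED_KEY)

def load_transparent(blob: bytes) -> str:
    return _xor(blob, FIXED_KEY).decode()

def _derive(passphrase: str, salt: bytes, n: int):
    # One PBKDF2 call yields a 32-byte MAC key plus n keystream bytes for this salt.
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              ITERATIONS, dklen=32 + n)
    return okm[:32], okm[32:]

def store_with_passphrase(password: str, passphrase: str) -> bytes:
    pt = password.encode()
    salt = os.urandom(16)  # fresh salt per entry, so a keystream is never reused
    mac_key, stream = _derive(passphrase, salt, len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, stream))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct  # layout: 16-byte salt, 32-byte tag, ciphertext

def load_with_passphrase(blob: bytes, passphrase: str) -> str:
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    mac_key, stream = _derive(passphrase, salt, len(ct))
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or modified blob")
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()

if __name__ == "__main__":
    # Constructed sample credentials.
    print(load_transparent(store_transparent("s3cret-ftp")))
    blob = store_with_passphrase("s3cret-ftp", "master passphrase")
    print(load_with_passphrase(blob, "master passphrase"))
```

The second form is only as strong as the passphrase, and it gives up the convenience of logging in without typing anything.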

