Re: FileZilla weakly-encrypted password vulnerability: advisory + PoC

From: Nick Boyce (nick.boyce_at_gmail.com)
Date: 09/05/05

  • Next message: bhfh_at_walla.com: "PHP-Nuke"
    Date: Mon, 5 Sep 2005 16:57:15 +0000
    To: bugtraq@securityfocus.com
    
    

    On 2 Sep 2005 13:59:49 -0000, m123303[ - at - ]richmond.ac.uk wrote:

    > Vulnerability summary
    > - ---------------------
    [...]
    > There exists a problem in the way the XOR encryption is implemented
    > because the same cipher key is always used. This key is
    > hard-coded, which means that anyone can analyze the source code of
    > the application and find it. Of course, this wouldn't be
    > so easy if FileZilla wasn't an open source application.
    [...]

    Okay .. so (assuming that's a problem) what do you suggest is done by
    the FileZilla folks about this, given that we've already established
    ad nauseam that the best you can ever achieve in these circumstances
    is to obfuscate the key ?

    See http://marc.theaimsgroup.com/?l=bugtraq&m=112500510209243&w=2

    > Solution
    > - --------
    > Choose "Use secure mode" during the installation (this disables
    > FileZilla from saving passwords), lockdown your client
    > machines where the FileZilla client is installed,

    Well, duh ... I always do this with my FileZilla installations - don't
    you ? I keep precious passwords somewhere else much safer. That's
    /why/ the FileZilla installer warns you about this and suggests you
    use secure mode if you're on a multi-user (or otherwise untrustable)
    machine.

    Keeping passwords in the registry, or an XML file (or indeed anywhere
    at all that doesn't in turn require yet another password to access)
    can only ever be a convenience-vs-security trade-off. No matter how
    "strongly" you garble the password for storage, if the source code is
    available then it won't be long before someone works out how to
    ungarble it - and even if the source code is *not* released it won't
    slow the Bad Guys down much.

    > ... or update to a patched version which fixes this issue (if available).

    Um, how can the FileZilla folks patch the problem, without again
    releasing the source code of the "new improved" algorithm and/or key ?

    Cheers,

    Nick Boyce
    Bristol, UK


  • Next message: bhfh_at_walla.com: "PHP-Nuke"