COMMAND

    CuteFTP

SYSTEMS AFFECTED

    CuteFTP 1.x, 2.x, 3.x (other kind of bug)

PROBLEM

    Nick FitzGerald found the following.  Another case of very weak
    'protection' of secrets in Win32 network client software...
    Nick came across the following while investigating why the
    Melissa macro virus variant W97M/Melissa.M was interested in
    stealing a file called 'tree.dat' from victim machines.

    That file is the CuteFTP  v1.x and v2.x 'Site Manager'  data file,
    recording  site  names,  addresses,  site  preferences,   firewall
    information and (optionally) username and password data.  A  quick
    look at a sample  tree.dat after installing CuteFTP  suggested the
    passwords were 'encrypted' in a very weak manner.  A few moments'
    digging revealed that 'encrypted' is too strong a term -- the
    stored value was the original permuted by the simple expedient of
    adding 48h to the ASCII value of each character.  The file has a
    fairly simple binary structure, which a few more minutes' work
    would easily reverse, but the usernames and 'encrypted' passwords
    are easily obtained with a hex file editor.
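
    The keyless shift described above, as an added example that is not
    part of the original advisory: it models the +48h transform and
    checks a data file for the owner's own passwords in plaintext or
    shifted form.  The function names, the modulo-256 wrap and the
    sample blob are assumptions; the blob is constructed and is not
    the real tree.dat layout.

```python
# Added example: models the byte shift described in the advisory.
SHIFT = 0x48  # per the advisory: 48h added to each character's ASCII value


def obfuscate(secret: str) -> bytes:
    """Apply the stored-password transform: add 48h to every byte.
    Wrap-around modulo 256 is an assumption; the advisory does not say."""
    return bytes((b + SHIFT) % 256 for b in secret.encode("ascii"))


def deobfuscate(stored: bytes) -> str:
    """Reverse the transform. No key is involved, so anyone can do this."""
    return bytes((b - SHIFT) % 256 for b in stored).decode("ascii")


def find_exposed(blob: bytes, known_secrets):
    """Audit helper: report which of the owner's own passwords appear in a
    data file, either in plaintext or in shifted form, with byte offsets."""
    findings = []
    for secret in known_secrets:
        for form, needle in (("plaintext", secret.encode("ascii")),
                             ("shifted+48h", obfuscate(secret))):
            start = blob.find(needle)
            while start != -1:
                findings.append((secret, form, start))
                start = blob.find(needle, start + 1)
    return findings


# Constructed sample blob; this is NOT the real tree.dat/smdata.dat layout.
SAMPLE = (b"\x00\x01site-a\x00ftp.example.test\x00alice\x00"
          + obfuscate("hunter2") + b"\x00\x00fw-user\x00S3cret!\x00")

if __name__ == "__main__":
    for secret, form, offset in find_exposed(SAMPLE, ["hunter2", "S3cret!"]):
        print(f"{secret!r} stored as {form} at offset {offset}")
```

    Identical characters always map to identical bytes and the length
    is preserved, which is why the stored value gives no protection
    once the file is readable by another user.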

    This means that stealing tree.dat not only allows the thief
    access via CuteFTP to any 'secrets' that may be recorded in that
    file, but they can also be easily decoded for other uses.  The
    v3.x releases of CuteFTP store this data in smdata.dat (the virus
    does not look for that file) but it has a very similar-looking
    structure to tree.dat and uses the same 'encryption' of stored
    passwords.  This is a moot point anyway.  Anyone who can grab
    your tree.dat or smdata.dat can have your passwords even if they
    were to be strongly encrypted.  One would only have to download
    and install their own copy of CuteFTP, stick the associated .dat
    file in its path, run CuteFTP, and hit connect.  Your local
    machine or another on your network could easily run a sniffer and
    grab your plain text passwords as your client connects.  If you
    don't want to tip off the admin of a remote site that you have
    one of their users' passwords, then just replace the real server's
    IP with an ftp server you control.

    Briefly  looking  further,  we  can  note  the pre-v3.0 release of
    CuteFTP's INI  file includes  the plaintext  username and password
    for the  default firewall  configuration (if  one is  set).   This
    same data is stored in

        HKCU\Software\GlobalSCAPE\CuteFTP 3.0\CuteFTP

    (also in plain text) in version 3.56 (tested), and from the key
    name presumably all other v3.x releases.

SOLUTION

    NT users of CuteFTP would be  advised to update to a v3.x  release
    and apply adequate security to  the DAT file and the  registry key
    mentioned (and maybe  its siblings --  check for yourself  as Nick
    only found this because he was testing something unrelated to  his
    normal  concerns),  particularly   in  multiple-user   workstation
    situations.  Presumably users  of other OSes supported  by CuteFTP
    don't care too much about security anyway so this is not an  issue
    for them...

    A quick check of the CuteFTP Help files failed to find any mention
    of the inherent insecurity in the chosen mechanisms for storing
    these user details.