Total Commander Weak Encryption Algorithm Lets Local Users Obtain FTP Passwords
SecurityTracker Alert ID: 1015311 |
SecurityTracker URL: http://securitytracker.com/id/1015311
CVE Reference: GENERIC-MAP-NOMATCH
Date: Dec 6 2005
Impact:
Disclosure of authentication information
Version(s): 6.53
Description:
Juha-Matti Laurio reported a vulnerability in Total Commander. A local user can obtain password information.
The Total Commander file manager/FTP client utility uses a weak encryption algorithm to store internal FTP account information in the 'WCX_FTP.INI' file. A local user can obtain FTP username and password information.
The W32.Gudeb worm reportedly exploits this vulnerability to gather FTP usernames and passwords.
The vendor was notified on December 3, 2005.
The advisory is available at:
http://www.networksecurity.fi/advisories/total-commander.html
Impact:
A local user can obtain FTP usernames and passwords.
Solution:
No solution was available at the time of this entry.
As a workaround, the user can choose to not save FTP connections.
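As an added defender-side example (not part of the SecurityTracker entry or of Total Commander's own code), the following Python script parses a WCX_FTP.INI in the layout shown in the source message on this page and reports which saved connections still carry a `password` field, so an administrator can check that the workaround above has actually been applied. The sample INI text embedded in the script is constructed from the advisory's excerpt; the second "Mirror" connection, its host, and the latin-1 file encoding are assumptions. The script does not decode the password field; it only inventories where one is stored.

```python
"""Audit a Total Commander WCX_FTP.INI for saved FTP credentials.

Added example; not the vendor's code. Assumes the layout from the advisory:
a [connections] section listing connection names, and one section per
connection holding host/username/password. The password value is never
decoded, only its presence is reported.
"""
import configparser

# Constructed sample, mirroring the advisory's clipped excerpt.
# The "Mirror" entry (no saved password) is added to show the clean case.
SAMPLE_INI = """\
[OldConnections]
0=ftp.removed.com
[connections]
1=Homepage
2=Mirror
[Homepage]
host=ftp.removed.com
username=www.removed.fi
password=CF6ECD90B708F354B2CF41AAA833
directory=/pictures
[Mirror]
host=ftp.example.invalid
username=anonymous
directory=/pub
"""


def load_ini(text):
    """Parse WCX_FTP.INI text.

    interpolation=None keeps '%' in values literal; strict=False tolerates
    duplicate keys, which hand-edited INI files sometimes contain. Option
    names are case-insensitive, matching Windows INI convention.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def saved_credentials(text):
    """Return (connection_name, host, username, has_password) for every
    connection listed under [connections]."""
    parser = load_ini(text)
    findings = []
    if not parser.has_section("connections"):
        return findings
    for _, name in parser.items("connections"):
        if not parser.has_section(name):
            continue  # dangling entry: nothing stored for this name
        section = parser[name]
        findings.append((
            name,
            section.get("host", ""),
            section.get("username", ""),
            "password" in section,
        ))
    return findings


def connections_with_passwords(text):
    """Names of connections that still carry a stored (weakly encrypted) password."""
    return [name for name, _, _, has_pw in saved_credentials(text) if has_pw]


def audit_file(path):
    """Read a real WCX_FTP.INI (e.g. %SystemRoot%\\wcx_ftp.ini) and return the
    names of connections with stored passwords. latin-1 is an assumption about
    the file's encoding; it never raises on arbitrary bytes."""
    with open(path, encoding="latin-1") as fh:
        return connections_with_passwords(fh.read())


if __name__ == "__main__":
    for name, host, user, has_pw in saved_credentials(SAMPLE_INI):
        flag = "STORED PASSWORD" if has_pw else "no password saved"
        print(f"{name}: {user}@{host} -> {flag}")
```

Run against the sample, it flags only "Homepage"; pointed at a real file with `audit_file(r"C:\WINNT\wcx_ftp.ini")`, any name it returns is a connection whose credentials should be removed and re-entered at connect time instead of being saved.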
Vendor URL: www.ghisler.com/
Cause:
Access control error
Underlying OS:
Windows (Any)
Message History:
None.
Source Message Contents
Date: Sat, 3 Dec 2005 06:10:26 +0200 (EET)
Subject: Total Commander WCX_FTP.INI Weak FTP Account Information Encryption
Description:
The Total Commander file manager/FTP client utility is confirmed to be affected by a weak
account information encryption vulnerability. The vulnerability is caused by the weak
encryption algorithm used when internal FTP account information is saved to the
configuration file WCX_FTP.INI. Both username and password are saved to the file,
located in the directory given by the %System% variable.
This is reportedly being exploited by a new W32.Gudeb worm. W32.Gudeb spreads via FTP
and gathers valid accounts from Total Commander configuration file. This malware
searches for the file %System%\WCX_FTP.INI and gathers valid username and password
details. If this operation is successful, it will reportedly upload a copy of itself
to the newly compromised computers.
Example (C:\WINNT\wcx_ftp.ini etc.):
---clip---
[OldConnections]
0=ftp.removed.com
[connections]
1=Homepage
[Homepage]
host=ftp.removed.com
username=www.removed.fi
password=CF6ECD90B708F354B2CF41AAA833 (*)
directory=/pictures
---clip---
*) the content of the password field changed due to security/privacy reasons
From the vendor:
"Total Commander is a file manager for Windows, a program like Windows Explorer to
copy, move or delete files. However, Total Commander can do much more than Explorer,
e.g. pack and unpack files, access ftp servers, compare files by content, etc!"
This product was earlier known as Windows Commander.
Affected versions:
The vulnerability has been confirmed in version 6.53 for Windows. Other previous
versions may also be affected.
Exact TOTALCMD.EXE version: 6.5.3.0
Software:
Total Commander 6.x
OS:
Microsoft Windows 2000 Professional SP4, fully patched (tested)
Vendor:
C. Ghisler & Co.
http://www.ghisler.com/
Product Home Page:
http://www.ghisler.com/
Author: Christian Ghisler
Vendor was contacted on 3rd December, 2005.
Solution status:
No updated version available from the vendor at the time of reporting.
Workaround:
Do not save FTP connections.
References:
http://securityresponse.symantec.com/avcenter/venc/data/w32.gudeb.html
CVE information: N/A
Credit information:
This vulnerability was researched by Juha-Matti Laurio, Networksecurity.fi
Timeline:
02-Dec-2005 - Vulnerability researched and confirmed
03-Dec-2005 - Detailed research, new FTP hosts tested
03-Dec-2005 - Vendor contacted, workaround delivered to the vendor
03-Dec-2005 - Security companies and several CERT units contacted
Reference URL is coming in a separate message.
Best regards,
Juha-Matti Laurio, Networksecurity.fi
Security researcher
Finland