argosoft_advisory.txt

Posted Jan 2, 2005
Authored by Steven | Site lovebug.org

Versions of the ArGoSoft FTP server prior to 1.4.2.1 disclose whether a supplied username is valid. A login name supplied with the USER command is not accepted unless it is valid.

tags | advisory
SHA-256 | 89ccfd2a196725b8e9084c125c42f0d20b43c9aa550dedd42679aa8a4121ac54

Vendor:   ArGoSoft
Date: December 31, 2004
Issue: ArGoSoft FTP Server reveals valid usernames and allows for brute
force attacks
URL: https://www.argosoft.com/ftpserver/
Advisory: https://www.lovebug.org/argosoft_advisory.txt

Program Overview:

ArGoSoft FTP Server is a lightweight FTP Server for Microsoft Windows
platforms. The program "supports all basic FTP commands, and much more,
such as passive mode, resuming file transfers, windows shortcuts to
another files, folders and drives (including network drives), virtual
domains (multiple IP homes), IP filtering, site specific commands, such as
compressing and copying files on the server, changing date/time stamps,
and so on." It is fairly simple to use and configure, and consequently
does not take much time to get up and running.


Issues:

1.

Versions prior to 1.4.2.1 will disclose whether a supplied username is
valid. A login name supplied with the USER command will not be accepted
unless it is valid. If the username is invalid, the server returns a
message similar to:

530 User NAME_HERE does not exist

otherwise it will accept the username and ask for the password. Version
1.4.2.1 and beyond have fixed this problem and will ask for a password
regardless of whether or not the username actually exists. The vendor was
quick to fix this and released a new version relatively shortly after the
issue was reported.

2.

However, another issue is still at large with ArGoSoft's FTP Server. This
issue exists in the current version (1.4.2.4) and in previous versions.
ArGoSoft FTP Server does not limit the number of username/password
attempts that can be made before it terminates the connection. It will
allow an unlimited number of login attempts. This issue in conjunction
with the previously mentioned one would not only allow for brute force
password cracking of a known username, but for a quick brute force attack
to find valid usernames. It might also be worth mentioning that there does
not appear to be any type of timeout for the login process. This issue was
also reported to the vendor at the same time as the username problem.


Solutions:

Upgrade to the latest version at the ArGoSoft website. As for the brute
force issue, perhaps that will be fixed in the future. Just make your
passwords difficult, keep your login name(s) secure, and turn on logging +
monitor it.
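
Added example (not part of the original advisory and not ArGoSoft's code):
a per-connection login handler showing the two server-side defenses that
correspond to issues 1 and 2, a USER reply that is the same for valid and
invalid names, and a cap on failed attempts after which the connection is
closed. The class name, the limit of 3 and the sample account are
assumptions made for illustration.

```python
import hmac

MAX_ATTEMPTS = 3  # assumed policy: failed logins allowed per connection
USERS = {"alice": "correct horse"}  # constructed sample; real servers store hashes


class LoginSession:
    def __init__(self, users=USERS, max_attempts=MAX_ATTEMPTS):
        self.users = users
        self.max_attempts = max_attempts
        self.pending_user = None
        self.failures = 0
        self.authenticated = False
        self.closed = False

    def handle(self, line):
        """Return the reply for one command line received before login."""
        if self.closed:
            return "421 Service not available, closing control connection"
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            # Issue 1: always answer 331, never "530 User ... does not exist",
            # so the reply does not reveal whether the name is valid.
            self.pending_user = arg
            return "331 Password required"
        if cmd != "PASS":
            return "530 Please login with USER and PASS"
        if self.pending_user is None:
            return "503 Login with USER first"
        user, self.pending_user = self.pending_user, None
        expected = self.users.get(user)
        # Unknown users are compared against a dummy value so both paths do
        # the same work; the comparison itself is constant-time.
        candidate = expected if expected is not None else ""
        match = hmac.compare_digest(arg.encode(), candidate.encode())
        if match and expected is not None:
            self.authenticated = True
            return "230 User logged in"
        self.failures += 1
        if self.failures >= self.max_attempts:  # Issue 2: cap the attempts
            self.closed = True
            return "421 Too many failed logins, closing connection"
        return "530 Login incorrect"
```

A per-connection cap only slows a client that reconnects, so it is usually
paired with per-source-address throttling and the log monitoring
recommended above.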


Credits:

My recent free time -- which has enabled me to type all of this up. HAPPY
NEW YEAR!

Also: Go Virginia Tech, let's beat Auburn in the Sugar Bowl :)

-Steven
steven@lovebug.org
www.lovebug.org