Message-ID: <20050904065926.30695.qmail@securityfocus.com>
Date: 4 Sep 2005 06:59:26 -0000
From: medhead@...gmandesign.com
To: bugtraq@...urityfocus.com
Subject: Re: FileZilla weakly-encrypted password vulnerability: advisory + PoC


QUOTED FROM FILEZILLA FORUM POST: I AM IN NO WAY CONNECTED WITH FILEZILLA DEVELOPMENT, NOR DO I SPEAK ON BEHALF OF FILEZILLA. WHAT IS WRITTEN BELOW HAS BEEN COPIED FROM THE FILEZILLA FORUM POST.

http://filezilla.sourceforge.net/forum/viewtopic.php?t=1328

Preface: There is no known security vulnerability in FileZilla; the reported vulnerability is a hoax.

Recently someone reported an alleged security vulnerability in FileZilla. But very quickly it became visible that the problem is not a vulnerability at all, but in fact a fundamental issue of every single program that can store passwords transparently.
Despite my reply the vulnerability got released to several security sites. Someone even posted some sort of exploit: source code that decrypts the stored passwords of FileZilla. But how could this be an exploit? In order to connect to a server with the encrypted passwords, FileZilla itself has to decrypt it. And since FileZilla is open source (basically every single program is, just look at the machine code), everyone can decrypt the passwords with little effort.

The encryption method used to store the passwords is a very simple algorithm. It hasn't been designed to be cryptographically strong; it should just obscure passwords.
In fact it is impossible to transparently store passwords securely, see below for reasons.

So since the vulnerability report got released despite my explanations, I can only assume that the author has either very little experience or, what I don't hope, this is an attempt to discredit FileZilla.

--------

FILEZILLA DEVELOPER REPLIES TO ORIGINAL EMAIL

--------

Hi,

thanks for your concern about FileZilla. I would like to clarify that
this is not a security vulnerability. The password encryption has never
been designed to be secure, it's just meant to obfuscate the password.

In order to use the stored passwords, FileZilla itself has to be able to
decrypt the passwords, for this it needs the encryption key to be stored
along with the encrypted passwords. In this case the key is stored
inside the executable.
This is no different than with any other program that can store
passwords transparently: It's never secure and can always be cracked
with very little effort. This is especially true for open source
software where everyone can inspect the encryption code.

But there are a few ways to store passwords in a secure way. I'll add a few
comments on all of them.

1. Don't save passwords at all. Implemented in FileZilla, choose "Secure
mode" during setup.
2. Don't store the password itself, store hashes. This won't work for
FTP as FTP needs to send original passwords and hashes aren't reversible.
3. Encrypt settings using a master password, don't save the master
password at all, request it from the user on startup. Not implemented in
FileZilla, partially because of
4. Use the tools the operating system provides to protect data, that is
access rights and file encryption. Though obviously the user has to
set this up himself.

That said, for FileZilla 3 I even plan to omit password obfuscation by
default. Transparent password storage is equally secure when passwords
are stored in plaintext.

Regards,
Tim Kosse

