Telhack 026 Inc. Security Advisory - #4
_________________________________________

Name: Blackmoon FTP Server 2.6 Free Edition
Impact: Medium
Date: May 21 / 2003
_________________________________________

Daniel Nyström a.k.a. excE <exce@netwinder.nu>

_I N F O_

BlackMoon FTP Server is an FTP daemon written specifically for Windows 2000/XP and above. It takes advantage of all the new features in those OSes, such as I/O completion ports, thread pooling, running as a system service, using built-in SSL certificate stores, authenticating against an Active Directory or remote NTLM, accessing network shares, impersonating an NT user and more.

More at: www.blackmoonftpserver.com

The non-free editions have not been tested.

_P R O B L E M_

There are two problems with this software.

* User/password data is stored in plaintext.
* Usernames are easy to enumerate.

_I M P A C T_

Users with physical access can steal the database and extract user/pass pairs from it.

Malicious remote users can detect valid usernames on the FTP server.

_E X P L O I T I N G_

The plaintext usernames/passwords are stored in the file blackmoon.mdb in the Blackmoon FTP directory. To extract them, use standard Windows software such as MS Access or MS Excel.

To find out which usernames are valid, you just look at the server responses, which differ for unknown accounts and for wrong passwords.

Valid username with invalid password:

530-Login incorrect. Name[ValidUser] Pass[NotValidPass]

Invalid username with invalid password:

530-Account does not exist. Name[NotValidUser]

A tool for enumerating users in a bruteforce manner will be available on www.telhack.tk next week.

Daniel Nyström, excE
----------------------------------
exce@netwinder.nu
http://www.telhack.tk
http://exce.ath.cx
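Because the two 530 replies differ, an operator can spot enumeration in the server's own logs: many distinct "Account does not exist" names from one client in a short window is the signature. The detector below is an added example, not part of the advisory or of Blackmoon; the log line layout ("timestamp client-ip server-reply") and the sample lines are constructed, since the page does not show the real log format.

```python
"""Flag clients that trigger '530-Account does not exist.' for many distinct
usernames in a short window (a user-enumeration signature for servers whose
login failures distinguish unknown accounts from bad passwords)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): one client probing many names,
# one legitimate user who mistypes a name once and then logs in.
SAMPLE_LOG = """\
2003-05-21T10:00:01 203.0.113.5 530-Account does not exist. Name[admin]
2003-05-21T10:00:02 203.0.113.5 530-Account does not exist. Name[test]
2003-05-21T10:00:02 203.0.113.5 530-Login incorrect. Name[daniel] Pass[guess]
2003-05-21T10:00:03 203.0.113.5 530-Account does not exist. Name[ftp]
2003-05-21T10:00:04 203.0.113.5 530-Account does not exist. Name[guest]
2003-05-21T10:00:05 203.0.113.5 530-Account does not exist. Name[backup]
2003-05-21T10:01:00 198.51.100.7 530-Account does not exist. Name[danie]
2003-05-21T10:01:05 198.51.100.7 230 User logged in.
"""

# Only the "unknown account" reply matters; "Login incorrect" is a normal failure.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) 530-Account does not exist\. Name\[(?P<name>[^\]]*)\]"
)


def find_enumerators(log, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: sorted probed names} for every client that hit
    'Account does not exist' for at least `threshold` distinct names within `window`."""
    events = defaultdict(list)  # ip -> [(timestamp, name)]
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["name"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            names = {n for _, n in evs[start:end + 1]}
            if len(names) >= threshold:
                flagged[ip] = sorted(names)
                break
    return flagged


if __name__ == "__main__":
    for ip, names in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(names)} unknown accounts: {', '.join(names)}")
```

The same data also shows the fix on the server side: returning one identical failure message for both cases removes the signal the detector (and an attacker) relies on.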