Bad Encryption in GoodTech FTP Server
Results 1 to 10 of 10

Thread: Bad Encryption in GoodTech FTP Server

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    735

    Bad Encryption in GoodTech FTP Server

    Recently I installed GoodTech FTP Server for Windows 95/98 V3.0 onto my Windows box. So I played with it for a while and found out some stuff about the way it saves it passwords by looking at its passwd file.

    Basically it creates a username/password file where it stores the accepted (valid) usernames and their respective passwords. However, to my shock and horror ( :P ), the way the passwords are encrypted has nothing to do with the username at all, like in DES, where the username has an affect on the ciphertext version on the password, if you understand what I mean...

    So a password "whatever" with username "jethro", would equal an encrypted version of the same password, "whatever", with a completely different username, "geergeger". The password is made in the following way:



    test3 ** 0


    The spaces at the start middle and end are useless, as is the 0 at the end, which I think signifies the end of the password. The spaces in the middle are a lot bigger than what I have conveyed them here so I just decided to shorten it down a bit.

    So after more experimenting, I found out what each encrypted letter's plaintext is. Here's the alpha-numerical alphabet: (it's a simple letter-replacement setup)


    - 0
    - 1
    - 2
    - 3
    - 4
    - 5
    - 6
    - 7
    - 8
    - 9

    - a
    - b
    - c
    - d
    - e
    - f
    - g
    - h
    - i
    - j
    - k
    - l
    - m
    - n
    - o
    - p
    - q
    - r
    - s
    - t
    - u
    - v
    - w
    - x
    - y
    - z

    - A
    - B
    - C
    - D
    - E
    - F
    - G
    - H
    - I
    - J
    - K
    - L
    - M
    - N
    - O
    - P
    - Q
    - R
    - S
    - T
    - U
    - V
    - W
    * - X
    * - Y
    - Z

    So anybody (even "guest") with improperly set permissions (you have to set the permissions yourself, in a seperate file. Somebody might be stupid enough to forget to do this because the server works without it) could issue a ``GET`` command for the passwd file and get the ``encrypted`` passwords for any user.

    Also, if you notice, every second letter has the same letter to substitute for it, so "-" means both X and Y and "" means both P and Q. So if someone was to brute-force the server, the passwords would be much easier to crack.

    <Edit> I had to reword this whole post because someone PMed me and said they couldn't understand it. I hope it makes more sense now, as looking back on it, there were a lot of typographical errors </Edit>

    GoodTechSys.com

  2. #2
    Senior Member
    Join Date
    Dec 2001
    Posts
    884
    Wow, that's very good work, jethro. Congratulations on finding this out, and I suggest that you, as a smart and noble person, report your discovery to the company who distributed this FTP client to let them change it for the better.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    735
    Hmm good idea... Maybe they'll give me some money or something...

  4. #4
    Senior Member
    Join Date
    Aug 2001
    Posts
    485
    Originally posted here by jethro
    Hmm good idea... Maybe they'll give me some money or something...
    Somehow I doubt it ... I brief glance at their description of the product doesn't imply any security features, although as you say, single 'letter' substitution is about the weakest encryption method that you can use.
    However, I see they also offer a 'Secure network for Windows98 etc.", so it would be interesting to know what encryption method they use for passwords on that product.
    Including the username in such a basic encryption method would not make that much difference

  5. #5
    Banned
    Join Date
    Jun 2002
    Posts
    458
    I understand that they would be easy to decrypt, but how could people get the password file?

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    735
    Update from the guys at GoodTech Systems...

    -----Message from GoodTech Systems-----
    From: Technical Support [mailto:support@goodtechsys.com]
    Sent: Thursday, June 27, 2002, 6:36PM
    To: jethrojones@gmx.net
    Subject: Re: Weak Encryption


    Hi Jethro,

    I saw that you used our 95/98 ftp server, and in this version we use our own
    method of saving the usernames and passwords. Windows 95/98 does not have a
    build in security like Windows NT/2000 and XP. If you use our Windows
    NT/2000/XP product you will notice that we use the build in security of
    Windows that does save passwords in a secure manner (encrypted).

    Regards,

    Rony,
    Technical Support,
    GoodTech Systems.
    Are they admitting that they have bad security? They advise me to install the FTP server for a completely different OS. Yes NT/2000 and XP does have better security, but does that change the fact that people using Windows 95 or Windows 98 are vulnerable if they have this software installed?
    I think this company are going to (much like politicans) dance around the issues or the question and nothing I say is going to help that.
    I'd just like to know, does anybody else use this FTP server? Because if it's not as popular as I think it is, then I suppose it's not a big issue.


    -----Original Message-----
    From: Jethro Jones [mailto:jethrojones@gmx.net]
    Sent: Thursday, June 27, 2002 1:36 PM
    To: support@goodtechsys.com
    Subject: Weak Encryption


    Recently I downloaded your evaluation FTP server, only to discover that it
    had a very weak encryption method, which is a simple letter substitution
    method. Isn't this a terrible security risk to anybody who has not setup
    permissions properly on their accounts?

    I made the following post on a security-related website: (I am Jethro)
    http://www.antionline.com/showthread...&postid=543505

    It outlines my findings. I suggest you use a method of encryption such as
    MD5, DES or even RSA.

    I await your reply,
    Declan "Jethro" Snowden.
    Originally posted here by khakisrule
    I understand that they would be easy to decrypt, but how could people get the password file?
    FTP to the account and issue a GET command.

  7. #7
    Banned
    Join Date
    Oct 2001
    Posts
    263
    um, its my understanding that in a *nix /etc/passwd (assuming your not using shadow, if you are it still works but in the file /etc/shadow insted) file you can just copy your personal shells hash to another users password block and then their password becomes your password........ am i wrong?

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    735
    But, I'm not talking about the /etc/passwd file. In fact, I'm not even talking about *nix. The software creates *its own* passwd file, you use specifically with the FTP server...

    Originally posted here by LoggOff
    um, its my understanding that in a *nix /etc/passwd (assuming your not using shadow, if you are it still works but in the file /etc/shadow insted) file you can just copy your personal shells hash to another users password block and then their password becomes your password........ am i wrong?

  9. #9
    Senior Member
    Join Date
    Apr 2002
    Posts
    712
    Originally posted here by jethro
    But, I'm not talking about the /etc/passwd file. In fact, I'm not even talking about *nix. The software creates *its own* passwd file, you use specifically with the FTP server...
    Well, that's certainly better than it using the system password file, in any case. Presumeably the daemon can be relegated to particular directories where the password file does not reside and, thusly, can not be "got at" through the daemon itself.

    Also, I believe they might want an upgrade in the system because of some of the "crypto" that ships with the system? I seem to remember certain VPNs and similiar sysytems that, if on Win95 or early 98, require an additional crypto package in order to work. I could be mis-remembering that, however - it's been a while since I've installed it.
    \"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"

  10. #10
    Banned
    Join Date
    Oct 2001
    Posts
    263
    ok yes i realise that, im not saying otherwise, im just asking......
    also...... dosnt that 1 for 1 character substitution scheme count as a simple cypher? i mean its technicly no differnt than the cryptoquote in the newspaper......... mabee even simpler cause it stays the same....... i mean hello! can they do anything stupider? might as well save it in plaintext if the servers security relies on your keeping the password file seperate

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •