Vendor: ArGoSoft
Date: December 31, 2004
Issue: ArGoSoft FTP Server reveals valid usernames and allows for brute force attacks
URL: http://www.argosoft.com/ftpserver/
Advisory: http://www.lovebug.org/argosoft_advisory.txt

Program Overview:
ArGoSoft FTP Server is a lightweight FTP server for
Microsoft Windows platforms. The program "supports all basic FTP commands,
and much more, such as passive mode, resuming file transfers, windows shortcuts
to another files, folders and drives (including network drives), virtual domains
(multiple IP homes), IP filtering, site specific commands, such as compressing
and copying files on the server, changing date/time stamps, and so on." It
is fairly simple to use and configure and consequently does not take much
time to get up and running.
Issues:

1. Versions prior to 1.4.2.1 disclose whether a supplied username is valid.
A login name supplied with the USER command is not accepted unless it exists.
If the username is invalid the server returns a message similar to:

530 User NAME_HERE does not exist

otherwise it accepts the username and asks for the password.
Version 1.4.2.1 and later fix this problem and ask for a password
regardless of whether the username actually exists. The vendor was
quick to fix this and released a new version relatively shortly after the issue
was reported.
2. However, another issue is still at large with ArGoSoft's FTP
Server. This issue exists in the current version (1.4.2.4) and in previous
versions. ArGoSoft FTP Server does not limit the number of username/password
combinations that can be tried before it terminates the
connection; it allows an unlimited number of login attempts.
This issue in conjunction with the previously mentioned one would not only allow
brute force password cracking of a known username, but also a quick brute
force attack to find valid usernames. It might also be worth mentioning that
there does not appear to be any type of timeout for the login
process. This issue was reported to the vendor at the same time as the
username problem.
Solutions: Upgrade to the latest version from the ArGoSoft website. As for the
brute force issue, perhaps that will be fixed in the future. Until then, make
your passwords difficult, keep your login name(s) secure, and turn on logging and
monitor it.
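As an added example (not ArGoSoft's code, and not taken from the advisory), the following minimal USER/PASS login state machine shows the enumeration-prone reply described in issue 1 beside a hardened variant that answers every USER the same way and caps failed PASS attempts per connection, which is the behaviour a fix for issue 2 would need. The account store, the password hash, and the attempt limit are constructed assumptions.

```python
import hashlib
import hmac

MAX_ATTEMPTS = 3  # assumption: per-connection cap chosen for illustration
DUMMY_HASH = "0" * 64  # matches no real SHA-256 digest

# Constructed sample account store: username -> sha256(password) hex digest.
ACCOUNTS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

def _check(user, password):
    # Hash and compare even for unknown names, so neither the reply nor the
    # timing tells the client whether the username exists.
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, ACCOUNTS.get(user, DUMMY_HASH))

class LeakySession:
    """Pre-1.4.2.1 behaviour described in the advisory: USER reveals validity."""
    def user(self, name):
        if name not in ACCOUNTS:
            return f"530 User {name} does not exist"
        self._user = name
        return "331 Password required"

class HardenedSession:
    """Uniform replies for any USER, plus a cap on PASS attempts per connection."""
    def __init__(self):
        self._user = None
        self._attempts = 0
        self.closed = False  # once set, the caller should drop the TCP connection

    def user(self, name):
        # Always ask for a password, whether or not the name is known.
        self._user = name
        return "331 Password required"

    def password(self, secret):
        if self.closed:
            return "421 Service not available, closing control connection"
        self._attempts += 1
        if _check(self._user, secret):
            return "230 User logged in"
        if self._attempts >= MAX_ATTEMPTS:
            self.closed = True
            return "421 Too many failed logins, closing control connection"
        return "530 Login incorrect"
```

A per-connection cap alone still lets a client reconnect and continue, so a real server would also track failures per source address and log each rejected attempt.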
Credits: My recent free time -- which has enabled me to type all of this up.
HAPPY NEW YEAR!
Also: Go Virginia Tech, let's beat Auburn in the Sugar Bowl :)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
