<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML DIR=ltr><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"></HEAD><BODY>
<DIV><FONT face='Arial' color=#000000 size=2>Title:
FileZilla (client) public credentials vulnerability<BR>Risk:
Medium<BR>Versions
affected: <=2.2.15<BR>Credits: pagvac (Adrian Pastor)<BR>Date
found: 10th September, 2005<BR>Homepage: <A
href="http://www.ikwt.com">www.ikwt.com</A> <A
href="http://www.adrianpv.com">www.adrianpv.com</A><BR>E-mail: m123303
[ - a t - ] richmond.ac.uk</FONT></DIV><FONT face=Arial color=#000000 size=2>
<DIV><BR>Background<BR>----------<BR>FileZilla client is an open source Windows
FTP/SFTP client.</DIV>
<DIV><BR>Vulnerability Description<BR>-------------------------<BR>FileZilla
client stores all users' credentials (including passwords) <BR>in a globally
public directory under Windows which allows all users <BR>with local access
(including restricted users) to dump the credentials <BR>of all users and
decrypt their passwords.</DIV>
<DIV> </DIV>
<DIV>The directory is %programfiles%\FileZilla\</DIV>
<DIV>where %programfiles% is usually "C:\program files".</DIV>
<DIV> </DIV>
<DIV>The default Windows ACLs grant *read* access to %programfiles% to all
<BR>users. This means that even restricted accounts can dump any user's
<BR>credentials (including the administrators' credentials) from
"FileZilla.xml".</DIV>
<DIV> </DIV>
<DIV>This would *not* be possible if the developers had programmed the FileZilla
<BR>client to save the config file under %homepath% which would be
<BR>"C:\Documents and Settings\username\FileZilla.xml" by default.</DIV>
<DIV> </DIV>
<DIV>The advantage of the %homepath% directory is that, by default, only its
owner <BR>and users within the "administrators" group have read access (rather
than all <BR>users).</DIV>
<DIV><BR>Disclaimer<BR>----------<BR>If I get a response from the project
developers arguing that the previous <BR>security flaw is not a vulnerability
but rather a feature, I will simply <BR>*not* answer. </DIV>
<DIV> </DIV>
<DIV>No offence, but I'm not willing to waste my time with the common "insecure
<BR>by design" debate. In my humble opinion applications should *never* store
<BR>user credentials in locations in the file system that are readable by
all<BR>users (unless you want all users to steal your passwords).</DIV>
<DIV><BR>PoC<BR>---<BR>I coded a small tool which dumps all users' credentials
from <BR>"FileZilla.xml" and the registry and decrypts all passwords
found.</DIV>
<DIV> </DIV>
<DIV>In order to exploit this vulnerability the credentials need to be <BR>saved
in "FileZilla.xml" (rather than the registry). Luckily, the XML <BR>file is the
default location used to save the credentials :-)</DIV>
<DIV> </DIV>
<DIV>If the credentials were stored in the registry instead, you would
<BR>need to run this tool as the user whose credentials you want to dump
<BR>(this is because the credentials are saved under
"HKEY_CURRENT_USER"<BR>rather than HKEY_LOCAL_MACHINE).</DIV>
<DIV> </DIV>
<DIV>Executable and source code along with Visual Studio project file:</DIV>
<DIV> </DIV>
<DIV><A
href="http://www.ikwt.com/projects/filezilla-pwdump.zip">http://www.ikwt.com/projects/filezilla-pwdump.zip</A><BR><A
href="http://www.adrianpv.com/projects/filezilla-pwdump.zip">http://www.adrianpv.com/projects/filezilla-pwdump.zip</A></DIV>
<DIV> </DIV>
<DIV>I tested this tool in Windows XP SP1 by running it with restricted accounts
<BR>from the "Users" and "Guests" groups and it successfully dumped all
users'<BR>credentials (including admins'). </DIV>
<DIV> </DIV>
<DIV>This is possible because the default Windows ACLs of the
%programfiles%<BR>directory grant *read* access to all users. As far as I know
this is<BR>true in Windows 2000 SPX and Windows XP SPX as well (please correct
me<BR>if I'm wrong as I'm *not* a computer security guru).</DIV>
<DIV><BR>Solution<BR>--------<BR>Choose to save user settings in the Windows
registry, or select<BR>"Use secure mode" during the installation (this
stops the<BR>FileZilla client from saving passwords at all), and lock down the
client<BR>machines where the FileZilla client is installed.</DIV>
<DIV> </DIV>
<DIV>Alternatively, you can try convincing the FileZilla developers to modify
<BR>the application so that each user's credentials are stored in
his/her<BR>home folder.</DIV>
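<DIV><BR>An added audit check, not part of this advisory or of the FileZilla
project: a PowerShell snippet that reports whether "FileZilla.xml" under
%programfiles% carries an allow-read ACE for broad groups such as
BUILTIN\Users or Everyone, which is the exposure described above. The
file path and the list of broad principals are assumptions for this
example; adjust them to the install location in use.</DIV>

```powershell
# Added example (not from the advisory): flag a FileZilla.xml that is
# readable by broad groups. Run on the client machine being audited.
$xmlPath = Join-Path $env:ProgramFiles 'FileZilla\FileZilla.xml'   # assumed location

# Principals that effectively mean "every local account" (assumed list)
$broadPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-FileZillaConfigExposure {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Exposed = $false; ExposingAces = @() }
    }

    $acl = Get-Acl -LiteralPath $Path
    $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData

    # Keep only Allow ACEs for a broad principal that include the ReadData bit
    # (FullControl, Modify, ReadAndExecute and Read all contain it).
    $exposing = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broadPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $readBit) -ne 0)
    }

    return [pscustomobject]@{
        Path         = $Path
        Exists       = $true
        Exposed      = [bool]$exposing
        ExposingAces = @($exposing | ForEach-Object {
            $tag = if ($_.IsInherited) { ' (inherited from the parent directory)' } else { '' }
            "$($_.IdentityReference): $($_.FileSystemRights)$tag"
        })
    }
}

$result = Test-FileZillaConfigExposure -Path $xmlPath
$result
if ($result.Exposed) {
    Write-Warning 'FileZilla.xml is readable by non-owner accounts. Switch to registry storage or "Use secure mode", then delete the file.'
}
```

Inherited ACEs in the output confirm the advisory's point that the exposure comes from the default %programfiles% permissions rather than from anything FileZilla set explicitly.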
<DIV> </DIV>
<DIV><BR>Regards,</DIV>
<DIV>pagvac (Adrian Pastor)<BR>Earth, SOLAR SYSTEM</FONT></DIV></BODY></HTML>