SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   Total Commander
Vendors:   Ghisler, Christian
Total Commander Weak Encryption Algorithm Lets Local Users Obtain FTP Passwords
SecurityTracker Alert ID:  1015311
SecurityTracker URL:  http://securitytracker.com/id/1015311
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 6 2005
Impact:   Disclosure of authentication information

Version(s): 6.53
Description:   Juha-Matti Laurio reported a vulnerability in Total Commander. A local user can obtain password information.

The Total Commander file manager/FTP client utility uses a weak encryption algorithm to store internal FTP account information in the 'WCX_FTP.INI' file. A local user can obtain FTP username and password information.

The W32.Gudeb worm reportedly exploits this vulnerability to gather FTP usernames and passwords.

The vendor was notified on December 3, 2005.

The advisory is available at:

http://www.networksecurity.fi/advisories/total-commander.html

Impact:   A local user can obtain FTP usernames and passwords.
Solution:   No solution was available at the time of this entry.

As a workaround, the user can choose to not save FTP connections.

Vendor URL:  www.ghisler.com/
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Total Commander WCX_FTP.INI Weak FTP Account Information Encryption

Description:
Total Commander file manager/FTP client utility is confirmed as affected by a weak 
account information encryption vulnerability. The vulnerability is caused by a weak 
encryption algorithm used when internal FTP account information is saved to the
configuration file WCX_FTP.INI. Both username and password are saved to the file
located in the directory from the %System% variable.

This is reportedly being exploited by a new W32.Gudeb worm. W32.Gudeb spreads via FTP 
and gathers valid accounts from the Total Commander configuration file. This malware 
searches for the file %System%\WCX_FTP.INI and gathers valid username and password 
details. If this operation is successful, it will reportedly upload a copy of itself 
to the newly compromised computers.

Example (C:\WINNT\wcx_ftp.ini etc.):
---clip---
[OldConnections]
0=ftp.removed.com
[connections]
1=Homepage
[Homepage]
host=ftp.removed.com
username=www.removed.fi
password=CF6ECD90B708F354B2CF41AAA833 (*)
directory=/pictures
---clip---

*) the content of the password field has been changed for security/privacy reasons

From the vendor:

"Total Commander is a file manager for Windows, a program like Windows Explorer to 
copy, move or delete files. However, Total Commander can do much more than Explorer, 
e.g. pack and unpack files, access ftp servers, compare files by content, etc!"

This product was earlier known as Windows Commander.

Affected versions:
The vulnerability has been confirmed in version 6.53 for Windows. Other previous 
versions may also be affected.
Exact TOTALCMD.EXE version: 6.5.3.0

Software:
Total Commander 6.x

OS:
Microsoft Windows 2000 Professional SP4 fully patched tested

Vendor:
C. Ghisler & Co.
http://www.ghisler.com/

Product Home Page:
http://www.ghisler.com/
Author: Christian Ghisler

Vendor was contacted on 3rd December, 2005.

Solution status:
No updated version available from the vendor at the time of reporting.

Workaround:
Do not save FTP connections.

References:
http://securityresponse.symantec.com/avcenter/venc/data/w32.gudeb.html

CVE information: N/A

Credit information:
This vulnerability was researched by Juha-Matti Laurio, Networksecurity.fi

Timeline:
02-Dec-2005 - Vulnerability researched and confirmed
03-Dec-2005 - Detailed research, new FTP hosts tested
03-Dec-2005 - Vendor contacted, workaround delivered to the vendor
03-Dec-2005 - Security companies and several CERT units contacted

Reference URL is coming in a separate message.


Best regards,
Juha-Matti Laurio, Networksecurity.fi
Security researcher
Finland
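
An inventory check to support the workaround (do not save FTP connections), added here as an example and not part of the advisory or the original message: it lists which connection sections in a wcx_ftp.ini-style file carry a stored password, so those entries can be deleted and the account passwords rotated, without decoding the stored value. The function name, the sample hosts and values, and the latin-1 file encoding are assumptions made for this example.

```python
import configparser
import sys

# Constructed sample in the layout the report shows; every value is a placeholder.
SAMPLE_INI = """\
[OldConnections]
0=ftp.example.test
[connections]
1=Homepage
2=Staging
[Homepage]
host=ftp.example.test
username=webmaster
password=00112233445566778899
directory=/pictures
[Staging]
host=staging.example.test
username=deploy
directory=/
"""

def find_saved_credentials(ini_text):
    """Return one finding per section that stores a non-empty password value.

    The stored value is never decoded or returned, only its length.
    """
    parser = configparser.ConfigParser(
        interpolation=None,    # stored values may contain '%'
        strict=False,          # tolerate duplicate sections/keys
        allow_no_value=True,   # tolerate keys written without '='
    )
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        stored = (parser.get(section, "password", fallback="") or "").strip()
        if stored:
            findings.append({
                "section": section,
                "host": parser.get(section, "host", fallback="") or "",
                "username": parser.get(section, "username", fallback="") or "",
                "stored_length": len(stored),
            })
    return findings

if __name__ == "__main__":
    # Path to audit is given by the operator; latin-1 is an assumed encoding.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_INI
    for f in find_saved_credentials(text):
        print(f"[{f['section']}] host={f['host']} user={f['username']} "
              f"stored password present ({f['stored_length']} chars): delete entry, rotate")
```

Run it with the path to the configuration file as the only argument; with no argument it reports on the constructed sample.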
 
 

