Category: Application (File Transfer/Sharing) > Serv-U FTP Server
Vendors: Serv-U
RhinoSoft FTP Serv-U Remote Administration Client Discloses Administrator Passwords When Using S/KEY One-Time Passwords
SecurityTracker Alert ID: 1002882
CVE Reference: CVE-2001-1463
Updated:  May 22 2009
Original Entry Date:  Dec 1 2001
Impact:   Disclosure of authentication information
Exploit Included:  Yes  

Description:   CERT reported a vulnerability in the RhinoSoft Serv-U remote administration client. When a user's account is configured for S/KEY one-time passwords, the client discloses the user's plaintext password.

CERT reports that, during the authentication process, the client ignores the S/KEY one-time password (OTP) challenge sent by the server and instead sends the password entered by the user in plaintext. The server rejects it, so authentication fails, and the plaintext password has been exposed on the network.

The vendor has reportedly been notified.

Impact:   A remote user with a network sniffer that is located between the user and the server can determine administrator passwords when S/KEY is used.
Solution:   No solution was available at the time of this entry.
Cause:   Authentication error
Underlying OS:  Windows (Any)

Message History:   None.

Source Message Contents

Subject:  RhinoSoft Serv-U remote administration client transmits password in

Vulnerability Note VU#279763

RhinoSoft Serv-U remote administration client transmits password in


A vulnerability exists in the remote administration client for RhinoSoft
Serv-U. During the authentication process, the client ignores the S/KEY
one-time password (OTP) challenge sent by the server and sends the
password entered by the user in plaintext. 

I. Description

RhinoSoft Serv-U is a shareware Windows FTP server that supports S/KEY
one-time password (OTP) authentication using MD4 or MD5 hash algorithms.
Cat Soft LLC is also involved in the development of Serv-U and is an
affiliate of RhinoSoft. The Serv-U distribution includes an
administration client that can be used to manage Serv-U servers
remotely. Serv-U user accounts can be configured to use plaintext or
S/KEY OTP authentication, and accounts can be granted several levels of
administrative privilege on the server. When a user with administrative
privileges attempts to log on to a Serv-U server using the remote
administration client, and that user's account is configured on the
server to use S/KEY OTP authentication, the server correctly sends an
S/KEY OTP challenge, but the administration client ignores the challenge
and sends the password entered by the user in plaintext. The server
refuses the plaintext password and authentication fails, and the
plaintext password is exposed on the network. 

See RFC 1760 and RFC 2289 for more information on S/KEY and one-time
password (OTP) authentication. 
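The challenge/response the note describes, carried through as an added example that is not from the CERT note or from Serv-U: the otp-md5 response a conforming client should send (RFC 2289), the server-side check that lets the scheme work without the passphrase ever crossing the wire, and a small classifier a defender can run over a captured FTP control channel to tell a proper OTP reply from a reusable password sent in its place. The 331 challenge wording, the account values and the regexes are assumptions.

```python
import hashlib
import re

# Challenge a server embeds in its 331 reply for an S/KEY/OTP account
# (RFC 2289 form "otp-md5 <sequence> <seed>"); these patterns are assumptions.
CHALLENGE_RE = re.compile(r"otp-md5\s+(\d+)\s+(\S+)", re.IGNORECASE)
HEX_OTP_RE = re.compile(r"^(?:[0-9a-f]{4}\s*){4}$", re.IGNORECASE)
SIX_WORD_RE = re.compile(r"^(?:[a-z]{1,4}\s+){5}[a-z]{1,4}$", re.IGNORECASE)

def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XOR (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))

def otp_md5(passphrase: str, seed: str, sequence: int) -> str:
    """otp-md5 response for one sequence number, as 16 hex digits: lowercased
    seed + passphrase hashed and folded once, then re-hashed `sequence` times."""
    state = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        state = fold_md5(state)
    return state.hex().upper()

def server_verify(received_hex: str, stored_last_hex: str) -> bool:
    """Server side: hashing the client's OTP (sequence N) once more must give the
    OTP stored from the previous login (N+1); the passphrase never hits the wire."""
    again = fold_md5(bytes.fromhex(received_hex.replace(" ", ""))).hex().upper()
    return again == stored_last_hex.replace(" ", "").upper()

def classify_pass_reply(challenge_line: str, pass_arg: str) -> str:
    """'otp' if PASS carries a hex or six-word OTP response, 'plaintext' if it
    carries anything else, i.e. the reusable secret the vulnerable client sends."""
    if not CHALLENGE_RE.search(challenge_line):
        return "no-challenge"
    arg = pass_arg.strip()
    if HEX_OTP_RE.match(arg) or SIX_WORD_RE.match(arg):
        return "otp"
    return "plaintext"

def demo() -> dict:
    # Constructed account values, not taken from the advisory.
    passphrase, seed, n = "correct horse battery", "se4711", 98
    challenge = "331 otp-md5 98 se4711 ext, Response required."
    stored = otp_md5(passphrase, seed, n + 1)  # server keeps this from the last login
    conforming = otp_md5(passphrase, seed, n)  # what a correct client answers
    return {
        "conforming_client": classify_pass_reply(challenge, conforming),
        "servu_client": classify_pass_reply(challenge, passphrase),
        "server_accepts": server_verify(conforming, stored),
    }
```

The six-word check is a format heuristic only; a passphrase that happens to be six short words would be mis-labelled, so pair it with the server's own rejection (a 530 after the 331 challenge) when building a detection rule.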

II. Impact

A properly located intruder using a sniffer can obtain administrative
users' passwords. In addition, an administrative user account configured
to use S/KEY OTP cannot log into a Serv-U server using a vulnerable
remote administration client. 

III. Solution

The CERT/CC is currently unaware of a practical solution to this

IIIb. Workarounds

It may be possible to use other forms of encryption, such as a VPN, SSH
or IPSEC, to secure a remote administration connection to a Serv-U

Systems Affected


The CERT Coordination Center thanks Fred Maxwell for reporting this

This document was written by Art Manion. 

Other Information

Date First Published: 11/19/2001 05:21:47 PM
