SecurityTracker.com
SecurityTracker
Archives
Category:   Application (File Transfer/Sharing)  >   Serv-U FTP Server
Vendors:   Serv-U
RhinoSoft FTP Serv-U Remote Administration Client Discloses Administrator Passwords When Using S/KEY One-Time Passwords
SecurityTracker Alert ID:  1002882
SecurityTracker URL:  http://securitytracker.com/id/1002882
CVE Reference:   CVE-2001-1463
Updated:  May 22 2009
Original Entry Date:  Dec 1 2001
Impact:   Disclosure of authentication information
Exploit Included:  Yes  

Description:   CERT reported a vulnerability in the RhinoSoft Serv-U remote administration client. When using S/KEY one-time passwords, the client discloses the user's plain text password.

CERT reports that, during the authentication process, the client ignores the S/KEY one-time password (OTP) challenge sent by the server and sends the password entered by the user in plaintext. This causes authentication to fail.
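To make the failure concrete, here is an added example (not code from the advisory, from CERT, or from Serv-U) of what an S/KEY OTP client is supposed to compute from an otp-md5 challenge, with the matching server-side verify step and a cheap log check that flags a reply that is not OTP-shaped. The inputs are the MD5 test vector from RFC 2289 Appendix C; the function names are assumptions.

```python
import hashlib
import re

# Constructed inputs: the MD5 test vector from RFC 2289 Appendix C. They are
# not credentials from the advisory; they only let the arithmetic be checked.
PASSPHRASE = "This is a test."
SEED = "TeSt"

def fold(digest: bytes) -> bytes:
    """RFC 2289: reduce a 16-byte MD5 digest to 8 bytes by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_md5(passphrase: str, seed: str, count: int) -> str:
    """One-time password for the challenge 'otp-md5 <count> <seed>', as 16 hex digits.
    S = fold(MD5(lowercase(seed) + passphrase)); fold(MD5(.)) is then applied
    'count' more times. The passphrase itself never leaves the client."""
    h = fold(hashlib.md5((seed.lower() + passphrase).encode("ascii")).digest())
    for _ in range(count):
        h = fold(hashlib.md5(h).digest())
    return h.hex()

def client_reply(challenge: str, passphrase: str) -> str:
    """What a correct client answers after parsing the server's challenge line."""
    m = re.match(r"otp-md5 (\d+) ([0-9A-Za-z]+)", challenge.strip())
    if not m:
        raise ValueError("not an otp-md5 challenge: " + challenge)
    return "hex:" + otp_md5(passphrase, m.group(2), int(m.group(1)))

def server_verify(stored_hex: str, reply: str) -> bool:
    """Server side: hashing the reply once must reproduce the stored (count+1)th
    value, which is then replaced by the reply for the next login."""
    digits = reply.strip()
    if digits.startswith("hex:"):
        digits = digits[4:]
    digits = digits.replace(" ", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", digits):
        return False
    return fold(hashlib.md5(bytes.fromhex(digits)).digest()).hex() == stored_hex.lower()

HEX_FORM = re.compile(r"(hex:)?([0-9A-Fa-f]{4} ?){4}")
WORD_FORM = re.compile(r"(word:)?([A-Za-z]{1,4} ){5}[A-Za-z]{1,4}")

def reply_is_otp_shaped(reply: str) -> bool:
    """Defensive check for server logs or an IDS rule: after an OTP challenge a
    well-behaved client answers in hex or six-word form. A free-form string,
    which is what the affected Serv-U client sent, indicates that a static
    secret may have crossed the wire and the account should be treated as exposed."""
    r = reply.strip()
    return bool(HEX_FORM.fullmatch(r) or WORD_FORM.fullmatch(r))
```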

The vendor has reportedly been notified.

Impact:   A remote user with a network sniffer located between the user and the server can determine administrator passwords when S/KEY is used.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.Serv-U.com/
Cause:   Authentication error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  RhinoSoft Serv-U remote administration client transmits password in plaintext


Vulnerability Note VU#279763

RhinoSoft Serv-U remote administration client transmits password in
plaintext

Overview

A vulnerability exists in the remote administration client for RhinoSoft
Serv-U. During the authentication process, the client ignores the S/KEY
one-time password (OTP) challenge sent by the server and sends the
password entered by the user in plaintext. 

I. Description

RhinoSoft Serv-U is a shareware Windows FTP server that supports S/KEY
one-time password (OTP) authentication using MD4 or MD5 hash algorithms.
Cat Soft LLC is also involved in the development of Serv-U and is an
affiliate of RhinoSoft. The Serv-U distribution includes an
administration client that can be used to manage Serv-U servers
remotely. Serv-U user accounts can be configured to use plaintext or
S/KEY OTP authentication, and accounts can be granted several levels of
administrative privilege on the server. When a user with administrative
privileges attempts to log on to a Serv-U server using the remote
administration client, and that user's account is configured on the
server to use S/KEY OTP authentication, the server correctly sends an
S/KEY OTP challenge, but the administration client ignores the challenge
and sends the password entered by the user in plaintext. The server
refuses the plaintext password and authentication fails, and the
plaintext password is exposed on the network. 


See RFC 1760 and RFC 2289 for more information on S/KEY and one-time
password (OTP) authentication. 

II. Impact

A properly located intruder using a sniffer can obtain administrative
users' passwords. In addition, an administrative user account configured
to use S/KEY OTP cannot log into a Serv-U server using a vulnerable
remote administration client. 

III. Solution

The CERT/CC is currently unaware of a practical solution to this
problem. 

IIIb. Workarounds

It may be possible to use other forms of encryption, such as a VPN, SSH
or IPSEC, to secure a remote administration connection to a Serv-U
server. 

Systems Affected

Vendor      Status       Date Updated
RhinoSoft   Vulnerable   19-Nov-2001


References

http://www.rhinosoft.com/
http://www.serv-u.com/
http://www.cat-soft.com/

Credit

The CERT Coordination Center thanks Fred Maxwell for reporting this
vulnerability. 

This document was written by Art Manion. 

Other Information

Date Public:          11/19/2001
Date First Published: 11/19/2001 05:21:47 PM
Date Last Updated:    11/19/2001
CERT Advisory:
CVE Name:
Metric:               1.25
Document Revision:    22

Copyright 2021, SecurityGlobal.net LLC