RhinoSoft FTP Serv-U Remote Administration Client Discloses Administrator Passwords When Using S/KEY One-Time Passwords
SecurityTracker Alert ID: 1002882
SecurityTracker URL: http://securitytracker.com/id/1002882
Updated: May 22 2009
Original Entry Date: Dec 1 2001
Disclosure of authentication information
Exploit Included: Yes
CERT reported a vulnerability in the RhinoSoft Serv-U remote administration client. When the account is configured for S/KEY one-time passwords, the client discloses the user's plaintext password.
CERT reports that, during the authentication process, the client ignores the S/KEY one-time password (OTP) challenge sent by the server and sends the password entered by the user in plaintext. This causes authentication to fail.
The vendor has reportedly been notified.
A remote user with a network sniffer positioned between the user and the server can obtain administrator passwords when S/KEY is used.
No solution was available at the time of this entry.
Vendor URL: www.Serv-U.com/
Underlying OS: Windows (Any)
Source Message Contents
Subject: RhinoSoft Serv-U remote administration client transmits password in plaintext
Vulnerability Note VU#279763
RhinoSoft Serv-U remote administration client transmits password in plaintext
A vulnerability exists in the remote administration client for RhinoSoft
Serv-U. During the authentication process, the client ignores the S/KEY
one-time password (OTP) challenge sent by the server and sends the
password entered by the user in plaintext.
RhinoSoft Serv-U is a shareware Windows FTP server that supports S/KEY
one-time password (OTP) authentication using MD4 or MD5 hash algorithms.
Cat Soft LLC is also involved in the development of Serv-U and is an
affiliate of RhinoSoft. The Serv-U distribution includes an
administration client that can be used to manage Serv-U servers
remotely. Serv-U user accounts can be configured to use plaintext or
S/KEY OTP authentication, and accounts can be granted several levels of
administrative privilege on the server. When a user with administrative
privileges attempts to log on to a Serv-U server using the remote
administration client, and that user's account is configured on the
server to use S/KEY OTP authentication, the server correctly sends an
S/KEY OTP challenge, but the administration client ignores the challenge
and sends the password entered by the user in plaintext. The server
refuses the plaintext password and authentication fails, and the
plaintext password is exposed on the network.
See RFC 1760 and RFC 2289 for more information on S/KEY and one-time
password (OTP) authentication.
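The following is an added example, not Serv-U or CERT code. It implements the RFC 2289 one-time-password arithmetic that the administration client should have performed (MD5 only; MD4 is rarely available in current hashlib builds), checks it against the RFC 2289 Appendix C test vector, and then plays out the exchange described above and in the alert summary at the top of the page: a correct client answers the server's challenge with the hashed one-time value, while a client that ignores the challenge answers with the raw pass phrase, so the server rejects it and anyone sniffing the connection reads the secret. The challenge syntax `otp-md5 <count> <seed>`, the hexadecimal response form, and the `OtpServer` object are assumptions taken from RFC 2289; the real Serv-U administration protocol is not documented on this page.

```python
"""RFC 2289 OTP (S/KEY successor) with MD5, plus a simulation of a correct
client and of the broken client behaviour in VU#279763.  Added example; the
server/client framing is a generic RFC 2289 sketch, not the Serv-U protocol."""
import hashlib
import re


def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XORing the
    two halves (RFC 2289 section 6)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """64-bit OTP for sequence number `count`.

    Initial step: hash(lowercase(seed) + passphrase).  Sequence 0 is that
    single hash; sequence N is the initial step followed by N more hashes.
    """
    if not seed.isalnum():
        raise ValueError("seed must be alphanumeric (RFC 2289 section 4)")
    value = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        value = fold_md5(value)
    return value


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    """Hexadecimal response form, e.g. 9E876134D90499DD."""
    return otp_md5(passphrase, seed, count).hex().upper()


# Assumed challenge format: "otp-md5 <sequence> <seed>" (RFC 2289 section 5).
CHALLENGE_RE = re.compile(r"^otp-md5 (\d+) ([A-Za-z0-9]{1,16})$")


class OtpServer:
    """Hypothetical server: stores the OTP for sequence N+1 and verifies a
    response for sequence N by hashing it once (RFC 2289 section 7).  The
    pass phrase is used only to initialise the stored value."""

    def __init__(self, passphrase: str, seed: str, start: int = 99):
        self.seed = seed
        self.count = start
        self.stored = otp_md5(passphrase, seed, start + 1)

    def challenge(self) -> str:
        return f"otp-md5 {self.count} {self.seed}"

    def verify(self, response: str) -> bool:
        try:
            candidate = bytes.fromhex(response.replace(" ", ""))
        except ValueError:
            return False  # not hex at all: e.g. a raw pass phrase
        if len(candidate) != 8 or fold_md5(candidate) != self.stored:
            return False
        self.stored = candidate  # accepted value becomes the new reference
        self.count -= 1
        return True


def correct_client(passphrase: str, challenge: str) -> str:
    """Parse the challenge and answer with the one-time value."""
    m = CHALLENGE_RE.match(challenge)
    if not m:
        raise ValueError(f"unexpected challenge: {challenge!r}")
    count, seed = int(m.group(1)), m.group(2)
    return otp_hex(passphrase, seed, count)


def vulnerable_client(passphrase: str, challenge: str) -> str:
    """Behaviour described in the advisory: the challenge is ignored and the
    pass phrase typed by the user goes on the wire as-is."""
    return passphrase


def run_session(client, passphrase: str = "This is a test.",
                seed: str = "TeSt", start: int = 99):
    """Return (bytes sent by the client, server accepted?, secret visible to
    a sniffer?).  Pass phrase and seed are the RFC 2289 Appendix C vector."""
    server = OtpServer(passphrase, seed, start)
    on_wire = client(passphrase, server.challenge())
    accepted = server.verify(on_wire)
    return on_wire, accepted, passphrase in on_wire


if __name__ == "__main__":
    # RFC 2289 Appendix C, MD5, "This is a test." / "TeSt": seq 0 and 99.
    print(otp_hex("This is a test.", "TeSt", 0), otp_hex("This is a test.", "TeSt", 99))
    print("correct client   :", run_session(correct_client))
    print("vulnerable client:", run_session(vulnerable_client))
```

The vulnerable session shows both consequences the advisory describes at once: `accepted` is False because the server hashes the pass phrase bytes and gets nothing resembling its stored value, and the third element is True because the pass phrase itself travelled on the wire. Note also that the server never holds the pass phrase after initialisation; the whole point of the scheme is that the secret stays on the client side, which is exactly what the broken client defeats.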
A properly located intruder using a sniffer can obtain administrative
users' passwords. In addition, an administrative user account configured
to use S/KEY OTP cannot log into a Serv-U server using a vulnerable
remote administration client.
The CERT/CC is currently unaware of a practical solution to this problem.
It may be possible to use other forms of encryption, such as a VPN, SSH
or IPSEC, to secure a remote administration connection to a Serv-U server.
The CERT Coordination Center thanks Fred Maxwell for reporting this vulnerability.
This document was written by Art Manion.
Date First Published: 11/19/2001 05:21:47 PM
Date Last Updated