Subject: [Full-Disclosure] ArGoSoft FTP Server reveals valid usernames and allows for brute force attacks
Date: Fri, 31 Dec 2004 04:41:10 -0500
Vendor:   ArGoSoft
Date:     December 31, 2004
Issue:    ArGoSoft FTP Server reveals valid usernames and allows for brute force attacks
URL:      http://www.argosoft.com/ftpserver/
Advisory: http://www.lovebug.org/argosoft_advisory.txt

Program Overview:

ArGoSoft FTP Server is a lightweight FTP Server for Microsoft Windows 
platforms.  The program "supports all basic FTP commands, and much more, such 
as passive mode, resuming file transfers, windows shortcuts to another files, 
folders and drives (including network drives), virtual domains (multiple IP 
homes), IP filtering, site specific commands, such as compressing and copying 
files on the server, changing date/time stamps, and so on."  It is fairly 
simple to use and configure and subsequently does not take much time to get up 
and running.


Issues:

1. Versions prior to 1.4.2.1 will disclose whether or not a supplied username 
is valid.  A login name supplied with the USER command will not be 
accepted unless it is valid.  If the username is invalid the server will return a 
message similar to:

530 User NAME_HERE does not exist

otherwise it will accept the username and ask for the password.  Version 
1.4.2.1 and beyond have fixed this problem and will ask for a password 
regardless of whether or not the username actually exists.  The vendor was 
quick to fix this and released a new version relatively shortly after the issue 
was reported.

2. However, another issue is still at large with ArGoSoft's FTP Server.  This 
issue exists in the current version (1.4.2.4) and in previous versions.  
ArGoSoft FTP Server does not have a limit to the number of tries that can be 
entered for a username/password combination before it terminates the 
connection.  It will allow an unlimited number of login attempts.  This issue 
in conjunction with the previously mentioned one would not only allow for brute 
force password cracking of a known username, but for a quick brute force attack 
to find valid usernames.  It might also be worth mentioning that there also does 
not appear to be any type of login timeout for the login process.  This issue 
was also reported to the vendor at the same time as the username problem.
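To make the two issues concrete from the server side, here is an added example (not ArGoSoft's code) of a minimal FTP USER/PASS state machine: a flag reproduces the pre-1.4.2.1 "does not exist" reply, and the hardened mode answers every USER with 331 and closes the connection after a fixed number of failures. The account table, password values and the three-attempt limit are constructed for illustration.

```python
# Added example, not ArGoSoft's code: minimal FTP login state machine showing
# the leaky pre-1.4.2.1 USER reply beside a uniform reply plus a per-connection
# failure cap. Accounts, passwords and MAX_ATTEMPTS are constructed values.
import hmac

ACCOUNTS = {"alice": "correct horse", "bob": "hunter2"}  # constructed
MAX_ATTEMPTS = 3  # hypothetical cap; the advisory notes ArGoSoft has none


class LoginSession:
    """Tracks one control connection through the USER/PASS exchange."""

    def __init__(self, uniform_user_reply=True, max_attempts=MAX_ATTEMPTS):
        self.uniform = uniform_user_reply   # False reproduces the old behaviour
        self.max_attempts = max_attempts
        self.failures = 0
        self.pending_user = None
        self.closed = False
        self.authenticated = False

    def handle(self, line):
        if self.closed:
            return None  # connection already terminated
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.pending_user = arg
            if not self.uniform and arg not in ACCOUNTS:
                # Pre-1.4.2.1 behaviour: the reply confirms the name is absent.
                return f"530 User {arg} does not exist"
            return "331 Password required"  # same reply whether or not it exists
        if verb == "PASS":
            if self.pending_user is None:
                return "503 Login with USER first"
            expected = ACCOUNTS.get(self.pending_user)
            # Constant-time compare runs even for unknown names so response
            # timing does not leak what the reply text no longer does.
            ok = hmac.compare_digest(arg.encode(), (expected or "").encode()) \
                and expected is not None
            self.pending_user = None
            if ok:
                self.authenticated = True
                return "230 User logged in"
            self.failures += 1
            if self.failures >= self.max_attempts:
                self.closed = True  # cap on tries per connection
                return "421 Too many failed login attempts, closing connection"
            return "530 Login incorrect"
        return "530 Please login with USER and PASS"
```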


Solutions:

Upgrade to the latest version at the ArGoSoft website.  As for the brute force 
issue, perhaps that will be fixed in the future.  Just make your passwords 
difficult, keep your login name(s) secure, and turn on logging + monitor it.


Credits:

My recent free time -- which has enabled me to type all of this up.  HAPPY NEW 
YEAR!

Also: Go Virginia Tech, let's beat Auburn in the Sugar Bowl :)

-Steven
steven@lovebug.org
www.lovebug.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html