Telhack 026 Inc. Security Advisory - #4 _________________________________________ Name: Blackmoon FTP Server 2.6 Free Edition Impact: Medium Date: May 21 / 2003 _________________________________________ Daniel Nyström a.k.a. excE <exce@netwinder.nu> _I N F O_ BlackMoon FTP Server is an FTP daemon written specifically for Windows 2000/XP and above. It takes advantage of all the new features in the mentioned oses like io completion ports, thread pooling, running as a system services, using built-in SSL certificate stores, authenticating against an Active Directory or remote NTLM, accessing network shares, impersonating an NT user and more. More at: www.blackmoonftpserver.com The Non-free editions has not been tested. _P R O B L E M_ There are two problems with this software. * User/Password data is stored in plaintext * Easy to enumerate usernames. _I M P A C T_ Users with physicall access can steal the database and extract user/pass pairs from it. Malicious remote users can detect valid usernames on the FTP server. _E X P L O I T I N G_ The plaintext Usernames/Passwords are stored in the file blackmoon.mdb in the Blackmoon FTP directory. To extract them use standard Windows software such as MS Access or MS Excel. To find out valid usernames/passwords you just look at the server responses. Valid username with invalid password: 530-Login incorrect. Name[ValidUser] Pass[NotValidPass] Invalid username with invalid password: 530-Account does not exist. Name[NotValidUser] A tool for enumerating users in a bruteforce manner will be available on www.telhack.tk next week. Daniel Nyström, excE ---------------------------------- exce@netwinder.nu http://www.telhack.tk http://exce.ath.cx
