Networksecurity.fi Security Advisory (05-12-2005)


Title: Total Commander WCX_FTP.INI weak FTP account information encryption vulnerability
Criticality: Medium (2/3)
Affected software: Total Commander versions 6.53 and prior
Type: Remote vulnerability
Author: Juha-Matti Laurio   info [at] networksecurity.fi, juha-matti.laurio [at] netti.fi
Date: 5th December, 2005
Advisory ID: Networksecurity.fi Security Advisory (05-12-2005) (#12)
Location URL: http://www.networksecurity.fi/advisories/total-commander.html
CVE references: CVE-2005-4066
CVSS Severity: 2.3 (Low)

- Description:
The Total Commander file manager (an Explorer replacement with a built-in FTP client) is confirmed to be affected by a weak account information encryption vulnerability. The vulnerability is caused by the weak encryption algorithm used when internal FTP account information is saved to the configuration file WCX_FTP.INI. Both the username and the password are saved to a file located in the directory read from the %System% variable (referring to the System folder).

This is reportedly being exploited by a new worm, W32.Gudeb (aka Gudeb). W32.Gudeb spreads via FTP and gathers valid accounts from the Total Commander configuration file: it searches for the file %System%\WCX_FTP.INI and collects the stored username and password details. If this operation succeeds, it reportedly uploads a copy of itself to the newly compromised computers.

- Detailed description:

Sample content of configuration file (C:\WINNT\wcx_ftp.ini etc.):
---clip---
[OldConnections]
0=ftp.removed.com
[connections]
1=Homepage
[Homepage]
host=ftp.removed.com
username=www.removed.fi
password=CF6ECD90B708F354B2CF41AAA833 (*)
directory=/pictures
---clip---

*) the content of the password field has been changed for security/privacy reasons

The location of the configuration file is publicly known and documented. The FTP account information of previously used FTP connections remains in the configuration file even when the utility is not actively in use.
The account information is stored in a way that enables malware infection and spreading. Additionally, several 3rd-party utilities are publicly available that decrypt FTP account credentials from WCX_FTP.INI easily and remarkably quickly.
According to the research, the password entry in WCX_FTP.INI is disguised only, not encrypted at all.
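The following script is an added example written for this page; it is not part of the advisory and is not vendor code. It parses the WCX_FTP.INI layout shown in the clip above ([connections] maps an index to a named section, each named section carries host/username/password/directory, and [OldConnections] lists previously used hosts) and reports which saved connections carry a stored password, which is the check an administrator would run to see whether a host is exposed. The disguising scheme of the password field is not described in this advisory, so the script deliberately does not decode it; it only reports that a password is present. The default path (%SystemRoot%\wcx_ftp.ini, falling back to the advisory's sample path C:\WINNT\wcx_ftp.ini) is an assumption and can be overridden on the command line.

```python
"""Audit a Total Commander WCX_FTP.INI for saved FTP credentials.

Added example, not code from the advisory or from the vendor.  The
password value is reported only as present/absent: its disguising
scheme is not given in the advisory and is not decoded here.
"""
import configparser
import os
from typing import Dict, List, Optional

# Constructed sample: the clip from the advisory (hostname and password
# field were already anonymised by the advisory author).
SAMPLE_INI = """[OldConnections]
0=ftp.removed.com
[connections]
1=Homepage
[Homepage]
host=ftp.removed.com
username=www.removed.fi
password=CF6ECD90B708F354B2CF41AAA833
directory=/pictures
"""


def _parser(text: str) -> configparser.RawConfigParser:
    # strict=False tolerates duplicate keys seen in hand-edited INI files;
    # optionxform=str keeps key names exactly as written.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def saved_connections(text: str) -> List[Dict[str, object]]:
    """One record per entry in [connections], resolved to its own section."""
    cp = _parser(text)
    records: List[Dict[str, object]] = []
    if not cp.has_section("connections"):
        return records
    for idx, name in cp.items("connections"):
        sect = dict(cp.items(name)) if cp.has_section(name) else {}
        records.append({
            "index": idx,
            "name": name,
            "host": sect.get("host", ""),
            "username": sect.get("username", ""),
            "directory": sect.get("directory", ""),
            # Presence of a non-empty password field is what the worm looks for.
            "password_saved": bool(sect.get("password")),
        })
    return records


def old_connection_hosts(text: str) -> List[str]:
    """Hosts remembered in [OldConnections] (quick-connect history)."""
    cp = _parser(text)
    if not cp.has_section("OldConnections"):
        return []
    return [host for _, host in cp.items("OldConnections")]


def audit_ini(text: str) -> Dict[str, object]:
    """Summarise exposure: which named connections have a stored password."""
    conns = saved_connections(text)
    exposed = [c["name"] for c in conns if c["password_saved"]]
    return {
        "connections": len(conns),
        "with_saved_password": exposed,
        "old_hosts": old_connection_hosts(text),
        "exposed": bool(exposed),
    }


def audit_file(path: str) -> Optional[Dict[str, object]]:
    """Audit an on-disk file; None means the file is absent (workaround #2 state)."""
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return audit_ini(fh.read())


if __name__ == "__main__":
    import json
    import sys

    # Assumed default location; the advisory's sample path is C:\WINNT\wcx_ftp.ini.
    default = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"), "wcx_ftp.ini")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    result = audit_file(target)
    if result is None:
        print(f"{target}: not present, no saved FTP connections on disk")
        print("Result for the advisory's sample:")
        print(json.dumps(audit_ini(SAMPLE_INI), indent=2))
    else:
        print(json.dumps(result, indent=2))
```

Run it with the path of a WCX_FTP.INI as the only argument; "exposed": true means at least one saved connection stores a password and the host should be treated as a credential source for Gudeb-style harvesting, regardless of whether Total Commander is currently in use.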

From the vendor:
"Total Commander is a file manager for Windows, a program like Windows Explorer to copy, move or delete files. However, Total Commander can do much more than Explorer, e.g. pack and unpack files, access ftp servers, compare files by content, etc!"

This product was earlier known as Windows Commander.

- Affected versions:
The vulnerability has been confirmed in version 6.53 for Windows. Other previous versions may also be affected.
Exact TOTALCMD.EXE version: 6.5.3.0

Software:
Total Commander 6.x

- OS:
Microsoft Windows: "Windows 95 or higher, including Windows 98, 2000, NT, ME, and XP"
Tests were done with Microsoft Windows XP Professional SP2 and Microsoft Windows 2000 Professional SP4, fully patched.

Vendor and vendor Home Page:
C. Ghisler & Co.
www.ghisler.com

Product Home Page:
www.ghisler.com
Author: Christian Ghisler

Vendor was contacted on 3rd December, 2005.

Solution status:
No updated version available from the vendor at the time of reporting.

Workarounds:
1. Do not save FTP connections.
2. Uninstall the application and confirm that the WCX_FTP.INI file is deleted. Install the Total Commander application again and stop using the FTP account saving feature (workaround method #1).
Combining these methods prevents Gudeb from spreading, but does not remove the vulnerability itself.

References:
"W32.Gudeb is a worm that lowers security settings and hides folders on the compromised computer":
securityresponse.symantec.com/avcenter/venc/data/w32.gudeb.html

www.securitytracker.com/alerts/2005/Dec/1015311.html
www.frsirt.com/english/advisories/2005/2780
www.osvdb.org/displayvuln.php?osvdb_id=21543
xforce.iss.net/xforce/xfdb/23497
www.addict3d.org/index.php?page=viewarticle&type=security&ID=5478

CVE information:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4066

CVSS Severity level:
2.3 (Low)

Credit information:
This vulnerability was researched by Juha-Matti Laurio, Networksecurity.fi

Timeline:
02-Dec-2005 - Vulnerability researched and confirmed
03-Dec-2005 - Detailed research, new FTP hosts tested
03-Dec-2005 - Vendor contacted, workaround delivered to the vendor
03-Dec-2005 - Security companies and several CERT units contacted
04-Dec-2005 - Vendor's reply
04-Dec-2005 - The second workaround produced by the researcher
05-Dec-2005 - Advisory published
06-Dec-2005 - New workaround delivered to the vendor
06-Dec-2005 - Link to the published advisory sent to security companies and several CERT units

Revision history:
05-12-2005 1.0: Advisory published
06-12-2005 1.1: Updated advisory and added information about disguising of FTP password
07-12-2005 1.2: Updated advisory by adding new CVE and references
08-12-2005 1.3: Updated advisory by adding new CVSS (Common Vulnerability Scoring System) severity level
08-01-2006 1.4: Added X-Force reference

Local Finnish time is used.


Best regards,
Juha-Matti Laurio
security researcher
Finland

Copyright © Networksecurity.fi and Juha-Matti Laurio 2005
