[Vuln] Total Commander WCX_FTP.INI FTP Account Information

Wakko
New Member
Posts: 1
Joined: 2005-12-09, 16:41 UTC


Post by *Wakko »

Searched the boards, trying to see if anything was being mentioned of this. I am interested to see what needs to be done besides not saving FTP connections to secure this hole.

VR,
Wakko
----------------

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Total Commander WCX_FTP.INI FTP Account Information Weak Encryption
------------------------------------------------------------------------


SUMMARY

" <http://www.ghisler.com/> Total Commander is a file manager for Windows, a program like Windows Explorer to copy, move or delete files. However, Total Commander can do much more than Explorer, e.g. pack and unpack files, access ftp servers, compare files by content, etc"

" <http://securityresponse.symantec.com/avcenter/venc/data/w32.gudeb.html>
W32.Gudeb is a worm that lowers security settings and hides folders on the compromised computer. It spreads via FTP and gathers valid accounts from Total Commander configuration file."

Weak password storage in Total Commander's settings file allows local attackers and worms to gain FTP login information and compromise other systems.

DETAILS

Vulnerable Systems:
* Total Commander version 6.53

The Total Commander file manager/FTP client utility is confirmed as affected by a weak account information encryption vulnerability. The vulnerability is caused by the weak encryption algorithm used when internal FTP account information is saved to the configuration file WCX_FTP.INI. Both username and password are saved to the file, which is located in the directory given by the %System% variable.

This is reportedly being exploited by the new W32.Gudeb worm. W32.Gudeb spreads via FTP and gathers valid accounts from the Total Commander configuration file. This malware searches for the file %System%\WCX_FTP.INI and gathers valid username and password details. If this operation is successful, it will reportedly upload a copy of itself to the newly compromised computers.

Example:
C:\WINNT\wcx_ftp.ini:
---clip---
[OldConnections]
0=ftp.removed.com
[connections]
1=Homepage
[Homepage]
host=ftp.removed.com
username=www.removed.fi
password=CF6ECD90B708F354B2CF41AAA833 (*)
directory=/pictures
---clip---

(*) The content of the password field has been changed for security/privacy reasons.

Workaround:
Do not save FTP connections.

Disclosure Timeline:
02-Dec-2005 - Vulnerability researched and confirmed
03-Dec-2005 - Detailed research, new FTP hosts tested
03-Dec-2005 - Vendor contacted, workaround delivered to the vendor
03-Dec-2005 - Security companies and several CERT units contacted


ADDITIONAL INFORMATION

The information has been provided by <mailto:juha-matti.laurio@netti.fi>
Juha-Matti Laurio.



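An audit helper for the storage weakness the advisory describes, added here as example code (it is not the advisory's, the forum's or Total Commander's own): it lists which saved connections in a wcx_ftp.ini carry a password= entry and produces a copy with those entries removed, so that Total Commander prompts for the password on connect instead of reading it from the file. The sample INI is constructed from the advisory's clipped example; the `Backup` connection and its host are made up, and editing the real file is assumed to happen while Total Commander is closed.

```python
"""Audit a Total Commander wcx_ftp.ini for saved FTP passwords (added example).

Nothing is decoded: the script only reports which [connections] entries keep a
password= line, and can produce a copy without those lines so TC prompts instead.
"""
import configparser

# Constructed sample modelled on the advisory's clipped wcx_ftp.ini; the
# 'Backup' connection and its host are made up to show a password-less entry.
SAMPLE_INI = """\
[OldConnections]
0=ftp.removed.com
[connections]
1=Homepage
2=Backup
[Homepage]
host=ftp.removed.com
username=www.removed.fi
password=CF6ECD90B708F354B2CF41AAA833
directory=/pictures
[Backup]
host=backup.example.invalid
username=backup
directory=/dumps
"""

def audit(ini_text):
    """Return (names with a saved password, names without) from the [connections] list."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    names = list(cp["connections"].values()) if cp.has_section("connections") else []
    with_pw = [n for n in names if cp.has_section(n) and cp.get(n, "password", fallback="")]
    without_pw = [n for n in names if n not in with_pw]
    return with_pw, without_pw

def strip_saved_passwords(ini_text):
    """Copy of the INI with every password= line dropped, so TC asks on connect.

    Line-based on purpose: configparser would rewrite the whole file as 'key = value',
    while this keeps every other line untouched. Edit only while TC is closed.
    """
    kept = []
    for line in ini_text.splitlines(keepends=True):
        key, sep, _value = line.partition("=")
        if sep and key.strip().lower() == "password":
            continue  # drop the stored credential; everything else is preserved
        kept.append(line)
    return "".join(kept)
```

Run `audit()` over each user's wcx_ftp.ini to find connections that still store a password; `strip_saved_passwords()` gives the cleaned text to write back.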
Lefteous
Power Member
Posts: 9535
Joined: 2003-02-09, 01:18 UTC
Location: Germany

Post by *Lefteous »

http://www.lefteous.de/tc/images/misc/ftp_dialog.png
:lol:

If there were strong encryption, the worm could work as well as before.
icfu
Power Member
Posts: 6052
Joined: 2003-09-10, 18:33 UTC

Post by *icfu »

Wakko wrote: I am interested to see what needs to be done besides not saving FTP connections to secure this hole.
Quite simple actually: Don't let this worm enter your system, this is true for every worm. You can also protect the wcx_ftp.ini yourself with a file encrypter like AxCrypt or the Total Commander AES encryptor plugin.
When you wanna use FTP, you have to temporarily decrypt it.

Icfu
This account is for sale
frenky
Senior Member
Posts: 250
Joined: 2005-07-30, 19:36 UTC

Post by *frenky »

Ambiguity succeeds where honesty dares not venture.
Sheepdog
Power Member
Posts: 5150
Joined: 2003-12-18, 21:44 UTC
Location: Berlin, Germany

Post by *Sheepdog »

Total Commander Help: Dialog box: Connection details wrote: Password: Here you can enter the password for the site. Only enter the password here if your PC is completely secure! It's not a good idea to save the password on computers open to other people! Total Commander will ask you for the password when connecting (if the password isn't given here).
It should be well known that the encryption of the password is weak and that it's not a good idea to save the password in the FTP ini file.

To increase the protection a little bit you can start TC with the command-line parameter /f=path\to\ftp\ini\file\MyOwn_FTP_ini.file.
Thus it would not be so easy to find the location of the FTP file. Nevertheless it could be found if someone really wants it.

sheepdog
"A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete fools."
Douglas Adams
ghisler(Author)
Site Admin
Posts: 48088
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Once you have a worm on your PC, the worm can see anything your programs can see:
- it can log what you type, and send it to the worm writer, e.g. your passwords
- it can read the passwords stored not only in Total Commander, but also in Internet Explorer, Mozilla etc.
- it can send your key file, your Warcraft account data, your love letters etc. to the worm writer
etc. etc.

There is no secure way to store a password on a PC! Reason: Total Commander has to know the algorithm and password to get to the actual passwords, so these have to be stored too. The only way would be to ask the user each time for a master password, but the worm could simply use a keylogger to get that too.

So the best you can do is to install a virus scanner and keep it up to date. Also do NOT run ANY programs or other files received via e-mail!

I have followed these simple hints, and I have never had any infection on my PCs for 15 years.
Author of Total Commander
https://www.ghisler.com