Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Filezilla's silent caching of user's credentials
From: Ryan Sears <rdsears () mtu edu>
Date: Wed, 13 Oct 2010 18:49:59 -0400 (EDT)

What do you mean by that? There have been a *lot* of good points made through this whole thing, both on the list, and 
in the forums. 

This is a multi-tiered issue, both in the fact that it stores your credentials, and the fact that it does so in a very 
insecure manner. 

As with any program there are scenarios in which you're forced to log into secured resources in a 'less-than-secure' 
way. Maybe someone is middling your connection? Maybe someone has a metasploit dll agent hiding in your filezilla.exe 
process sniffing for keystrokes? It happens, thanks to windows' plethora of 'features'. 

However with the right measures it can be tougher to leverage. Everything is psudo security by obscurity in one way or 
another when you think about it. Imagine encryption as a needle in a haystack, but instead of a needle you're looking 
for a single atom, and instead of a haystack you're looking at every single atom on the face of the planet (please 
correct me if I'm mistaken in this point. I am by no means a crypto expert). 

The only way to be really secure is run FreeBSD on a computer not plugged into any network and uses absolutely nothing 
external (usb drives, etc). Then it becomes a trade-off in usefulness. Also what happens when someone discovers a 0-day 
in BSD?

Security is a constant up-hill battle, which is why I find it so interesting. Very smart people are *always* coming up 
with more creative ways to manipulate systems of *any* kind. All you can do is learn as much as you can about how 
they're doing it, and come up with any mitigations you can. 

Ryan


----- Original Message -----
From: "Chris Evans" <scarybeasts () gmail com>
To: "Mutiny" <mutiny () kevinbeardsucks com>
Cc: full-disclosure () lists grok org uk
Sent: Wednesday, October 13, 2010 6:32:14 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Full-disclosure] Filezilla's silent caching of user's credentials


Finally, a note of sanity in this thread. 


On Tue, Oct 12, 2010 at 8:33 PM, Mutiny < mutiny () kevinbeardsucks com > wrote: 


The issue is that someone gained access to that file. You sharing your 
drives over the internet with read privileges? You have other 
vulnerable software being leveraged to read that file? Would you prefer 
they MD5'd it? It sounds like your issue is that your password is 
stored. I mean, they moved your encrypted password from passwd to 
shadow for a reason, but that doesn't change the fact that it's stored 
and if someone doesn't need access to shadow or passwd, they shouldn't 
have it. 

Stop logging into your FTP server from a public terminal with Filezilla. 



On 10/9/2010 11:00 AM, Vipul Agarwal wrote: 



That's a live and good example. I hope that now they'll understand the 
importance of the issue. 

On Fri, Oct 8, 2010 at 11:28 AM, Shirish Padalkar 
< shirish.padalkar () tcs com >wrote: 



http://www.google.com/#sclient=psy&hl=en&site=&source=hp&q=inurl:recentservers.xml&oq=inurl:recentservers.xml 

:) 


From: 
Ryan Sears < rdsears () mtu edu > 
To: 
full-disclosure < full-disclosure () lists grok org uk > 
Date: 10/08/2010 08:52 AM Subject: 
[Full-disclosure] Filezilla's silent caching of user's credentials 
Sent by: full-disclosure-bounces () lists grok org uk 
------------------------------ 



Hi all, 

As some of you may or may not be aware, the popular (and IMHO one of the 
best) FTP/SCP program Filezilla caches your credentials for every host you 
connect to, without either warning or ability to change this without editing 
an XML file. There have been quite a few bug and features requests filed, 
and they all get closed or rejected within a week or so. I also posted 
something in the developer forum inquiring about this, and received this 
response: 

"I do not see any harm in storing credentials as long as the rest of your 
system is properly secure as it should be." 

Source:( http://forum.filezilla-project.org/viewtopic.php?f=3&t=17932 ) 

To me this is not only concerning, but also completely un-acceptable. The 
passwords all get stored in PLAIN TEXT within your %appdata% directory in an 
XML file. This is particularly dangerous in multi-user environments with 
local profiles, because as we all know physical access to a computer means 
it's elementary at best to acquire information off it. Permissions only work 
if your operating system chooses to respect them, not to mention how simple 
it is *even today* to maliciously get around windows networks using 
pass-the-hash along with network token manipulation techniques. 

There has even been a bug filed that draws out great ways to psudo-mitigate 
this using built-in windows API calls, but it doesn't seem to really be 
going anywhere. This really concerns me because a number of my coworkers and 
friends were un-aware of this behavior, and I didn't even know about it 
until I'd been using it for a year or so. All I really want to see is at the 
very least just some warning that Filezilla does this. 

Filezilla bug report:( http://trac.filezilla-project.org/ticket/5530 ) 

My feelings have been said a lot more eloquently than I could ever hope to 
in that bug report: 

"Whoever keeps closing this issue and/or dismissing its importance 
understands neither security nor logical argument. I apologize for the slam, 
but it is undeniably true. Making the same mistake over and over does not 
make it any less of a mistake. The fact that a critical deficiency has 
existed for years does not make it any less critical a deficiency. 
Similarly, the fact that there are others (pidgin) who indulge in the same 
faulty reasoning does not make the reasoning any more sound." ~btrower 

While it's true you can mitigate this behavior, why should it even be 
enabled by default? The total lapse in security for such a feature-rich, 
robust piece of software is quite disturbing, and I don't understand how the 
developers don't think this is an issue. 

I just wanted to gauge the FD community on this issue, because with enough 
backing and explanation from the security community as to why this is a 
problem, this issue may finally be resolved (it's been doing this for years 
now). 

Regards, 
Ryan Sears 

_______________________________________________ 
Full-Disclosure - We believe in it. 
Charter: http://lists.grok.org.uk/full-disclosure-charter.html 
Hosted and sponsored by Secunia - http://secunia.com/ 


=====-----=====-----===== 
Notice: The information contained in this e-mail 
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you 



_______________________________________________ 
Full-Disclosure - We believe in it. 
Charter: http://lists.grok.org.uk/full-disclosure-charter.html 
Hosted and sponsored by Secunia - http://secunia.com/ 






_______________________________________________ 
Full-Disclosure - We believe in it. 
Charter: http://lists.grok.org.uk/full-disclosure-charter.html 
Hosted and sponsored by Secunia - http://secunia.com/ 

_______________________________________________ 
Full-Disclosure - We believe in it. 
Charter: http://lists.grok.org.uk/full-disclosure-charter.html 
Hosted and sponsored by Secunia - http://secunia.com/ 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault