Re: FileZilla weakly-encrypted password vulnerability: advisory + PoC

[Nick Boyce <nick.boyce () gmail com>]

On 2 Sep 2005 13:59:49 -0000, m123303[ - at - ]richmond.ac.uk wrote:

> Vulnerability summary
> - ---------------------
[...]
> There exists a problem in the way the XOR encryption is implemented
> because the same cipher key is always used. This key is
> hard-coded, which means that anyone can analyze the source code of
> the application and find it. Of course, this wouldn't be
> so easy if FileZilla wasn't an open source application.
[...]

Okay .. so (assuming that's a problem) what do you suggest is done by
the FileZilla folks about this, given that we've already established
ad nauseam that the best you can ever achieve in these circumstances
is to obfuscate the key ?

See http://marc.theaimsgroup.com/?l=bugtraq&m=112500510209243&w=2

> Solution
> - --------
> Choose "Use secure mode" during the installation (this disables
> FileZilla from saving passwords), lockdown your client
> machines where the FileZilla client is installed, 

Well, duh ... I always do this with my FileZilla installations - don't
you ?   I keep precious passwords somewhere else much safer.  That's
/why/ the FileZilla installer warns you about this and suggests you
use secure mode if you're on a multi-user (or otherwise untrustable)
machine.

Keeping passwords in the registry, or an XML file (or indeed anywhere
at all that doesn't in turn require yet another password to access)
can only ever be a convenience-vs-security trade-off.   No matter how
"strongly" you garble the password for storage, if the source code is
available then it won't be long before someone works out how to
ungarble it - and even if the source code is *not* released it won't
slow the Bad Guys down much.

> ... or update to a patched version which fixes this issue (if available).

Um, how can the FileZilla folks patch the problem, without again
releasing the source code of the "new improved" algorithm and/or key ?

Cheers,

Nick Boyce
Bristol, UK