Title: FileZilla (client) public credentials vulnerability Risk: Medium Versions affected: <=2.2.15 Credits: pagvac (Adrian Pastor) Date found: 10th September, 2005 Homepage: www.ikwt.com www.adrianpv.com E-mail: m123303 [ - a t - ] richmond.ac.uk Background ---------- FileZilla client is an open source Windows FTP/SFTP client. Vulnerability Description ------------------------- FileZilla client stores all users' credentials (including passwords) in a globally public directory under Windows which allows all users with local access (including restricted users) to dump the credentials of all users and decrypt their passwords. The directory is %programfiles%\FileZilla\ where %programfiles% is usually "C:\program files". The default Windows ACLs grants *read* access to %programfiles% to all users. This means that even restricted accounts can dump any user credentials (including the administrators' credentials) from "FileZilla.xml" This would *not* be possible if the developers had programmed the FileZilla client to save the config file under %homepath% which would be "C:\Documents and Settings\username\FileZilla.xml" by default. The advantage of the %homepath% directory is that, by default, only its owner and users within the "administrators" group have read access (rather than all users). Disclaimer ---------- If I get a response from the project developers arguing that the previous security flaw is not a vulnerability but rather a feature, I will simply *not* answer. No offence, but I'm not willing to waste my time with the common "insecure by design" debate. In my humble opinion applications should *never* store user credentials in locations in the file system that are readable by all users (unless you want all users to steal your passwords). PoC --- I coded a small tool which dumps all users' credentials from "FileZilla.xml" and the registry and decrypts all passwords found. In order to exploit this vulnerability the credentials need to be saved in "FileZilla.xml" (rather than the registry). Luckily, the XML file is the default location used to save the credentials :-) In case the credentials were stored in the registry, then you would need to run this tool as the user you want to dump the credentials from (this is because the credentials are saved under "HKEY_CURRENT_USER" rather than HKEY_LOCAL_MACHINE). Executable and source code along with Visual Studio project file: http://www.ikwt.com/projects/filezilla-pwdump.zip http://www.adrianpv.com/projects/filezilla-pwdump.zip I tested this tool in Windows XP SP1 by running it with restricted accounts from the "Users" and "Guests" groups and it successfully dumped all users credentials (including admins'). This is possible because the default Windows ACLS of the %programfiles% directory grants *read* access to all users. As far as I know this is true in Windows 2000 SPX and Windows XP SPX as well (please correct me if I'm wrong as I'm *not* a computer security guru). Solution -------- Choose to save user settings in the Windows registry or select "Use secure mode" during the installation (this disables FileZilla client from saving passwords at all), lockdown your client machines where the FileZilla client is installed. Alternitavely you can try convincing the FileZilla developers to modify the application so that each user's credentials are stored in his/her home folder. Regards, pagvac (Adrian Pastor) Earth, SOLAR SYSTEM