Filezilla FTP proxy stores Windows password in plain text

jana.vasseru
500 Command not understood
Posts: 4
Joined: 2009-05-06 12:20
First name: Jana
Last name: Vasseru

Re: Filezilla FTP proxy stores Windows password in plain text

#46 Post by jana.vasseru » 2009-05-09 08:25

boco wrote:
mmenzer wrote: No, it does not, as long as the worm uses your user's context.

When an application stores passwords, it should take all steps possible to prevent the passwords from getting away.
If it does not, it should at least provide a dialog where the passwords can be entered when needed by the application.
Kiosk mode 1 of Filezilla does exactly that. The only problem for me is that storing passwords is set as default. You could also use Site Manager with logon type 'Interactive'.

Using kiosk mode does not solve the problem - I was talking about STORING passwords. There were numerous requests for implementing some encryption over the stored password (this applies both to proxy and FTP passwords), all of which were dismissed with the argument that "it is the operating system's responsibility". This is not true - the OS can (and will) protect the Filezilla settings file against another user, but it can hardly protect it against other software executed under the same user. Which is exactly the case with malicious software.

botg
Site Admin
Posts: 35562
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Filezilla FTP proxy stores Windows password in plain text

#47 Post by botg » 2009-05-09 09:08

Which is exactly the case with malicious software.
And that same malicious software can just sit and wait till you enter your password manually if you get prompted. So nothing gained.

jana.vasseru
500 Command not understood
Posts: 4
Joined: 2009-05-06 12:20
First name: Jana
Last name: Vasseru

Re: Filezilla FTP proxy stores Windows password in plain text

#48 Post by jana.vasseru » 2009-05-09 21:52

botg wrote: And that same malicious software can just sit and wait till you enter your password manually if you get prompted. So nothing gained.

If someone were to write malicious SW to steal FTP passwords, I'm sure he would consider these:
- it is more difficult to write a keylogger than something which reads a text file
- to log a password the SW would need to sit on a machine for hours/days to receive them; reading the Filezilla config file leads to fast and easy access to all passwords
- a keylogger produces a huge amount of useless data; reading the FZ config file gives only the wanted data
- a keylogger is detectable using AV heuristics (thanks to suspicious OS calls); reading the FZ config is in no way suspicious, thus such malicious software can be detected only with up-to-date AV definition rules
- by reading the FZ config file dozens of FTP passwords can be received at once, compared to a keylogger which might never catch some (those stored before the keylogger was installed)

I see quite a lot of difference here.

botg
Site Admin
Posts: 35562
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Filezilla FTP proxy stores Windows password in plain text

#49 Post by botg » 2009-05-09 22:27

- it is more difficult to write a keylogger than something which reads a text file
Actually no, keyloggers already exist, very simple code. To read a file you need to know its path in advance. Keylogger = generic, reading files = specific to the known files.
- to log a password the SW would need to sit on a machine for hours/days to receive them; reading the Filezilla config file leads to fast and easy access to all passwords
Malware does not need to get fed. If it gets past your good network administrator it's already hand-crafted towards your network, so it'll stay for a lot longer as snakeoil scanners won't be able to find it.
- a keylogger produces a huge amount of useless data; reading the FZ config file gives only the wanted data
Assuming you can type 10 letters every second and do that for 24 hours, uncompressed that's just 864KB; compressed it is a tiny fraction of that. And nobody can type that fast. And if it is generic malware, 800KB is far less than transferring every single file on your system. Useless or not is not of your concern, it can be evaluated after the act.
- a keylogger is detectable using AV heuristics (thanks to suspicious OS calls); reading the FZ config is in no way suspicious, thus such malicious software can be detected only with up-to-date AV definition rules
Only the cheap ones. Hand-crafted malware disables your scanners. And malware that is detected by virus scanners you do not need scanners for; the network administrator can simply configure things so that your systems are not vulnerable to that malware in the first place.
- by reading the FZ config file dozens of FTP passwords can be received at once, compared to a keylogger which might never catch some (those stored before the keylogger was installed)
I agree with you on that.

cmesser
500 Command not understood
Posts: 2
Joined: 2009-05-20 08:06
First name: Christoph
Last name: Messer

Re: Filezilla FTP proxy stores Windows password in plain text

#50 Post by cmesser » 2009-05-20 08:54

Hi, I'm new in this forum, but I followed this topic with great interest as a guest during the last few weeks.
But now I have to ask what the timetable is to implement the feature "ask for proxy password when needed".
The background for that question is that I'm working in a company with 30000+ Internet users, and we are looking for a new FTP client for accessing internal FTP servers directly as well as external servers over a proxy.
Filezilla fits our needs very well, but storing the proxy password in clear text is a real K.O. criterion.
As in other companies, OS file encryption is prohibited and is no solution for us.

Greetings

botg
Site Admin
Posts: 35562
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Filezilla FTP proxy stores Windows password in plain text

#51 Post by botg » 2009-05-20 09:39

As in other companies, OS file encryption is prohibited and is no solution for us.
Why that? It would solve most of your problems.

cmesser
500 Command not understood
Posts: 2
Joined: 2009-05-20 08:06
First name: Christoph
Last name: Messer

Re: Filezilla FTP proxy stores Windows password in plain text

#52 Post by cmesser » 2009-05-20 11:36

Because the data on business PCs always belongs to the company and not to the user. This makes sense if you imagine what happens if the user is not available because of an accident, but the data he encrypted is business-critical. So encryption without storing a master key is prohibited. The password is different. Not knowing it doesn't prevent an admin from reading the data. But knowing it will allow someone to log on as someone else and do bad stuff under this identity.

That's it.

Regards

jana.vasseru
500 Command not understood
Posts: 4
Joined: 2009-05-06 12:20
First name: Jana
Last name: Vasseru

Re: Filezilla FTP proxy stores Windows password in plain text

#53 Post by jana.vasseru » 2009-05-20 14:32

botg wrote:
- it is more difficult to write a keylogger than something which reads a text file
Actually no, keyloggers already exist, very simple code. To read a file you need to know its path in advance. Keylogger = generic, reading files = specific to the known files.

... snip ...
Only the cheap ones. Hand-crafted malware disables your scanners. And malware that is detected by virus scanners you do not need scanners for; the network administrator can simply configure things so that your systems are not vulnerable to that malware in the first place.

You are trying to prove that all security can be broken. Right. I know that.
I'm trying to say that storing plaintext passwords in a config file is like having a house with no doors to the back garden.
You tell me that I should use FS encryption - which I agree is a fine solution concerning the house front door. However, it does not help in any way to secure the back garden door.
Again - there is no such thing as unbreakable security; security is about creating obstacles to the intruder.

Regards,
Jana

silver_2000
504 Command not implemented
Posts: 7
Joined: 2007-10-06 22:19

Re: Filezilla FTP proxy stores Windows password in plain text

#54 Post by silver_2000 » 2009-07-13 21:38

I love filezilla and filezilla server

I use them both

There has been a recent significant uptick in web servers being exploited and javascript or iframes being inserted in every html file on the server. The culprit is believed to be malware that harvests FTP passwords and sends them to hackers who then run further scripts to infect servers. Filezilla may be a source of the passwords.

The discussion here is great but I'm not interested in Fort Knox security - you don't need Fort Knox to avoid being a target - just like the security on your house or your car - it doesn't have to be impenetrable - it simply has to be better than your neighbor's. Yes, if you lock the door they can break the window, BUT in many cases - most cases - they DON'T; they simply keep walking the parking lot looking for an open door.

In this case the bad guys are not going to spend a great deal of time banging on any particular file, client machine or server - they want the EASY scores. The open text passwords are EASY scores. http://blog.trendmicro.com/stolen-ftp-c ... ar-attack/

In this case some security of ANY kind would slow down the exploits that are occurring. Would it be 100%? No, but it would help. As was discussed, a key logger only gets the passwords I used between the time I was infected and the machine was detected and cleaned, not EVERY password ever entered.

The vast majority of computers are PCs. The VAST majority of them are Home editions. They can't do EFS.

Cypress
226 Transfer OK
Posts: 121
Joined: 2008-09-13 19:39
First name: J

being a dick to being helpful all in one post... and back ag

#55 Post by Cypress » 2009-07-14 06:14

jana.vasseru wrote: Again - there is no such thing as unbreakable security; security is about creating obstacles to the intruder.

Even if he did put an "obstacle" in, it wouldn't be hard to find out how to reverse it.. he said it probably 1,000+ times already, FileZilla is open source.

The only way you will get any effective/semi-effective security is if you implement it yourself... because then you will have a unique way of protection...
If you respond, "Well, I don't know how to do any programming.." Answer: shit, even if you half-ass know DOS commands (look them up for a refresher course) simply write a batch file (.bat) to copy any files which can/do contain passwords in them to a random folder (or just take them all), then delete the original files from the filezilla folder.. to hell with it.

Here is exactly what I am talking about:
Code from 'blah.bat' I made..


@echo off
rem Move the config files from the hiding folder back into the FileZilla profile
cd %ProgramFiles%\Yellow Stars
xcopy *.* "%APPDATA%\FileZilla\" /Y
del *.* /Q
rem Start FileZilla; the batch file waits here until the client is closed
"%ProgramFiles%\FileZilla FTP Client\filezilla.exe"
rem Move the config files back out to the hiding folder
cd %APPDATA%\FileZilla
xcopy *.* "C:\Program Files\Yellow Stars\" /Y
del *.* /Q

Now.. How the hell does one implement this simple garbage?
1. Open notepad
2. Copy and paste all the code into notepad
3. File->Save As make_a_random_name.bat (SAVE IT IN A RANDOM LOCATION AND MAKE IT A RANDOM NAME; WRITE BOTH DOWN OR REMEMBER THEM, YOU WILL NEED THEM)
4. Change the line 'cd %ProgramFiles%\Yellow Stars' to a random directory of your choice (preferably an empty/new dir somewhere)
5. Change the line 'xcopy *.* "C:\Program Files\Yellow Stars\"' to the same directory as in step 4.
6. Right click the FileZilla icon on the desktop -> Properties
7. Change the 'target' to point at the batch file you created earlier (that's why I told you to remember it or write it down)
8. Change 'start in' to point at the folder that contains the batch file
9. Double click the FileZilla icon (or right click, Open)

Here is why/how this works:
- You are the one randomly hiding the files; it is not 'standard code' in an open source program
- Every time FileZilla is opened and closed the needed files are moved (ONLY IF YOU USE THE ICON YOU EDITED)
- E.T. PHONE HOME! :wink:

Additional technique: The 'RENAME' command can also be used to add in more randomization/hiding.

Of course... there are downfalls to the above mentioned.. no, I'm not going to say them.
You want more protection? Create your own cipher functions and implement them... then the malware makers won't have easy access to your passwords because they won't have a fucking clue how to decipher them.
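The thread keeps coming back to the two files that hold credentials on disk: the site manager entries and the proxy setting. The following is an added audit script (not FileZilla's code and not from any post here) that a user or admin can run to find out which entries still store a password, without printing the secret itself. It assumes the FileZilla 3 XML layout (sitemanager.xml with <Server>/<Host>/<User>/<Logontype>/<Pass>, filezilla.xml with a <Setting name="Proxy password"> entry) and the logon type numbers used in the comments; the sample XML is constructed.

```python
# Added audit example (not FileZilla code): report which FileZilla config
# entries still hold a stored password, without printing the secret. Assumes
# the FileZilla 3 XML layout (element names below); real files live in %APPDATA%\FileZilla.
import xml.etree.ElementTree as ET

# Constructed sample sitemanager.xml: the first site stores its password
# (Logontype 1, assumed "normal"); the second uses interactive logon (assumed 3) and stores none.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host><User>alice</User>
      <Pass>hunter2</Pass><Logontype>1</Logontype><Name>prod web</Name>
    </Server>
    <Server>
      <Host>ftp.internal.test</Host><User>bob</User>
      <Logontype>3</Logontype><Name>intranet</Name>
    </Server>
  </Servers>
</FileZilla3>"""

# Constructed sample filezilla.xml with a stored proxy password.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Settings>
    <Setting name="Proxy user">DOMAIN\\alice</Setting>
    <Setting name="Proxy password">Secret1</Setting>
  </Settings>
</FileZilla3>"""

def stored_site_passwords(xml_text):
    """Return (name, host, user) for each site entry with a non-empty <Pass>."""
    hits = []
    for srv in ET.fromstring(xml_text).iter("Server"):
        if (srv.findtext("Pass") or "").strip():
            hits.append((srv.findtext("Name"), srv.findtext("Host"), srv.findtext("User")))
    return hits

def proxy_password_stored(xml_text):
    """True if filezilla.xml carries a non-empty 'Proxy password' setting."""
    for s in ET.fromstring(xml_text).iter("Setting"):
        if s.get("name") == "Proxy password" and (s.text or "").strip():
            return True
    return False

if __name__ == "__main__":
    for name, host, user in stored_site_passwords(SAMPLE_SITEMANAGER):
        print(f"stored password: site {name!r} ({user}@{host})")
    print("proxy password stored:", proxy_password_stored(SAMPLE_SETTINGS))
```

Entries it flags are the ones to switch to an interactive or ask-for-password logon type, or to clear in the proxy settings, before the files are ever copied off the machine.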

botg
Site Admin
Posts: 35562
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Filezilla FTP proxy stores Windows password in plain text

#56 Post by botg » 2009-07-14 07:07

Some recent malware inspects FTP traffic, it doesn't read config files.

technologist
500 Command not understood
Posts: 1
Joined: 2009-07-14 16:16
First name: c
Last name: scalia

Re: Filezilla FTP proxy stores Windows password in plain text

#57 Post by technologist » 2009-07-14 16:18

So the bottom line is the password is going to stay clear text? I think this is what everyone wants to know. Then we can move on. Thanks.

wrodz16
500 Command not understood
Posts: 1
Joined: 2009-07-15 11:39
First name: W
Last name: Rodz

Re: Filezilla FTP proxy stores Windows password in plain text

#58 Post by wrodz16 » 2009-07-15 13:08

We recently had a security issue: passwords were easily retrieved from these clear text files by a virus and used to inject code on websites... I'm sure we are not alone. We have several layers of protection... but the PC was still infected. It happens... everywhere. We had to scan the PC with 6 different popular virus scanning products before the virus was found.

All this discussion/debate in the forum shouldn't be necessary; once someone pointed out the issue of cleartext passwords, it should have been taken seriously and corrected... defending this as "as designed" or "you've got bigger problems if someone got your passwords" is really disturbing for so many reasons.

I, too, want to know if/what Filezilla plans to do.

silver_2000
504 Command not implemented
Posts: 7
Joined: 2007-10-06 22:19

Re: Filezilla FTP proxy stores Windows password in plain text

#59 Post by silver_2000 » 2009-07-15 13:48

The issue really isn't what the people here can or will do to secure or not store their passwords - this group is likely more technical than the average Joe and less likely to be exploited.

The issue is the popularity of Filezilla and the number of my customers on my server that are running it. Yes, I can turn on SFTP - but that doesn't help if the passwords are being stolen from the xml file. I can't force them all to run a Pro version of Windows and encrypt the appdata/filezilla folder. I can ask them to use another product though.

People bitch about the security of Windows, but for years it's been better IF the updates are applied on time. Eventually Microsoft built in auto updates and then later turned auto updates on by default. None of which would have been needed if the users kept things secure on their own. The reality is that they don't, so MS made it MUCH easier by automating it.
Not a great analogy but .....

jdratlif
226 Transfer OK
Posts: 392
Joined: 2008-12-30 10:30
First name: John
Last name: Ratliff
Location: In a small white padded room.

Re: Filezilla FTP proxy stores Windows password in plain text

#60 Post by jdratlif » 2009-07-15 19:29

I don't know why this thread is constantly revived. botg has made his position quite clear.

BTW: Anyone seen this? I thought it was interesting. http://it.slashdot.org/story/09/07/13/142210/RIP-FTP
http://jdrrant.blogspot.com/ - CODEpendent Blog
