
Blackmoon FTP Server cleartext passwords and User enumeration


Telhack 026 Inc. Security Advisory - #4
_________________________________________

Name: Blackmoon FTP Server 2.6 Free Edition
Impact: Medium
Date: May 21 / 2003
_________________________________________

Daniel Nyström a.k.a. excE <exce@netwinder.nu>



_I N F O_

BlackMoon FTP Server is an FTP daemon written specifically for Windows
2000/XP and above. It takes advantage of the new features in those
operating systems, such as I/O completion ports, thread pooling, running as a
system service, using the built-in SSL certificate stores, authenticating
against Active Directory or remote NTLM, accessing network shares,
impersonating an NT user and more. More at: www.blackmoonftpserver.com

The non-free editions have not been tested.



_P R O B L E M_

There are two problems with this software.

* User/password data is stored in plaintext.
* Usernames are easy to enumerate.



_I M P A C T_

Users with physical access can steal the database and extract user/pass
pairs from it.
Malicious remote users can detect valid usernames on the FTP server.



_E X P L O I T I N G_

The plaintext usernames/passwords are stored in the file blackmoon.mdb in the
Blackmoon FTP directory. To extract them use standard Windows software such
as MS Access or MS Excel.

To find out whether a username is valid, you just look at the server
responses.

Valid username with invalid password:
530-Login incorrect. Name[ValidUser] Pass[NotValidPass]

Invalid username with invalid password:
530-Account does not exist. Name[NotValidUser]
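The two replies above differ, so a username sweep shows up in the server log as a burst of "Account does not exist" replies with varying names from one source. The following is an added example, not part of the advisory: a small detector run over constructed log lines (the log format "<timestamp> <source-ip> <reply>" is an assumption, not Blackmoon's real format; the reply texts are the ones quoted above), plus the uniform-reply fix a server should return instead.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format: "<ts> <src-ip> <server reply>").
# The reply strings are the two distinguishable 530 messages from the advisory.
SAMPLE_LOG = """\
2003-05-21T10:00:01 10.0.0.5 530-Account does not exist. Name[alice]
2003-05-21T10:00:02 10.0.0.5 530-Account does not exist. Name[bob]
2003-05-21T10:00:03 10.0.0.5 530-Login incorrect. Name[carol] Pass[hunter2]
2003-05-21T10:00:04 10.0.0.5 530-Account does not exist. Name[dave]
2003-05-21T10:00:05 10.0.0.5 530-Account does not exist. Name[erin]
2003-05-21T10:00:06 10.0.0.5 530-Account does not exist. Name[frank]
2003-05-21T10:05:00 192.168.1.9 530-Login incorrect. Name[carol] Pass[wrongpw]
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) 530-(Account does not exist|Login incorrect)\. Name\[([^\]]*)\]"
)

def parse_log(text):
    """Yield (timestamp, src_ip, kind, username) for every 530 reply in the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4)

def enumeration_suspects(text, threshold=5):
    """Return {src_ip: sorted(usernames)} for every source that was told
    'Account does not exist' for at least `threshold` distinct names.
    Many different non-existent names from one source is the signature of
    a username sweep; a user mistyping a password produces 'Login incorrect'."""
    probed = defaultdict(set)
    for _ts, ip, kind, user in parse_log(text):
        if kind == "Account does not exist":
            probed[ip].add(user)
    return {ip: sorted(u) for ip, u in probed.items() if len(u) >= threshold}

def uniform_reply():
    """Server-side mitigation: one reply for both failure cases, so a remote
    client cannot tell a bad username from a bad password. It also stops
    echoing the submitted credential (the Name[...] Pass[...] tail) back."""
    return "530 Login incorrect."

def leaks_account_state(reply_unknown_user, reply_bad_password):
    """True when the two failure replies differ, i.e. accounts are enumerable."""
    return reply_unknown_user != reply_bad_password
```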

A tool for enumerating users in a bruteforce manner will be available on
www.telhack.tk next week.


Daniel Nyström, excE
----------------------------------
exce@netwinder.nu
http://www.telhack.tk
http://exce.ath.cx
