CVE-2005-1094 in ftp now

Summary

by MITRE

ftp now 2.6.14 stores usernames and passwords in plaintext in sites.xml, which is world-readable, which allows local users to gain privileges.


Analysis

by VulDB Data Team • 07/01/2021

The vulnerability described in CVE-2005-1094 is a critical security flaw in ftp now 2.6.14 that exposes authentication credentials through improper file permissions. The affected application, ftp now, is a command-line file transfer utility that allows users to connect to FTP servers and manage files remotely. The vulnerability stems from the application's failure to implement proper access controls when storing authentication information in the sites.xml configuration file. This file contains usernames and passwords stored in plaintext rather than being encrypted or obfuscated, creating a significant security risk for systems running this version of the software.

The flaw lies in how the application handles user authentication data for FTP site connections. When users configure FTP connections through the ftp now utility, the application creates a sites.xml file that persists these credentials for future use. Because this configuration file is created with world-readable permissions, any local user on the system can access its contents without authentication. The plaintext storage of credentials violates fundamental security principles and creates an attack surface where unauthorized local users can extract sensitive information through simple file read operations. This type of vulnerability aligns with CWE-312, which addresses the exposure of sensitive information through improper data handling, and represents a classic case of insecure credential storage that can lead to privilege escalation attacks.

The operational impact of this vulnerability extends beyond simple credential theft to potential privilege escalation and system compromise. Local users who can read the sites.xml file gain access to authentication credentials for multiple FTP servers, potentially allowing them to access sensitive corporate or personal data stored on remote systems. The vulnerability is particularly dangerous in multi-user environments where different users share the same system or where system administrators may have configured ftp now with elevated privileges. Attackers can leverage this information to establish persistent access to remote systems, conduct reconnaissance activities, or move laterally within network environments. The attack pattern follows typical privilege escalation techniques outlined in the MITRE ATT&CK framework under T1068, which covers local privilege escalation through credential access, and T1566, which covers credential access through insecure file storage.

Mitigation for this vulnerability requires immediate implementation of proper file permission controls and credential management practices. System administrators should change the file permissions of sites.xml to restrict access to the owning user only, typically using chmod 600 or equivalent commands. The application should be updated to the latest available version where this vulnerability has been addressed through proper credential encryption or secure storage mechanisms. Additionally, organizations should implement regular security audits to identify and remediate similar vulnerabilities in other applications that store sensitive information. The remediation process should include configuration reviews to ensure that no other files containing authentication credentials are stored with insecure permissions. Security best practices recommend implementing centralized credential management solutions such as password managers or secure vaults that can store authentication information with appropriate access controls and encryption, thereby eliminating the risk of plaintext credential exposure in configuration files.
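
The permission review and chmod 600 fix described above, as an added example (not code from VulDB or from the ftp now project). It assumes a POSIX system; the helper name audit_credential_files, the search root and the sample file contents are constructed for illustration.

```python
import os
import stat
import tempfile

# File name taken from the advisory; add others found during a configuration review.
CREDENTIAL_FILES = {"sites.xml"}
OWNER_ONLY = 0o600  # equivalent of `chmod 600`


def audit_credential_files(root, names=CREDENTIAL_FILES, fix=False):
    """Find credential files under root that grant any access to group/other.

    Returns a list of (path, old_mode, new_mode); new_mode differs only if fix=True.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in names:
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077 == 0:
                continue  # already owner-only
            new_mode = mode
            if fix:
                os.chmod(path, OWNER_ONLY)
                new_mode = stat.S_IMODE(os.lstat(path).st_mode)
            findings.append((path, mode, new_mode))
    return findings


def demo():
    """Run the audit against a constructed tree (sample data, not real credentials)."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "sites.xml")
        with open(path, "w") as fh:
            fh.write('<site user="demo" password="constructed-sample"/>\n')
        os.chmod(path, 0o644)  # world-readable, as in the advisory
        before = audit_credential_files(root)
        after = audit_credential_files(root, fix=True)
        return [(oct(b[1]), oct(a[2])) for b, a in zip(before, after)]


if __name__ == "__main__":
    print(demo())
```

Tightening the mode stops further local reads, but the passwords in the file are still plaintext and may already have been read while the file was world-readable.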

Reservation

04/13/2005

Disclosure

04/08/2005

Moderation

accepted

Entry

VDB-24153

CPE

ready

Exploit

Download

EPSS

0.00150

KEV

no

Activities

very low
