FTPx FTP Explorer Weak Password Encryption Vulnerability
FTP Explorer includes the option to store profiles of visited FTP sites. The user's name and password can also be stored. These stored values are kept in the registry, under the key HKCU\Software\FTP Explorer\Profiles\ProfileName\ . The password is encrypted, but the encryption mechanism is weak and can easily be broken.
Each character in the password is incremented by 9, then incremented by (3(n - 1)), n being the characters position in the password. Therefore, a password of AAA (A=41) would be stored as:
[A+9+3(1-1)] [A+9+3(2-1)] [A+9+3(3-1)], or 4A4D50.
*NOTE* This algorithm does not seem to apply for characters outside the range 0x20 - 0x7F. However, it is still possible to make a character based function f(x) such that the algorithm encrypts xyz as [f(x)+3(1-1)] [f(y)+3(2-1)] [f(z)+3(3-1)]. It is trivial to construct such a function for all 256 possible character values with a dictionary approach.