Message-ID: <Law11-OE34aEtnhM8LX00013dc3@hotmail.com>
Date: Tue, 3 Jun 2003 10:33:20 -0700
From: "morning_wood" <se_cur_ity@...mail.com>
To: "IRCXpro Support" <support@...xpro.com>,
"Darren Reed" <avalon@...igula.anu.edu.au>
Cc: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>
Subject: Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords
Scenario of a remote compromise via IRCXpro cleartext passwords.
System: NT / Win2k
Small LAN Topology
System A = webserver
System B = ircd
System A is connected to net running bigsite.com
System A is compromised with a low-level password / user allowing file read
access
Attacker uses LAN to read cleartext passwords in settings.ini
ALL ACCOUNTS NOW COMPROMISED.
need there be more?
as an addendum
If you previously used IRCXplus ( little brother ) old passwords are stored at
HKEY_USERS\*\Software\VB and VBA Program Settings\IRCplus\Remote
there is no excuse for a plaintext password in an .ini file period. Any
computer with multiple users is vulnerable to password discovery and
disclosure. hint - hash yer pass
Donnie Werner
http://exploitlabs.com
----- Original Message -----
From: "IRCXpro Support" <support@...xpro.com>
To: "Darren Reed" <avalon@...igula.anu.edu.au>
Cc: "morning_wood" <se_cur_ity@...mail.com>; <bugtraq@...urityfocus.com>;
<full-disclosure@...ts.netsys.com>
Sent: Tuesday, June 03, 2003 8:31 AM
Subject: Re: [Full-Disclosure] Re: IRCXpro 1.0 - Clear local and default
remote admin passwords
> Reply to Feedback from Darren:
>
> > Firstly, there has been support for storing passwords, encrypted, in
> > configuration files on Unix for over 10 years, if not longer. I can
>
> The reason why IRC servers' "IRCD.config" files don't use encryption (see
> file attachment for example) is because 49 times out of 50 they do not come
> with a GUI program. Administrators' main method of changing the
> configuration is to manually edit the file using a notepad utility.
>
> > at leisure. Windows, Linux, it does not matter, there are security
> > threats to all environments that when exploited give outsiders some
> > sort of "local access".
>
> Then in this case this would be an operating system vulnerability.
>
> Overuse of encrypted passwords can be counterproductive to
> functionality.
> There are good reasons to keep passwords in clear text to better
> interface with other software.
> For example Merak Mail server software
> (http://www.icewarp.com/Products/Merak_Email_Server_Software/)
> When using this mail server, it can store the accounts on an SQL Server.
> The passwords are stored clear text. This enables other software to
> interface with its data to create and sync its accounts/passwords with
> other systems.
>
> However we will give the issue raised due attention in our next version
> release and appreciate everybody's efforts & feedback to further improve
> our product.
>
> Regards,
> IRCXpro Support
>
>
>
> ----- Original Message -----
> From: "Darren Reed" <avalon@...igula.anu.edu.au>
> To: "IRCXpro Support" <support@...xpro.com>
> Cc: "morning_wood" <se_cur_ity@...mail.com>; <bugtraq@...urityfocus.com>;
> <full-disclosure@...ts.netsys.com>
> Sent: Tuesday, June 03, 2003 3:10 PM
> Subject: Re: [Full-Disclosure] Re: IRCXpro 1.0 - Clear local and default
> remote admin passwords
>
>
> > In some mail from IRCXpro Support, sie said:
> > >
> > > Vulnerability(s):
> > > 1. Local clear passwords
> > >
> > > Our Reply: It is commonplace for all IRC Server applications to store
> > > clear passwords in the IRCD.config files. The nature of the program is
> > > for it to be used by Remote Users, NOT local ones.
> >
> > There are a couple of extremely bad comments in these two sentences,
> > let us dwell on it for a moment or two.
> >
> > Firstly, there has been support for storing passwords, encrypted, in
> > configuration files on Unix for over 10 years, if not longer. I can
> > go pull out some source code of that vintage with support for using
> > crypt() to validate passwords if you're in doubt.
> >
> > Now, be that as it may, you've made a somewhat fatal assumption in
> > your justification - that the remote users will never have any other
> > access to the server that would let them browse the configuration
> > at leisure. Windows, Linux, it does not matter, there are security
> > threats to all environments that when exploited give outsiders some
> > sort of "local access".
> >
> > I find it somewhat disturbing to see development of inferior security
> > standards in products based on the supposition that nobody practises
> > good security with the various IRC server passwords.
> >
> > Darren
> >
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
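As an added example (not part of any post in this thread and not IRCXpro's code), the following shows the alternative the thread asks for: an ini-style settings file whose admin password is stored as a salted hash and verified at login, in the spirit of "hash yer pass" and Darren's crypt() point. The section and key names, the stored-hash layout and the sample password are constructed for the example.

```python
# Replace a cleartext AdminPassword in an ini-style settings file with a salted
# PBKDF2 hash and verify logins against it. Example code, not IRCXpro's; the
# section/key names, stored-hash layout and sample password are constructed.
import configparser
import hashlib
import hmac
import io
import secrets

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000
SECTION, KEY = "Remote", "AdminPassword"
# Constructed sample of the weak layout: anyone who can read the file has the password.
LEGACY_INI = "[Remote]\nAdminPassword = hunter2\n"

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing 'algo$iters$salt_hex$hash_hex' string for storage."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, candidate: str) -> bool:
    """Check a login attempt against the stored string; a bare cleartext value never matches."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    _, iters, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)  # constant-time comparison

def _parse(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case exactly as written in the file
    cfg.read_string(text)
    return cfg

def stored_value(text: str) -> str:
    """Read the AdminPassword entry from ini text."""
    return _parse(text)[SECTION][KEY]

def migrate_ini(text: str) -> str:
    """Hash a cleartext entry in place; an already-hashed entry is left untouched."""
    cfg = _parse(text)
    if not cfg[SECTION][KEY].startswith(ALGO + "$"):
        cfg[SECTION][KEY] = hash_password(cfg[SECTION][KEY])
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()
```

Running migrate_ini once over an existing file removes the cleartext value; a reader who obtains the file afterwards gets only a salted hash that still has to be brute-forced per account.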