Full Disclosure mailing list archives
RE: Re: IRCXpro 1.0 - Clear local and default remote admin passwords
From: Mads Tansø <azmodan () linux online no>
Date: Tue, 3 Jun 2003 18:25:50 +0200
Concerning point 1; It is not usual for irc servers to store clear passwords in the IRCD.config files. Hybrid uses hashed password made with mkpasswd, genesis uses rijndael, nnircd for a sample uses some kinda of hash (based on ircd2 if I dont remember to wrong). Using encrypted passwords are not cause of remote or local users, its just IF the server should get hacked it is not good to let the ircd.conf reveal the passwords. This also goes for linkpasswords. Imho the c/n's should also be a crypted line, but then again, thats my oppinion. :) Az. -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of IRCXpro Support Sent: 3. juni 2003 14:53 To: morning_wood; bugtraq () securityfocus com; full-disclosure () lists netsys com Subject: [Full-disclosure] Re: IRCXpro 1.0 - Clear local and default remote admin passwords To whom it concerns, Regarding the vulnerability in the advisory for IRCXpro 1.0 They are of minuscule threat and not worth the attention. Vulnerability(s): 1. Local clear passwords Our Reply: It is common place for all IRC Server applications to store clear passwords in the IRCD.config files. The nature of the program is for it to be used by Remote Users, NOT local ones. 2. Remote default admin enabled Our Reply: The user is prompted before the server starts for the first time to set their own Operator Name and Password during the Initial Wizard for their administrator account. (See initial.gif file attachment) The fragment >> Serv.LogonSettings "LocalHost", 7100, "admin", "password" << is from a sample .ASP page found in the IRCXpro SDK (Software Development Kit). In order for this sample to work, the real operator name and password needs to be inserted before being placed on IIS (Internet Information Services). Regards, IRCXpro Support Quality On Line Ltd ----- Original Message ----- From: "morning_wood" <se_cur_ity () hotmail com> To: <bugtraq () securityfocus com>; <full-disclosure () lists netsys com>; <support () ircxpro com>; <sales () ircxpro com> Sent: Tuesday, June 03, 2003 8:57 AM Subject: IRCXpro 1.0 - Clear local and default remote admin passwords
------------------------------------------------------------------ - EXPL-A-2003-002 exploitlabs.com Advisory 002 ------------------------------------------------------------------ -=- IRCXpro 1.0 -=- Vunerability(s): ---------------- 1.local clear passwords 2.remote default admin enabled Product: -------- IRCXpro Server 1.0 http://www.ircxpro.com Reviews: -------- http://www.serverwatch.com/sreviews/article.php/1501261 http://reviews.zdnet.co.uk/review/41/2/3418.html Description of product: ----------------------- "IRCXpro is a feature rich Internet Relay-Chat (IRC/IRCX) Server that can provide the basis for an interactive online community. Guests will be able to take part in conversation using either an Internet Browser chat client or 3rd party chat software." VUNERABILITY / EXPLOIT ====================== Local: ------ All passwords and user names are inside settings.ini ... in the clear Remote: ------- Default Settings... Remote admin. Serv.LogonSettings "LocalHost", 7100, "admin", "password" Vendor Fix: ----------- No fix on 0day Vendor Contact: --------------- sales () ircxpro com support () ircxpro com Concurrent with this advisory Credits: -------- Donnie Werner http://exploitlabs.com "where finding your holes is job one, and
plugging
them twice the phun" morning_wood () exploitlabs com Corporate Security Needs at http://fram4.com Security Systems
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- IRCXpro 1.0 - Clear local and default remote admin passwords morning_wood (Jun 03)
- Re: IRCXpro 1.0 - Clear local and default remote admin passwords IRCXpro Support (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords IRCXpro Support (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Michael Osten (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords morning_wood (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Васил Колев (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Shawn McMahon (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 03)
- Re: IRCXpro 1.0 - Clear local and default remote admin passwords IRCXpro Support (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 04)
- <Possible follow-ups>
- RE: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Cushing, David (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords morning_wood (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Pablo Sol (Jun 04)
- RE: Re: IRCXpro 1.0 - Clear local and default remote admin passwords tido (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 04)