Full Disclosure mailing list archives
Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Tue, 3 Jun 2003 10:33:20 -0700
Scenario of a remote compromise via IRCXpro cleartext passwords. System: NT / Win2k Small Lan Toploogy System A. = webserver System B = ircd System A is connected to net running bigsite.com System A is compromized with a lowlevel password / user alowing file read access Attacker uses lan to read cleartext passwords in settings.ini ALL ACCOUNTS NOW COMPROMIZED. need there be more? as an addendun If you previously used IRCXplus ( little brother ) old passwords are stored at HKEY_USERS\*\Software\VB and VBA Program Settings\IRCplus\Remote there is no excuse for a plaintext passsword in an .ini file period. Any computer with multiple users is vunerable to password discovery and disclosure. hint - hash yer pass Donnie Werner http://exploitlabs.com ----- Original Message ----- From: "IRCXpro Support" <support () ircxpro com> To: "Darren Reed" <avalon () caligula anu edu au> Cc: "morning_wood" <se_cur_ity () hotmail com>; <bugtraq () securityfocus com>; <full-disclosure () lists netsys com> Sent: Tuesday, June 03, 2003 8:31 AM Subject: Re: [Full-disclosure] Re: IRCXpro 1.0 - Clear local and default remote admin passwords
Reply to Feedback from Darren:Firstly, there has been support for storing passwords, encrypted, in configuration files on Unix for over 10 years, if not longer. I canThe reason why IRC servers "IRCD.config" files don't use encryption (see file attachment for example) is because 49 times out of 50 they do not
come
with a GUI program. Administrators main method of changing the configuration is to manually edit the file using a notepad utility.at leisure. Windows, Linux, it does not matter, there are security threats to all environments that when exploited given outsiders some sort of "local access".Then in this case this would be an operating system vulnerability. Overuse in the use of encrypted passwords can be counter productive to functionality. There are good reasons to keep passwords clear text passwords to better interface with other software. For example Merak Mail server software (http://www.icewarp.com/Products/Merak_Email_Server_Software/) When using this mail server, it can store the accounts on an SQL Server. The passwords are stored clear text. This enables other software to interface with its data to create and sync its accounts/passwords with
other
systems. However we will give the issue raised due attention in our next version release and appreciate everybody's efforts & feedback to further improving our product. Regards, IRCXpro Support ----- Original Message ----- From: "Darren Reed" <avalon () caligula anu edu au> To: "IRCXpro Support" <support () ircxpro com> Cc: "morning_wood" <se_cur_ity () hotmail com>; <bugtraq () securityfocus com>; <full-disclosure () lists netsys com> Sent: Tuesday, June 03, 2003 3:10 PM Subject: Re: [Full-disclosure] Re: IRCXpro 1.0 - Clear local and default remote admin passwordsIn some mail from IRCXpro Support, sie said:Vulnerability(s): 1. Local clear passwords Our Reply: It is common place for all IRC Server applications to storeclearpasswords in the IRCD.config files. The nature of the program is for
it
tobe used by Remote Users, NOT local ones.There are a couple of extremely bad comments in these two sentences, let us dwell on it for a moment or two. Firstly, there has been support for storing passwords, encrypted, in configuration files on Unix for over 10 years, if not longer. I can go pull out some source code of that vintage with support for using crypt() to validate passwords if you're in doubt. Now, be that as it may, you've made a somewhat fatal assumption in your justification - that the remote users will never have any other access to the server that would let them browse the configuration at leisure. Windows, Linux, it does not matter, there are security threats to all environments that when exploited given outsiders some sort of "local access". I find it somewhat disturbing to see development of inferior security standards in products based on the supposition that nobody practises good security with the various IRC server passwords. Darren
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- IRCXpro 1.0 - Clear local and default remote admin passwords morning_wood (Jun 03)
- Re: IRCXpro 1.0 - Clear local and default remote admin passwords IRCXpro Support (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords IRCXpro Support (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Michael Osten (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords morning_wood (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Васил Колев (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Shawn McMahon (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 03)
- Re: IRCXpro 1.0 - Clear local and default remote admin passwords IRCXpro Support (Jun 03)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 04)
- <Possible follow-ups>
- RE: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Cushing, David (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords morning_wood (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Pablo Sol (Jun 04)
- RE: Re: IRCXpro 1.0 - Clear local and default remote admin passwords tido (Jun 04)
- Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords Darren Reed (Jun 04)