Re: FW: Filesystem Access + VolanoChat = VChat admin (fwd)

["K, KRazY" <krazy-k () shell acadiacom net>]

I would like to apologize for the misunderstanding between myself and
Volano LLC.  I don't understand what happened to the network that
prevented me from receiving their email.  I used a real address that I
receive tons of mail to everyday.  I was unaware of any network problem on
the days that the vendor attempted to contact me.  I am in no way
attempting to "threaten" the vendor.  I always work with the vendor when
they respond and understand now that Volano did attempt to respond.

I don't understand how Carel Neffenger can say "... obviously not a
security issue, and is a simple matter of directory and file permissions."
Normally files that are installed by a product are locked down or there is
a section in the documentation to cover a secure configuration.

The issue is now understood so admins can configure securely (currently
some are not).

Thanks!
KraZY-k


On Mon, 6 Nov 2000, Volano Support wrote:

> Hello Brad:
>
> The reply to this person's email is below.
>
> Also, as you can see, numerous attempts, from August 2-9, were made
> to send to this person's email address. However, each and every
> attempt returned a permanent fatal error with their email address.
>
> We reply promptly to all emails. However, we cannot assist when
> erroneous email addresses are provided. It is unfortunate that we
> were "threatened" by this person about "going public" with what is
> obviously not a security issue, and is a simple matter of directory
> and file permissions.
>
> If you are a member of this list, please notify others to use valid
> email addresses if they expect a response.
>
> Sincerely,
> Carel Neffenger
>
>
> > -----Original Message-----
> > From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of K,
> > KRazY
> > Sent: Sunday, November 05, 2000 9:54 AM
> > To: BUGTRAQ () SECURITYFOCUS COM
> > Subject: Filesystem Access + VolanoChat = VChat admin (fwd)
> >
> >
> > Title: VolanoChatPro stores plain text password in a publicly accessible
> > file.
> > Date: November 4, 2000
> > Risk: Low. No system privileges are granted.
> > Vendor Site: http://www.volano.com
> >
> >
> > =================================================
> > VolanoChatPro, a widely used chat server on the Internet, allows anyone
> > with access to the filesystem to obtain chat server admin access.
> >
> > In the directory where VolanoChatPro is installed, there is a file named
> > "properties.txt".  This file stores the config for the server, including
> > the value of server.password and admin.password.  After install, the
> > permissions on this file are "-rw-r--r--".
> >
> > I contacted the vendor on August 2, 2000 and have gotten no response.  I
> > think a workaround would be to change the permissions so that only the
> > owner can read the file.  I asked the vendor if this would cause any other
> > problems or if the product would reset the permissions and got no
> > response. This is not addressed in documentation.
> >
> > I was saddened to see that the company lists many high profile customers
> > (Sun, Rational, AT&T Worldnet, Dept. of Energy, etc. See
> > http://www.volano.com/customers.html), but wouldn't respond to a security
> > email.
> >
> >
> >
> > .:Shout outs to:.
> >  - /* Commander Crash */  -- Driver, pull over at the next cross-over.
> >  - Scanman
>
>
>
>
> > Date: Wed, 9 Aug 2000 11:47:41 -0800
> > To: krazy-k () acadiacom net
> > From: Volano Support <support () volano com>
> > Subject: Fwd: Returned mail: Cannot send message within 5 days
> > Cc:
> > Bcc:
> > X-Attachments:
> >
> > > Date: Wed, 9 Aug 2000 09:11:56 -0700
> > > From: Mail Delivery Subsystem <MAILER-DAEMON () server1 volano com>
> > > To: <support () volano com>
> > > Subject: Returned mail: Cannot send message within 5 days
> > > Auto-Submitted: auto-generated (failure)
> > >
> > >
> > >
> > > The original message was received at Fri, 4 Aug 2000 08:21:42 -0700
> > > from vp029.dds01.sea.blarg.net [206.124.137.29]
> > >
> > >    ----- The following addresses had permanent fatal errors -----
> > > <krazy-k () shell acadiacom net>
> > >
> > >    ----- Transcript of session follows -----
> > > <krazy-k () shell acadiacom net>... Deferred: Name server:
> > > shell.acadiacom.net.: host name lookup failure
> > > Message could not be delivered for 5 days
> > > Message will be deleted from queue
> > >
> > > Reporting-MTA: dns; server1.volano.com
> > > Arrival-Date: Fri, 4 Aug 2000 08:21:42 -0700
> > >
> > > Final-Recipient: RFC822; krazy-k () shell acadiacom net
> > > Action: failed
> > > Status: 4.4.7
> > > Remote-MTA: DNS; shell.acadiacom.net
> > > Last-Attempt-Date: Wed, 9 Aug 2000 09:11:56 -0700
> > >
> > > Return-Path: <support () volano com>
> > > Received: from [216.225.114.67] (vp029.dds01.sea.blarg.net [206.124.137.29])
> > >    by server1.volano.com (8.9.3/8.9.3) with ESMTP id IAA32229
> > >    for <krazy-k () shell acadiacom net>; Fri, 4 Aug 2000 08:21:42 -0700
> > > Mime-Version: 1.0
> > > X-Sender: support () mail volano com (Unverified)
> > > Message-Id: <p04320409b5b08cf19c26@[216.225.114.67]>
> > > In-Reply-To:
> > >  <Pine.LNX.3.96.1000803152202.10822A-100000 () shell acadiacom net>
> > > References: <Pine.LNX.3.96.1000803152202.10822A-100000 () shell acadiacom net>
> > > Date: Fri, 4 Aug 2000 08:09:55 -0700
> > > To: krazy-k () shell acadiacom net
> > > From: Volano Support <support () volano com>
> > > Subject: Re: Security: Telnet + VChat = VChat admin (fwd)
> > > Content-Type: text/plain; charset="us-ascii" ; format="flowed"
> > >
> > > Hello:
> > >
> > > The email address you supply is being returned as undeliverable.
> > > Below is a forward of my email from Wednesday.
> > >
> > > > Date: Wed, 2 Aug 2000 10:07:42 -0700
> > > > To: krazy-k () shell acadiacom net
> > > > From: Volano Support <support () volano com>
> > > > Subject: Re: Security: Telnet + VChat = VChat admin
> > > > Cc:
> > > > Bcc:
> > > > X-Attachments:
> > > >
> > > > > Hi.  I took a quick look at your VolanoChatPro product.  I noticed that
> > > > > your product sets the file properties.txt with the following permissions,
> > > > > "-rw-r--r--".  Since this file is readable by anyone, it is possible for
> > > > > anyone with filesytem access to read the file and obtain the value of
> > > > > server.password and admin.password.  Once someone has these, obviously bad
> > > > > things can happen.
> > > > >
> > > > > I didn't see this issue addressed in online documentation.
> > > > >
> > > > > Are there any plans to fix this?  If I manually set the permissions, will
> > > > > your product change the permission back to "-rw-r--r--" or can I rely on
> > > > > the permissions staying the same?
> > > > >
> > > > > Thanks.
> > > >
> > > > If you're running on a multi-user system where others have login
> > > > accounts, then of course, you should change the permissions so
> > > > that other users can't read the file. The VolanoChat server will
> > > > leave the permissions as you define them.
> > > >
> > > > For example, you could set it to:
> > > >    chmod 600 properties.txt
> > > >
> > > > That will set it so only the userid under which you installed and
> > > > start the VolanoChat server can read the file.
> > > >
> > > > Also, make sure that the files are not publically available under
> > > > your web server directories.
> > > >
> > > > Sincerely,
> > > > Carel Neffenger
> > >
> > >
> > >
> > > > I have heard no response from you.
> > > >
> > > > I will go public in 2 weeks.
> > > >
> > > > ---------- Forwarded message ----------
> > > > Date: Wed, 2 Aug 2000 07:32:38 -0500 (CDT)
> > > > From: krazy-k () shell acadiacom net
> > > > To: support () volano com
> > > > Cc: security () volano com
> > > > Subject: Security: Telnet + VChat = VChat admin
> > > >
> > > > Hi.  I took a quick look at your VolanoChatPro product.  I noticed that
> > > > your product sets the file properties.txt with the following permissions,
> > > > "-rw-r--r--".  Since this file is readable by anyone, it is possible for
> > > > anyone with filesytem access to read the file and obtain the value of
> > > > server.password and admin.password.  Once someone has these, obviously bad
> > > > things can happen.
> > > >
> > > > I didn't see this issue addressed in online documentation.
> > > >
> > > > Are there any plans to fix this?  If I manually set the permissions, will
> > > > your product change the permission back to "-rw-r--r--" or can I rely on
> > > > the permissions staying the same?
> > > >
> > > > Thanks.
> > >
> > > --
> > > ------------------------------------------------------------------
> > > Volano LLC
> > > 331 Andover Park East, #240, Seattle, WA 98188-7601
> > > tel (206) 575-9129
> > > fax (909) 498-9986
> > > mailto:support () volano com
> > >
> > > Volano LLC Home Page
> > >     http://www.volano.com/
> > >
> > > Volano Chat Administrator Guides:
> > >     http://www.volano.com/documentation.html
>
> --
> --------------------------------------------------------
> Volano LLC
> 331 Andover Park East, #240, Seattle, WA 98188-7601
> tel (206) 575-9129 -- fax (909) 498-9986
> mailto:support () volano com
>
> Volano LLC Home Page
>      http://www.volano.com/
>
> Volano Chat Administrator Guides:
>      http://www.volano.com/documentation.html