[12338] in bugtraq


e/pop vulnerability

daemon@ATHENA.MIT.EDU (chaos 255)
Tue Oct 26 14:18:21 1999

Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-Id:  <19991025233128.76149.qmail@hotmail.com>
Date:         Mon, 25 Oct 1999 16:31:27 PDT
Reply-To: chaos 255 <chaos255@HOTMAIL.COM>
From: chaos 255 <chaos255@HOTMAIL.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Out of the box, the e/pop application has no security settings enabled.  Any
peer can take control of your desktop without warning.

The initial configuration notwithstanding, I sent an email to
support@wirered.com about a vulnerability in the way the software exchanges
security codes over the network:

Software Affected
-----------------
WiredRed e/pop 2.0.3.125

Description
-----------
Security Codes configured in the e/pop Control Panel are sent in the
clear. Several security codes can be configured from the e/pop control
panel:

  Global: must be installed on each e/pop peer in order to
          communicate and is also used to restrict access to the
          control panel.

  Features: Send and Receive codes can be configured for each of the
          following features: Message, Chat, Admin, Remote, and
          AppShare.


Impact
------
Security codes can be easily snooped and used to communicate with and/or
take control of e/pop peers that have security codes configured.


Suggestion
----------
Send a message digest (e.g. MD5) of the security code instead of sending it
in the clear.


The following was the response I received:

>
>Thank you for your suggestion, but physical security is not the
>responsibility of e/pop, but the responsibility of your company.  If someone
>has the ability to snoop your network with a packet sniffer, then they have
>the ability to install password grabbing trojans on your PCs and various
>other things.
>
>That is why security classifications such as C2 do not extend to physical
>premises security and control for software, and companies like Novell and
>Microsoft who meet these requirements are still vulnerable in physical
>security attacks, such as console access.
>
>We appreciate your suggestions though and will take them into consideration
>as MD5 and RC6 security is used internally within e/pop to encode codes.
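
An added illustration, not part of the original post or of e/pop's code: it compares the suggested digest, if the same value is sent on every exchange, with a nonce-based challenge-response, and shows which recorded values a peer would accept again. The post does not describe e/pop's wire format, so `Peer`, `static_digest`, `respond` and the sample code value are hypothetical names and constructed data modelling a generic shared-code check.

```python
import hashlib
import hmac
import secrets

SECURITY_CODE = b"constructed-sample-code"  # constructed value, not a real e/pop code


def static_digest(code: bytes) -> bytes:
    # The suggestion taken literally: the same MD5(code) is sent every time.
    return hashlib.md5(code).digest()


def respond(code: bytes, nonce: bytes) -> bytes:
    # Challenge-response variant: keyed digest over the peer's fresh nonce.
    return hmac.new(code, nonce, hashlib.sha256).digest()


class Peer:
    """Hypothetical receiving peer that holds the shared security code."""

    def __init__(self, code: bytes):
        self._code = code
        self._pending = set()  # nonces issued and not yet answered

    def accepts_static_digest(self, msg: bytes) -> bool:
        return hmac.compare_digest(msg, static_digest(self._code))

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def accepts_response(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already-used nonce
        self._pending.discard(nonce)
        return hmac.compare_digest(response, respond(self._code, nonce))


def demo() -> dict:
    peer = Peer(SECURITY_CODE)
    seen_digest = static_digest(SECURITY_CODE)  # value an observer records
    nonce = peer.new_challenge()
    seen_response = respond(SECURITY_CODE, nonce)  # also recorded
    return {
        "legitimate_response": peer.accepts_response(nonce, seen_response),
        "static_digest_replayed": peer.accepts_static_digest(seen_digest),
        "response_replayed": peer.accepts_response(peer.new_challenge(), seen_response),
    }
```

A fixed digest is accepted whenever it is presented again, so it only hides the code's text; the keyed response is bound to one nonce and is rejected on any later challenge.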
