[17546] in bugtraq
Re: FW: Filesystem Access + VolanoChat = VChat admin (fwd)
daemon@ATHENA.MIT.EDU (K, KRazY)
Tue Nov 7 14:21:35 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.3.96.1001107084754.24102A-100000@shell.acadiacom.net>
Date: Tue, 7 Nov 2000 08:56:08 -0600
Reply-To: krazy-k@shell.acadiacom.net
From: "K, KRazY" <krazy-k@shell.acadiacom.net>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <p0501040bb62caf92ac50@[192.168.1.2]>
I would like to apologize for the misunderstanding between myself and
Volano LLC. I don't understand what happened to the network that
prevented me from receiving their email. I used a real address that I
receive tons of mail to everyday. I was unaware of any network problem on
the days that the vendor attempted to contact me. I am in no way
attempting to "threaten" the vendor. I always work with the vendor when
they respond and understand now that Volano did attempt to respond.
I don't understand how Carel Neffenger can say "... obviously not a
security issue, and is a simple matter of directory and file permissions."
Normally files that are installed by a product are locked down or there is
a section in the documentation to cover a secure configuration.
The issue is now understood so admins can configure securely (currently
some are not).
Thanks!
KraZY-k
On Mon, 6 Nov 2000, Volano Support wrote:
> Hello Brad:
>
> The reply to this person's email is below.
>
> Also, as you can see, numerous attempts, from August 2-9, were made
> to send to this person's email address. However, each and every
> attempt returned a permanent fatal error with their email address.
>
> We reply promptly to all emails. However, we cannot assist when
> erroneous email addresses are provided. It is unfortunate that we
> were "threatened" by this person about "going public" with what is
> obviously not a security issue, and is a simple matter of directory
> and file permissions.
>
> If you are a member of this list, please notify others to use valid
> email addresses if they expect a response.
>
> Sincerely,
> Carel Neffenger
>
>
> >-----Original Message-----
> >From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of K,
> >KRazY
> >Sent: Sunday, November 05, 2000 9:54 AM
> >To: BUGTRAQ@SECURITYFOCUS.COM
> >Subject: Filesystem Access + VolanoChat = VChat admin (fwd)
> >
> >
> >Title: VolanoChatPro stores plain text password in a publicly accessible
> >file.
> >Date: November 4, 2000
> >Risk: Low. No system privileges are granted.
> >Vendor Site: http://www.volano.com
> >
> >
> >=================================================
> >VolanoChatPro, a widely used chat server on the Internet, allows anyone
> >with access to the filesystem to obtain chat server admin access.
> >
> >In the directory where VolanoChatPro is installed, there is a file named
> >"properties.txt". This file stores the config for the server, including
> >the value of server.password and admin.password. After install, the
> >permissions on this file are "-rw-r--r--".
> >
> >I contacted the vendor on August 2, 2000 and have gotten no response. I
> >think a workaround would be to change the permissions so that only the
> >owner can read the file. I asked the vendor if this would cause any other
> >problems or if the product would reset the permissions and got no
> >response. This is not addressed in documentation.
> >
> >I was saddened to see that the company lists many high profile customers
> >(Sun, Rational, AT&T Worldnet, Dept. of Energy, etc. See
> >http://www.volano.com/customers.html), but wouldn't respond to a security
> >email.
> >
> >
> >
> >.:Shout outs to:.
> > - /* Commander Crash */ -- Driver, pull over at the next cross-over.
> > - Scanman
>
>
>
>
> >Date: Wed, 9 Aug 2000 11:47:41 -0800
> >To: krazy-k@acadiacom.net
> >From: Volano Support <support@volano.com>
> >Subject: Fwd: Returned mail: Cannot send message within 5 days
> >
> >>Date: Wed, 9 Aug 2000 09:11:56 -0700
> >>From: Mail Delivery Subsystem <MAILER-DAEMON@server1.volano.com>
> >>To: <support@volano.com>
> >>Subject: Returned mail: Cannot send message within 5 days
> >>Auto-Submitted: auto-generated (failure)
> >>
> >>
> >>
> >>The original message was received at Fri, 4 Aug 2000 08:21:42 -0700
> >>from vp029.dds01.sea.blarg.net [206.124.137.29]
> >>
> >> ----- The following addresses had permanent fatal errors -----
> >><krazy-k@shell.acadiacom.net>
> >>
> >> ----- Transcript of session follows -----
> >><krazy-k@shell.acadiacom.net>... Deferred: Name server:
> >>shell.acadiacom.net.: host name lookup failure
> >>Message could not be delivered for 5 days
> >>Message will be deleted from queue
> >>
> >>Reporting-MTA: dns; server1.volano.com
> >>Arrival-Date: Fri, 4 Aug 2000 08:21:42 -0700
> >>
> >>Final-Recipient: RFC822; krazy-k@shell.acadiacom.net
> >>Action: failed
> >>Status: 4.4.7
> >>Remote-MTA: DNS; shell.acadiacom.net
> >>Last-Attempt-Date: Wed, 9 Aug 2000 09:11:56 -0700
> >>
> >>Return-Path: <support@volano.com>
> >>Received: from [216.225.114.67] (vp029.dds01.sea.blarg.net [206.124.137.29])
> >> by server1.volano.com (8.9.3/8.9.3) with ESMTP id IAA32229
> >> for <krazy-k@shell.acadiacom.net>; Fri, 4 Aug 2000 08:21:42 -0700
> >>Mime-Version: 1.0
> >>X-Sender: support@mail.volano.com (Unverified)
> >>Message-Id: <p04320409b5b08cf19c26@[216.225.114.67]>
> >>In-Reply-To: <Pine.LNX.3.96.1000803152202.10822A-100000@shell.acadiacom.net>
> >>References: <Pine.LNX.3.96.1000803152202.10822A-100000@shell.acadiacom.net>
> >>Date: Fri, 4 Aug 2000 08:09:55 -0700
> >>To: krazy-k@shell.acadiacom.net
> >>From: Volano Support <support@volano.com>
> >>Subject: Re: Security: Telnet + VChat = VChat admin (fwd)
> >>Content-Type: text/plain; charset="us-ascii" ; format="flowed"
> >>
> >>Hello:
> >>
> >>The email address you supply is being returned as undeliverable.
> >>Below is a forward of my email from Wednesday.
> >>
> >>>Date: Wed, 2 Aug 2000 10:07:42 -0700
> >>>To: krazy-k@shell.acadiacom.net
> >>>From: Volano Support <support@volano.com>
> >>>Subject: Re: Security: Telnet + VChat = VChat admin
> >>>
> >>>>Hi. I took a quick look at your VolanoChatPro product. I noticed that
> >>>>your product sets the file properties.txt with the following permissions,
> >>>>"-rw-r--r--". Since this file is readable by anyone, it is possible for
> >>>>anyone with filesystem access to read the file and obtain the value of
> >>>>server.password and admin.password. Once someone has these, obviously bad
> >>>>things can happen.
> >>>>
> >>>>I didn't see this issue addressed in online documentation.
> >>>>
> >>>>Are there any plans to fix this? If I manually set the permissions, will
> >>>>your product change the permission back to "-rw-r--r--" or can I rely on
> >>>>the permissions staying the same?
> >>>>
> >>>>Thanks.
> >>>
> >>>If you're running on a multi-user system where others have login
> >>>accounts, then of course, you should change the permissions so
> >>>that other users can't read the file. The VolanoChat server will
> >>>leave the permissions as you define them.
> >>>
> >>>For example, you could set it to:
> >>> chmod 600 properties.txt
> >>>
> >>>That will set it so only the userid under which you installed and
> >>>start the VolanoChat server can read the file.
> >>>
> >>>Also, make sure that the files are not publicly available under
> >>>your web server directories.
> >>>
> >>>Sincerely,
> >>>Carel Neffenger
> >>
> >>
> >>
> >>>I have heard no response from you.
> >>>
> >>>I will go public in 2 weeks.
> >>>
> >>>---------- Forwarded message ----------
> >>>Date: Wed, 2 Aug 2000 07:32:38 -0500 (CDT)
> >>>From: krazy-k@shell.acadiacom.net
> >>>To: support@volano.com
> >>>Cc: security@volano.com
> >>>Subject: Security: Telnet + VChat = VChat admin
> >>>
> >>>Hi. I took a quick look at your VolanoChatPro product. I noticed that
> >>>your product sets the file properties.txt with the following permissions,
> >>>"-rw-r--r--". Since this file is readable by anyone, it is possible for
> >>>anyone with filesystem access to read the file and obtain the value of
> >>>server.password and admin.password. Once someone has these, obviously bad
> >>>things can happen.
> >>>
> >>>I didn't see this issue addressed in online documentation.
> >>>
> >>>Are there any plans to fix this? If I manually set the permissions, will
> >>>your product change the permission back to "-rw-r--r--" or can I rely on
> >>>the permissions staying the same?
> >>>
> >>>Thanks.
> >>
> >>--
> >>------------------------------------------------------------------
> >>Volano LLC
> >>331 Andover Park East, #240, Seattle, WA 98188-7601
> >>tel (206) 575-9129
> >>fax (909) 498-9986
> >>mailto:support@volano.com
> >>
> >>Volano LLC Home Page
> >> http://www.volano.com/
> >>
> >>Volano Chat Administrator Guides:
> >> http://www.volano.com/documentation.html
>
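The check and fix discussed in this thread (a world-readable properties.txt holding server.password and admin.password, corrected with chmod 600, plus the vendor's warning about keeping the file out of the web server's document tree), written up as an added example. This is not Volano's code and not from the original posts; the sample properties.txt content, the temp directory and the web-root path are constructed for the demo. The key pattern in secret_keys goes slightly beyond the advisory: it reports any *.password key, not only the two named there.

```sh
#!/bin/sh
# Added example (not Volano's code): audit a VolanoChat-style properties.txt
# for the post-install default the advisory reports (-rw-r--r--) and apply
# the fix the vendor reply recommends (chmod 600). File paths and the
# web-root location below are assumptions for the demo.

# Print the 10-character symbolic mode of a file, e.g. -rw-r--r--, using
# POSIX ls so the check behaves the same on Linux and BSD.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed (exit 0) when the group-read or other-read bit is set. In the mode
# string the 5th character is group read and the 8th is other read.
is_exposed() {
    case "$(mode_of "$1")" in
        ????r*|???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# List the property keys whose value is a credential. The advisory names
# server.password and admin.password; this pattern also catches any other
# *.password key an administrator may have added.
secret_keys() {
    grep -E '^[A-Za-z0-9_.]*password[A-Za-z0-9_.]*=' "$1" | cut -d= -f1
}

# Succeed when the file lives below the given web root (the second point in
# the vendor reply), comparing canonical directories so symlinks do not
# hide the exposure.
under_webroot() {
    f=$(cd "$(dirname "$1")" && pwd -P)/$(basename "$1")
    w=$(cd "$2" && pwd -P)
    case "$f" in
        "$w"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Restrict the file to its owner if it is exposed and report what changed.
harden() {
    if is_exposed "$1"; then
        before=$(mode_of "$1")
        chmod 600 "$1"
        echo "$1: $before -> $(mode_of "$1")"
    else
        echo "$1: already owner-only ($(mode_of "$1"))"
    fi
}

# Demo on a constructed properties.txt in a temp directory (sample content,
# not a real VolanoChat configuration).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/properties.txt"
printf '%s\n' 'server.host=chat.example.com' 'server.password=s3cret' \
    'admin.password=letmein' 'room.limit=50' > "$demo_file"
chmod 644 "$demo_file"    # the post-install default the advisory reports

echo "before: $(mode_of "$demo_file")"
secret_keys "$demo_file" | sed 's/^/credential key: /'
harden "$demo_file"
if under_webroot "$demo_file" "$demo_dir"; then
    echo "warning: $demo_file is inside the assumed web root $demo_dir"
fi
```

Run it against a real install by pointing harden and under_webroot at the server's properties.txt and the web server's document root; the vendor reply states the VolanoChat server leaves the permissions as you set them, so the chmod 600 survives restarts, but the script is cheap enough to re-run after every upgrade to confirm that.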