Subject: Re: FW: Filesystem Access + VolanoChat = VChat admin (fwd)
From: Volano Support (support@VOLANO.COM)
Date: Mon Nov 06 2000 - 13:04:54 CST


Hello Brad:

The reply to this person's email is below.

Also, as you can see, numerous attempts, from August 2-9, were made
to send to this person's email address. However, each and every
attempt returned a permanent fatal error with their email address.

We reply promptly to all emails. However, we cannot assist when
erroneous email addresses are provided. It is unfortunate that we
were "threatened" by this person about "going public" with what is
obviously not a security issue, and is a simple matter of directory
and file permissions.

If you are a member of this list, please notify others to use valid
email addresses if they expect a response.

Sincerely,
Carel Neffenger

>-----Original Message-----
>From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of K,
>KRazY
>Sent: Sunday, November 05, 2000 9:54 AM
>To: BUGTRAQ@SECURITYFOCUS.COM
>Subject: Filesystem Access + VolanoChat = VChat admin (fwd)
>
>
>Title: VolanoChatPro stores plain text password in a publicly accessible
>file.
>Date: November 4, 2000
>Risk: Low. No system privileges are granted.
>Vendor Site: http://www.volano.com
>
>
>=================================================
>VolanoChatPro, a widely used chat server on the Internet, allows anyone
>with access to the filesystem to obtain chat server admin access.
>
>In the directory where VolanoChatPro is installed, there is a file named
>"properties.txt". This file stores the config for the server, including
>the value of server.password and admin.password. After install, the
>permissions on this file are "-rw-r--r--".
>
>I contacted the vendor on August 2, 2000 and have gotten no response. I
>think a workaround would be to change the permissions so that only the
>owner can read the file. I asked the vendor if this would cause any other
>problems or if the product would reset the permissions and got no
>response. This is not addressed in documentation.
>
>I was saddened to see that the company lists many high profile customers
>(Sun, Rational, AT&T Worldnet, Dept. of Energy, etc. See
>http://www.volano.com/customers.html), but wouldn't respond to a security
>email.
>
>
>
>.:Shout outs to:.
> - /* Commander Crash */ -- Driver, pull over at the next cross-over.
> - Scanman

>Date: Wed, 9 Aug 2000 11:47:41 -0800
>To: krazy-k@acadiacom.net
>From: Volano Support <support@volano.com>
>Subject: Fwd: Returned mail: Cannot send message within 5 days
>Cc:
>Bcc:
>X-Attachments:
>
>>Date: Wed, 9 Aug 2000 09:11:56 -0700
>>From: Mail Delivery Subsystem <MAILER-DAEMON@server1.volano.com>
>>To: <support@volano.com>
>>Subject: Returned mail: Cannot send message within 5 days
>>Auto-Submitted: auto-generated (failure)
>>
>>
>>
>>The original message was received at Fri, 4 Aug 2000 08:21:42 -0700
>>from vp029.dds01.sea.blarg.net [206.124.137.29]
>>
>> ----- The following addresses had permanent fatal errors -----
>><krazy-k@shell.acadiacom.net>
>>
>> ----- Transcript of session follows -----
>><krazy-k@shell.acadiacom.net>... Deferred: Name server:
>>shell.acadiacom.net.: host name lookup failure
>>Message could not be delivered for 5 days
>>Message will be deleted from queue
>>
>>Reporting-MTA: dns; server1.volano.com
>>Arrival-Date: Fri, 4 Aug 2000 08:21:42 -0700
>>
>>Final-Recipient: RFC822; krazy-k@shell.acadiacom.net
>>Action: failed
>>Status: 4.4.7
>>Remote-MTA: DNS; shell.acadiacom.net
>>Last-Attempt-Date: Wed, 9 Aug 2000 09:11:56 -0700
>>
>>Return-Path: <support@volano.com>
>>Received: from [216.225.114.67] (vp029.dds01.sea.blarg.net [206.124.137.29])
>> by server1.volano.com (8.9.3/8.9.3) with ESMTP id IAA32229
>> for <krazy-k@shell.acadiacom.net>; Fri, 4 Aug 2000 08:21:42 -0700
>>Mime-Version: 1.0
>>X-Sender: support@mail.volano.com (Unverified)
>>Message-Id: <p04320409b5b08cf19c26@[216.225.114.67]>
>>In-Reply-To:
>> <Pine.LNX.3.96.1000803152202.10822A-100000@shell.acadiacom.net>
>>References: <Pine.LNX.3.96.1000803152202.10822A-100000@shell.acadiacom.net>
>>Date: Fri, 4 Aug 2000 08:09:55 -0700
>>To: krazy-k@shell.acadiacom.net
>>From: Volano Support <support@volano.com>
>>Subject: Re: Security: Telnet + VChat = VChat admin (fwd)
>>Content-Type: text/plain; charset="us-ascii" ; format="flowed"
>>
>>Hello:
>>
>>The email address you supply is being returned as undeliverable.
>>Below is a forward of my email from Wednesday.
>>
>>>Date: Wed, 2 Aug 2000 10:07:42 -0700
>>>To: krazy-k@shell.acadiacom.net
>>>From: Volano Support <support@volano.com>
>>>Subject: Re: Security: Telnet + VChat = VChat admin
>>>Cc:
>>>Bcc:
>>>X-Attachments:
>>>
>>>>Hi. I took a quick look at your VolanoChatPro product. I noticed that
>>>>your product sets the file properties.txt with the following permissions,
>>>>"-rw-r--r--". Since this file is readable by anyone, it is possible for
>>>>anyone with filesystem access to read the file and obtain the value of
>>>>server.password and admin.password. Once someone has these, obviously bad
>>>>things can happen.
>>>>
>>>>I didn't see this issue addressed in online documentation.
>>>>
>>>>Are there any plans to fix this? If I manually set the permissions, will
>>>>your product change the permission back to "-rw-r--r--" or can I rely on
>>>>the permissions staying the same?
>>>>
>>>>Thanks.
>>>
>>>If you're running on a multi-user system where others have login
>>>accounts, then of course, you should change the permissions so
>>>that other users can't read the file. The VolanoChat server will
>>>leave the permissions as you define them.
>>>
>>>For example, you could set it to:
>>> chmod 600 properties.txt
>>>
>>>That will set it so only the userid under which you installed and
>>>start the VolanoChat server can read the file.
>>>
>>>Also, make sure that the files are not publicly available under
>>>your web server directories.
>>>
>>>Sincerely,
>>>Carel Neffenger
>>
>>
>>
>>>I have heard no response from you.
>>>
>>>I will go public in 2 weeks.
>>>
>>>---------- Forwarded message ----------
>>>Date: Wed, 2 Aug 2000 07:32:38 -0500 (CDT)
>>>From: krazy-k@shell.acadiacom.net
>>>To: support@volano.com
>>>Cc: security@volano.com
>>>Subject: Security: Telnet + VChat = VChat admin
>>>
>>>Hi. I took a quick look at your VolanoChatPro product. I noticed that
>>>your product sets the file properties.txt with the following permissions,
>>>"-rw-r--r--". Since this file is readable by anyone, it is possible for
>>>anyone with filesystem access to read the file and obtain the value of
>>>server.password and admin.password. Once someone has these, obviously bad
>>>things can happen.
>>>
>>>I didn't see this issue addressed in online documentation.
>>>
>>>Are there any plans to fix this? If I manually set the permissions, will
>>>your product change the permission back to "-rw-r--r--" or can I rely on
>>>the permissions staying the same?
>>>
>>>Thanks.
>>
>>--
>>------------------------------------------------------------------
>>Volano LLC
>>331 Andover Park East, #240, Seattle, WA 98188-7601
>>tel (206) 575-9129
>>fax (909) 498-9986
>>mailto:support@volano.com
>>
>>Volano LLC Home Page
>> http://www.volano.com/
>>
>>Volano Chat Administrator Guides:
>> http://www.volano.com/documentation.html

--
--------------------------------------------------------
Volano LLC
331 Andover Park East, #240, Seattle, WA 98188-7601
tel (206) 575-9129 -- fax (909) 498-9986
mailto:support@volano.com

Volano LLC Home Page http://www.volano.com/

Volano Chat Administrator Guides: http://www.volano.com/documentation.html
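The thread above reduces to a permissions check: properties.txt holds server.password and admin.password in clear text and is installed as -rw-r--r--, and the vendor's answer is chmod 600. The script below is an added example, not code from Volano or from the original post. It builds a constructed install directory with a sample properties.txt, reports whether the file is readable by group or other, lists which password keys that exposes (without printing the values), applies chmod 600 and verifies the result. It assumes a POSIX sh with ls(1), cut(1), grep(1) and mktemp(1); the mode string is parsed from ls -ld rather than stat(1) so it works across Linux and BSD.

```shell
#!/bin/sh
# Added example, not code from Volano or from the original post: check whether
# a VolanoChat properties.txt is readable by group/other, show which secrets
# that exposes, restrict it to the owner (chmod 600, the vendor's suggestion)
# and verify. The install directory and file contents are constructed here.

# Symbolic mode string of a file, e.g. "-rw-r--r--", parsed from ls(1) so
# the check does not depend on a particular stat(1) dialect.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds (exit 0) only when neither group nor other has the read bit,
# i.e. character 5 and character 8 of the mode string are both "-".
owner_only_readable() {
    mode=$(file_mode "$1")
    [ "$(printf '%s' "$mode" | cut -c5)" = "-" ] &&
    [ "$(printf '%s' "$mode" | cut -c8)" = "-" ]
}

# Names of the password keys stored in clear text in the file (the values
# are deliberately not printed).
leaked_keys() {
    grep -E '^(server|admin)\.password=' "$1" | cut -d= -f1
}

# Restrict the file to its owner and confirm the result.
harden() {
    chmod 600 "$1" && owner_only_readable "$1"
}

# Constructed stand-in for the install directory: a properties.txt with the
# two password keys, left at the as-installed mode 644 from the report.
make_sample_install() {
    dir=$(mktemp -d)
    cat > "$dir/properties.txt" <<'EOF'
server.password=changeme
admin.password=alsochangeme
EOF
    chmod 644 "$dir/properties.txt"
    printf '%s\n' "$dir/properties.txt"
}

# Demonstration run on the constructed install.
f=$(make_sample_install)
echo "before: $(file_mode "$f")"
owner_only_readable "$f" || echo "readable by other users; exposes: $(leaked_keys "$f" | tr '\n' ' ')"
harden "$f" && echo "after:  $(file_mode "$f")"
rm -rf "$(dirname "$f")"
```

Run it against a real install by replacing the constructed path with the server's properties.txt; because the vendor states the server leaves permissions as you set them, the chmod 600 result should persist across restarts, and the check can be re-run as a periodic audit. The vendor's second point, that the install directory must not sit under a web server document root, is a separate exposure that no file mode protects against, since the web server process reads the file as its own user.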