Scenario of a remote compromise via IRCXpro cleartext passwords.

System: NT / Win2k
Small LAN topology:
System A = webserver
System B = ircd
System A is connected to net running bigsite.com
System A is compromised with a low-level password / user allowing file read access
Attacker uses LAN to read cleartext passwords in settings.ini
ALL ACCOUNTS NOW COMPROMISED.

need there be more?

as an addendum
If you previously used IRCXplus ( little brother ) old passwords are stored at
HKEY_USERS\*\Software\VB and VBA Program Settings\IRCplus\Remote

there is no excuse for a plaintext password in an .ini file period.
Any computer with multiple users is vulnerable to password discovery and disclosure.

hint - hash yer pass

Donnie Werner
http://exploitlabs.com

----- Original Message -----
From: "IRCXpro Support" <supportat_private>
To: "Darren Reed" <avalonat_private>
Cc: "morning_wood" <se_cur_ityat_private>; <bugtraqat_private>; <full-disclosureat_private>
Sent: Tuesday, June 03, 2003 8:31 AM
Subject: Re: [Full-Disclosure] Re: IRCXpro 1.0 - Clear local and default remote admin passwords

> Reply to Feedback from Darren:
>
> > Firstly, there has been support for storing passwords, encrypted, in
> > configuration files on Unix for over 10 years, if not longer. I can
>
> The reason why IRC servers "IRCD.config" files don't use encryption (see
> file attachment for example) is because 49 times out of 50 they do not come
> with a GUI program. Administrators' main method of changing the
> configuration is to manually edit the file using a notepad utility.
>
> > at leisure. Windows, Linux, it does not matter, there are security
> > threats to all environments that when exploited given outsiders some
> > sort of "local access".
>
> Then in this case this would be an operating system vulnerability.
>
> Overuse in the use of encrypted passwords can be counter productive to
> functionality.
> There are good reasons to keep passwords clear text passwords to better
> interface with other software.
> For example Merak Mail server software
> (http://www.icewarp.com/Products/Merak_Email_Server_Software/)
> When using this mail server, it can store the accounts on an SQL Server.
> The passwords are stored clear text. This enables other software to
> interface with its data to create and sync its accounts/passwords with other
> systems.
>
> However we will give the issue raised due attention in our next version
> release and appreciate everybody's efforts & feedback to further improving
> our product.
>
> Regards,
> IRCXpro Support
>
>
> ----- Original Message -----
> From: "Darren Reed" <avalonat_private>
> To: "IRCXpro Support" <supportat_private>
> Cc: "morning_wood" <se_cur_ityat_private>; <bugtraqat_private>;
> <full-disclosureat_private>
> Sent: Tuesday, June 03, 2003 3:10 PM
> Subject: Re: [Full-Disclosure] Re: IRCXpro 1.0 - Clear local and default
> remote admin passwords
>
>
> > In some mail from IRCXpro Support, sie said:
> > >
> > > Vulnerability(s):
> > > 1. Local clear passwords
> > >
> > > Our Reply: It is common place for all IRC Server applications to store
> > > clear passwords in the IRCD.config files. The nature of the program is
> > > for it to be used by Remote Users, NOT local ones.
> >
> > There are a couple of extremely bad comments in these two sentences,
> > let us dwell on it for a moment or two.
> >
> > Firstly, there has been support for storing passwords, encrypted, in
> > configuration files on Unix for over 10 years, if not longer. I can
> > go pull out some source code of that vintage with support for using
> > crypt() to validate passwords if you're in doubt.
> >
> > Now, be that as it may, you've made a somewhat fatal assumption in
> > your justification - that the remote users will never have any other
> > access to the server that would let them browse the configuration
> > at leisure. Windows, Linux, it does not matter, there are security
> > threats to all environments that when exploited given outsiders some
> > sort of "local access".
> >
> > I find it somewhat disturbing to see development of inferior security
> > standards in products based on the supposition that nobody practises
> > good security with the various IRC server passwords.
> >
> > Darren
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
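The remedy the thread keeps circling back to is to keep only a salted one-way hash in the config file, so that a file-read on settings.ini no longer yields a usable credential. The following is an added example, not IRCXpro's code: it builds a constructed settings.ini with a legacy cleartext `Password=` key beside a hashed `PasswordHash=` key, an audit check that flags cleartext entries, and login-time verification against the hash (section and key names, the PBKDF2 format and the sample password are all assumptions).

```python
import configparser
import hashlib
import hmac
import os
from typing import List, Optional

ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware allows

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce 'pbkdf2_sha256$iters$salt_hex$digest_hex' for storage in the .ini."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt, digest, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iters)
    except ValueError:
        return False  # malformed or legacy cleartext entry never verifies
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)

# Constructed sample settings.ini: [Admin] is the weak form the thread complains
# about, [RemoteAdmin] the corrected form. Fixed salt only so the sample is stable.
SAMPLE_INI = f"""
[Admin]
; reading this file yields the credential itself
Password = hunter2

[RemoteAdmin]
; reading this file yields only a salted hash
PasswordHash = {hash_password('hunter2', salt=bytes(16))}
"""

def find_cleartext_password_keys(ini_text: str) -> List[str]:
    """Audit check: password-like keys whose value is not in the hash format above."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return [f"{section}.{key}" for section in cfg.sections()
            for key, value in cfg.items(section)
            if "pass" in key.lower() and not value.startswith("pbkdf2_sha256$")]

def load_and_verify(ini_text: str, section: str, supplied: str) -> bool:
    """What the server should do at login: compare against the stored hash only."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return verify_password(supplied, cfg[section].get("PasswordHash", ""))
```

Run `find_cleartext_password_keys` over a real settings.ini to list the entries that would still hand an attacker with file-read access a working password.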
This archive was generated by hypermail 2b30 : Tue Jun 03 2003 - 11:29:18 PDT