Date: Tue, 7 Nov 2000 08:56:08 -0600
From: "K, KRazY" <krazy-k@SHELL.ACADIACOM.NET>
Subject: Re: FW: Filesystem Access + VolanoChat = VChat admin (fwd)
To: BUGTRAQ@SECURITYFOCUS.COM

I would like to apologize for the misunderstanding between myself and
Volano LLC. I don't understand what happened to the network that prevented
me from receiving their email. I used a real address that I receive tons of
mail to everyday. I was unaware of any network problem on the days that the
vendor attempted to contact me.

I am in no way attempting to "threaten" the vendor. I always work with the
vendor when they respond and understand now that Volano did attempt to
respond.

I don't understand how Carel Neffenger can say "... obviously not a security
issue, and is a simple matter of directory and file permissions." Normally
files that are installed by a product are locked down or there is a section
in the documentation to cover a secure configuration. The issue is now
understood so admins can configure securely (currently some are not).

Thanks!
KraZY-k

On Mon, 6 Nov 2000, Volano Support wrote:

> Hello Brad:
>
> The reply to this person's email is below.
>
> Also, as you can see, numerous attempts, from August 2-9, were made
> to send to this person's email address. However, each and every
> attempt returned a permanent fatal error with their email address.
>
> We reply promptly to all emails. However, we cannot assist when
> erroneous email addresses are provided. It is unfortunate that we
> were "threatened" by this person about "going public" with what is
> obviously not a security issue, and is a simple matter of directory
> and file permissions.
>
> If you are a member of this list, please notify others to use valid
> email addresses if they expect a response.
>
> Sincerely,
> Carel Neffenger
>
>
> >-----Original Message-----
> >From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of K,
> >KRazY
> >Sent: Sunday, November 05, 2000 9:54 AM
> >To: BUGTRAQ@SECURITYFOCUS.COM
> >Subject: Filesystem Access + VolanoChat = VChat admin (fwd)
> >
> >
> >
> >Title: VolanoChatPro stores plain text password in a publicly accessible
> >file.
> >Date: November 4, 2000
> >Risk: Low. No system privileges are granted.
> >Vendor Site: http://www.volano.com
> >
> >
> >
> >=================================================
> >VolanoChatPro, a widely used chat server on the Internet, allows anyone
> >with access to the filesystem to obtain chat server admin access.
> >
> >In the directory where VolanoChatPro is installed, there is a file named
> >"properties.txt". This file stores the config for the server, including
> >the value of server.password and admin.password. After install, the
> >permissions on this file are "-rw-r--r--".
> >
> >I contacted the vendor on August 2, 2000 and have gotten no response. I
> >think a workaround would be to change the permissions so that only the
> >owner can read the file. I asked the vendor if this would cause any other
> >problems or if the product would reset the permissions and got no
> >response. This is not addressed in documentation.
> >
> >I was saddened to see that the company lists many high profile customers
> >(Sun, Rational, AT&T Worldnet, Dept. of Energy, etc. See
> >http://www.volano.com/customers.html), but wouldn't respond to a security
> >email.
> >
> >
> >
> >.:Shout outs to:.
> > - /* Commander Crash */ -- Driver, pull over at the next cross-over.
> > - Scanman
> >
> >
> >
> >Date: Wed, 9 Aug 2000 11:47:41 -0800
> >To: krazy-k@acadiacom.net
> >From: Volano Support <support@volano.com>
> >Subject: Fwd: Returned mail: Cannot send message within 5 days
> >Cc:
> >Bcc:
> >X-Attachments:
> >
> >>Date: Wed, 9 Aug 2000 09:11:56 -0700
> >>From: Mail Delivery Subsystem <MAILER-DAEMON@server1.volano.com>
> >>To: <support@volano.com>
> >>Subject: Returned mail: Cannot send message within 5 days
> >>Auto-Submitted: auto-generated (failure)
> >>
> >>
> >>
> >>The original message was received at Fri, 4 Aug 2000 08:21:42 -0700
> >>from vp029.dds01.sea.blarg.net [206.124.137.29]
> >>
> >>   ----- The following addresses had permanent fatal errors -----
> >><krazy-k@shell.acadiacom.net>
> >>
> >>   ----- Transcript of session follows -----
> >><krazy-k@shell.acadiacom.net>... Deferred: Name server:
> >>shell.acadiacom.net.: host name lookup failure
> >>Message could not be delivered for 5 days
> >>Message will be deleted from queue
> >>
> >>Reporting-MTA: dns; server1.volano.com
> >>Arrival-Date: Fri, 4 Aug 2000 08:21:42 -0700
> >>
> >>Final-Recipient: RFC822; krazy-k@shell.acadiacom.net
> >>Action: failed
> >>Status: 4.4.7
> >>Remote-MTA: DNS; shell.acadiacom.net
> >>Last-Attempt-Date: Wed, 9 Aug 2000 09:11:56 -0700
> >>
> >>Return-Path: <support@volano.com>
> >>Received: from [216.225.114.67] (vp029.dds01.sea.blarg.net [206.124.137.29])
> >>  by server1.volano.com (8.9.3/8.9.3) with ESMTP id IAA32229
> >>  for <krazy-k@shell.acadiacom.net>; Fri, 4 Aug 2000 08:21:42 -0700
> >>Mime-Version: 1.0
> >>X-Sender: support@mail.volano.com (Unverified)
> >>Message-Id: <p04320409b5b08cf19c26@[216.225.114.67]>
> >>In-Reply-To:
> >> <Pine.LNX.3.96.1000803152202.10822A-100000@shell.acadiacom.net>
> >>References: <Pine.LNX.3.96.1000803152202.10822A-100000@shell.acadiacom.net>
> >>Date: Fri, 4 Aug 2000 08:09:55 -0700
> >>To: krazy-k@shell.acadiacom.net
> >>From: Volano Support <support@volano.com>
> >>Subject: Re: Security: Telnet + VChat = VChat admin (fwd)
> >>Content-Type: text/plain; charset="us-ascii" ; format="flowed"
> >>
> >>Hello:
> >>
> >>The email address you supply is being returned as undeliverable.
> >>Below is a forward of my email from Wednesday.
> >>
> >>>Date: Wed, 2 Aug 2000 10:07:42 -0700
> >>>To: krazy-k@shell.acadiacom.net
> >>>From: Volano Support <support@volano.com>
> >>>Subject: Re: Security: Telnet + VChat = VChat admin
> >>>Cc:
> >>>Bcc:
> >>>X-Attachments:
> >>>
> >>>>Hi. I took a quick look at your VolanoChatPro product. I noticed that
> >>>>your product sets the file properties.txt with the following permissions,
> >>>>"-rw-r--r--". Since this file is readable by anyone, it is possible for
> >>>>anyone with filesystem access to read the file and obtain the value of
> >>>>server.password and admin.password. Once someone has these, obviously bad
> >>>>things can happen.
> >>>>
> >>>>I didn't see this issue addressed in online documentation.
> >>>>
> >>>>Are there any plans to fix this? If I manually set the permissions, will
> >>>>your product change the permission back to "-rw-r--r--" or can I rely on
> >>>>the permissions staying the same?
> >>>>
> >>>>Thanks.
> >>>
> >>>If you're running on a multi-user system where others have login
> >>>accounts, then of course, you should change the permissions so
> >>>that other users can't read the file. The VolanoChat server will
> >>>leave the permissions as you define them.
> >>>
> >>>For example, you could set it to:
> >>>  chmod 600 properties.txt
> >>>
> >>>That will set it so only the userid under which you installed and
> >>>start the VolanoChat server can read the file.
> >>>
> >>>Also, make sure that the files are not publicly available under
> >>>your web server directories.
> >>>
> >>>Sincerely,
> >>>Carel Neffenger
> >>
> >>
> >>
> >>>I have heard no response from you.
> >>>
> >>>I will go public in 2 weeks.
> >>>
> >>>---------- Forwarded message ----------
> >>>Date: Wed, 2 Aug 2000 07:32:38 -0500 (CDT)
> >>>From: krazy-k@shell.acadiacom.net
> >>>To: support@volano.com
> >>>Cc: security@volano.com
> >>>Subject: Security: Telnet + VChat = VChat admin
> >>>
> >>>Hi. I took a quick look at your VolanoChatPro product. I noticed that
> >>>your product sets the file properties.txt with the following permissions,
> >>>"-rw-r--r--". Since this file is readable by anyone, it is possible for
> >>>anyone with filesystem access to read the file and obtain the value of
> >>>server.password and admin.password. Once someone has these, obviously bad
> >>>things can happen.
> >>>
> >>>I didn't see this issue addressed in online documentation.
> >>>
> >>>Are there any plans to fix this? If I manually set the permissions, will
> >>>your product change the permission back to "-rw-r--r--" or can I rely on
> >>>the permissions staying the same?
> >>>
> >>>Thanks.
> >>
> >>--
> >>------------------------------------------------------------------
> >>Volano LLC
> >>331 Andover Park East, #240, Seattle, WA 98188-7601
> >>tel (206) 575-9129
> >>fax (909) 498-9986
> >>mailto:support@volano.com
> >>
> >>Volano LLC Home Page
> >>  http://www.volano.com/
> >>
> >>Volano Chat Administrator Guides:
> >>  http://www.volano.com/documentation.html
>
> --
> --------------------------------------------------------
> Volano LLC
> 331 Andover Park East, #240, Seattle, WA 98188-7601
> tel (206) 575-9129 -- fax (909) 498-9986
> mailto:support@volano.com
>
> Volano LLC Home Page
> http://www.volano.com/
>
> Volano Chat Administrator Guides:
> http://www.volano.com/documentation.html
>
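The whole thread turns on one configuration check: whether a properties.txt that holds server.password and admin.password is readable by anyone other than the account that runs the chat server, and the chmod 600 workaround the vendor reply gives. The following POSIX shell script is an added example written for this page; it is not code from the original posting or from Volano LLC. It audits a properties file for group/other read bits and for the two password keys named in the advisory, and with -f tightens the file to mode 600. The file name and key names come from the advisory; the helper names, the sample file contents and the server.host value are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original posting or from Volano LLC): audit a
# VolanoChat-style properties.txt for group/other read access and for the
# password keys the advisory names, and optionally tighten it to mode 600
# as the vendor reply suggests. Helper names and sample contents are
# constructed for this example.
set -u

# Print a file's permission bits in octal (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed (exit 0) if the group or other read bit is set on the file.
is_readable_by_others() {
    [ -n "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]
}

# Count the secret-bearing keys the advisory names (server.password,
# admin.password) in a properties file.
count_secret_keys() {
    grep -c -E '^(server|admin)\.password=' "$1"
}

# Audit one properties file. Returns 0 when only the owner can read it
# (or when -f was given and the mode was just tightened to 600), 1 otherwise.
audit_properties() {
    file=$1
    fix=${2:-}
    secrets=$(count_secret_keys "$file")
    if is_readable_by_others "$file"; then
        printf 'WARN: %s (mode %s) is readable by group/others and holds %s password key(s)\n' \
            "$file" "$(file_mode "$file")" "$secrets"
        if [ "$fix" = "-f" ]; then
            chmod 600 "$file"      # the workaround from the vendor reply
            printf 'FIXED: %s is now mode %s\n' "$file" "$(file_mode "$file")"
            return 0
        fi
        return 1
    fi
    printf 'OK: %s (mode %s) is owner-only\n' "$file" "$(file_mode "$file")"
    return 0
}

# Build a constructed sample file with the default mode the advisory reports
# (-rw-r--r--, i.e. 644) and print its path.
make_sample_properties() {
    sample_dir=$(mktemp -d)
    sample_file="$sample_dir/properties.txt"
    printf '%s\n' 'server.host=chat.example.invalid' \
                  'server.password=CONSTRUCTED-SERVER-SECRET' \
                  'admin.password=CONSTRUCTED-ADMIN-SECRET' > "$sample_file"
    chmod 644 "$sample_file"
    printf '%s\n' "$sample_file"
}

# Usage: sh audit_properties.sh [/path/to/properties.txt [-f]]
# With no arguments, run the check against the constructed sample instead.
if [ $# -eq 0 ]; then
    sample=$(make_sample_properties)
    audit_properties "$sample" || true   # reports WARN on the 644 default
    audit_properties "$sample" -f        # tightens to 600 and reports FIXED
    audit_properties "$sample"           # now reports OK
    rm -rf "$(dirname "$sample")"
else
    audit_properties "$@"
fi
```

The check looks at permission bits rather than at whether the current user can open the file, so it gives the same answer when run as root or as the service account; that matters because the advisory's exposure is to other local accounts, not to the account that installed the server. The vendor's note that the files must also not sit under a web server document root is a separate check this script does not perform.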