Date: Wed, 10 Jan 2001 16:58:03 -0800
From: David Schwartz <davids@WEBMASTER.COM>
Subject: Re: Vulnerable: Conference Room Professional-Developer Edititon.
To: BUGTRAQ@SECURITYFOCUS.COM

> Conference Room 1.8.1x or older versions are subject to a DoS attack when
> following commands are used.

[snip]

This attack only seems to work on the WIN32 version of ConferenceRoom and is fixed in version 1.8.2 and later. It should also be noted that versions of ConferenceRoom prior to 1.8.1 are not vulnerable since these commands don't exist. Also, installations of ConferenceRoom that don't use the network services module aren't vulnerable.

We advise all customers using releases of ConferenceRoom prior to 1.8.2a to upgrade to 1.8.2a for a variety of reasons. This upgrade is free to all customers and is available for download from http://www.webmaster.com/update.shtml

> If your irc server using Conference Room 1.8.2x
> "/ns buddy on" can't run, cuz professional edt. can't support
> "buddy" command.
> Register it one channel, and type it commands "/ns set authorize
> chanlists on",
> "/cs aop <#ChannelName> add <NickName>", "/ns auth accept 1".
> and the services crashes.

I spoke to the services team, and they did receive a report alleging a crash scenario similar to this one. To date, they have been unable to replicate it.

I attempted to replicate the scenario above, as did several of our testers on a variety of versions (1.8.2, 1.8.2a and 1.8.2b) and on a variety of platforms (WIN32, Linux, and Solaris). None of us has been able to replicate this problem using the procedure described above.

Inspection of the code involved in the 'ns auth accept' command handler did not reveal any suspicious code. In addition, this code functions identically in the Enterprise and Professional Editions, so it's hard to understand how such an exploit would work on one and not on the other.

If anybody believes they can replicate this vulnerability and would like to attempt it on a test server, please contact me at <davids@webmaster.com>. If any customers are experiencing problems, please contact customer support <support@webmaster.com>. We can easily provide a version of services with these commands removed.

> Only a "/servstart" issued by an ircop or admin will return the
> services to
> normal functionality and connect to server.

The services subsystem can be configured for automatic restart. If automatic restart is enabled, there is no need for a "/servstart" to restore the lost functionality. The automatic restart functions identically to the "servstart" command. We have confirmed that automatic restart functions as expected with the exploit in 1.8.1.

It should also be explicitly noted that events in progress are not disrupted by services interruptions. Only the registration and management features provided by the services subsystem are affected.

Customers with concerns about this vulnerability or who would like assistance with the upgrade process should contact WebMaster's technical support at <support@webmaster.com>.

David Schwartz
CTO
WebMaster, Incorporated