Full Disclosure: Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords

["morning_wood" <se_cur_ity () hotmail com>]

Scenario of a remote compromise via IRCXpro cleartext passwords.

System: NT / Win2k
Small Lan Toploogy

System A. = webserver
System B = ircd

System A is connected to net running bigsite.com
System A is compromized with a lowlevel password / user alowing file read
access
Attacker uses lan to read cleartext passwords in settings.ini
ALL ACCOUNTS NOW COMPROMIZED.

need there be more?
as an addendun
If you previously used IRCXplus ( little brother ) old passwords are stored
at
HKEY_USERS\*\Software\VB and VBA Program Settings\IRCplus\Remote

there is no excuse for a plaintext passsword in an .ini file period. Any
computer with multiple users is vunerable to password discovery and
disclosure. hint - hash yer pass

Donnie Werner
http://exploitlabs.com



----- Original Message -----
From: "IRCXpro Support" <support () ircxpro com>
To: "Darren Reed" <avalon () caligula anu edu au>
Cc: "morning_wood" <se_cur_ity () hotmail com>; <bugtraq () securityfocus com>;
<full-disclosure () lists netsys com>
Sent: Tuesday, June 03, 2003 8:31 AM
Subject: Re: [Full-disclosure] Re: IRCXpro 1.0 - Clear local and default
remote admin passwords


> Reply to Feedback from Darren:
>
> > Firstly, there has been support for storing passwords, encrypted, in
> > configuration files on Unix for over 10 years, if not longer.  I can
> The reason why IRC servers "IRCD.config" files don't use encryption (see
> file attachment for example) is because 49 times out of 50 they do not
come
> with a GUI program.  Administrators main method of changing the
> configuration is to manually edit the file using a notepad utility.
>
> > at leisure.  Windows, Linux, it does not matter, there are security
> > threats to all environments that when exploited given outsiders some
> > sort of "local access".
> Then in this case this would be an operating system vulnerability.
>
> Overuse in the use of encrypted passwords can be counter productive to
> functionality.
> There are good reasons to keep passwords clear text passwords to better
> interface with other software.
> For example Merak Mail server software
> (http://www.icewarp.com/Products/Merak_Email_Server_Software/)
> When using this mail server, it can store the accounts on an SQL Server.
> The passwords are stored clear text.  This enables other software to
> interface with its data to create and sync its accounts/passwords with
other
> systems.
>
> However we will give the issue raised due attention in our next version
> release and appreciate everybody's efforts & feedback to further improving
> our product.
>
> Regards,
> IRCXpro Support
>
>
>
> ----- Original Message -----
> From: "Darren Reed" <avalon () caligula anu edu au>
> To: "IRCXpro Support" <support () ircxpro com>
> Cc: "morning_wood" <se_cur_ity () hotmail com>; <bugtraq () securityfocus com>;
> <full-disclosure () lists netsys com>
> Sent: Tuesday, June 03, 2003 3:10 PM
> Subject: Re: [Full-disclosure] Re: IRCXpro 1.0 - Clear local and default
> remote admin passwords
>
>
> > In some mail from IRCXpro Support, sie said:
> > > Vulnerability(s):
> > > 1. Local clear passwords
> > >
> > > Our Reply: It is common place for all IRC Server applications to store
> clear
> > > passwords in the IRCD.config files.  The nature of the program is for
it
> to
> > > be used by Remote Users, NOT local ones.
> > There are a couple of extremely bad comments in these two sentences,
> > let us dwell on it for a moment or two.
> >
> > Firstly, there has been support for storing passwords, encrypted, in
> > configuration files on Unix for over 10 years, if not longer.  I can
> > go pull out some source code of that vintage with support for using
> > crypt() to validate passwords if you're in doubt.
> >
> > Now, be that as it may, you've made a somewhat fatal assumption in
> > your justification - that the remote users will never have any other
> > access to the server that would let them  browse the configuration
> > at leisure.  Windows, Linux, it does not matter, there are security
> > threats to all environments that when exploited given outsiders some
> > sort of "local access".
> >
> > I find it somewhat disturbing to see development of inferior security
> > standards in products based on the supposition that nobody practises
> > good security with the various IRC server passwords.
> >
> > Darren
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html