MPCS security holes

Bill Woodland (wcw@bga.com)
Mon, 15 Dec 1997 23:33:44 -0600


>Date: Wed, 10 Dec 1997 21:40:39 -0600 (CST)
>From: Jason Williams <streak@ccwf.cc.utexas.edu>
>X-Sender: streak@piglet.cc.utexas.edu
>To: boshea@wpine.com
>cc: wcw@bga.com, cwizard@giblets.com, cwizard@nol.net, jeeves@jumpnet.com
>Subject: MPCS security holes
>
>I'm not sure if White Pine knows this and just haven't corrected for
>it, but I've found a major security hole in MPCS concerning telnetting in
>to the reflector.
>
>It affects all MPCS reflectors regardless of allow-wpconfig settings and
>regardless of which part is passworded (the GUI or the telnet).
>Just telnet to the IP of a MPCS reflector port 7642 and type in "who" or
>"help commands". It seems port 7642 is the same as 7640 without the
>prompt. It also isn't restricted with the use of allow-wpconfig lines
>like port 7640 is so ANYONE can see who's on the reflectors.
>
>The problem actually is much worse than that. If the operator has chosen
>to password the GUI, anyone telnetting to port 7642 can do ANYTHING with
>the reflector (kill people, deny, allow, setup new conferences, delete
>conferences, etc). No allow-wpconfig line or password is required. I
>believe this also stems from the fact that if you password the GUI, anyone
>who CAN telnet in to port 7640 has complete access to the reflector as
>well (no password required). It's also been my experience that almost
>everyone running MPCS has chosen to password the GUI, so anyone with the
>knowledge of this security hole can potentially cause a lot of damage.
>
>With Bill's reflector, he chose to password the telnet, so anyone
>telnetting to port 7642 on his reflector can only see who's on the public
>conferences and isn't allowed kill/deny/etc without entering a password.
>Still, it renders allow-wpconfig completely useless.
>
>I hope this problem will be fixed soon. Unlike the bug with mpcs.html
>displaying all public and private conferences to anyone that goes to that
>URL, this one is much more serious since it not only displays public and
>private conferences, but who's on them and potentially allows anyone to
>have complete control over the reflector. One thing I don't know of is
>how much activity on port 7642 is logged. Maybe Eric or Bill can help
>with that.
>
>--Jason Williams (still awaiting Solaris MPCS)
>
>--
>streak@ccwf.cc.utexas.edu * Jason Williams -- Austin, Tx. | |
>streak@mail.utexas.edu * University of Texas at Austin | ___ |
>streak@cs.utexas.edu * BS Computer Science \_|_/
>*************** http://ccwf.cc.utexas.edu/~streak/ **************|
>
>
>
Bill Woodland (Squeek ©) PC questions only, please.
Personal web page: http://www.realtime.com/~wcw
CU-SeeMe page: http://cu-seeme.cornell.edu/~WCW
CU-SeeMe Unsubscribe? Details at http://cu-seeme.cornell.edu/listinfo.html
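
Added example (not part of the original message and not White Pine's code): a check a reflector operator can run from a host that should have no administrative access, to see whether the two admin ports named in the report (7640 and 7642) accept TCP connections from there. The function names and the default host are assumptions made for illustration; the script only tests reachability and sends no commands.

```python
import socket
import sys

# Ports named in the report: 7640 is the prompted telnet admin port;
# 7642 is described as the same interface without the prompt, and as
# not being restricted by allow-wpconfig lines.
ADMIN_PORTS = {
    7640: "telnet admin (prompted)",
    7642: "telnet admin (no prompt)",
}


def port_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, timed out, unresolvable
        return False


def audit(host, ports=ADMIN_PORTS, probe=port_reachable):
    """Probe each admin port from this vantage point.

    Returns a sorted list of (port, label, reachable) tuples. `probe`
    is injectable so the logic can be exercised without a network.
    """
    return [(p, label, probe(host, p)) for p, label in sorted(ports.items())]


def findings(results):
    """An admin port reachable from a non-admin host is a finding."""
    return [
        f"port {p} ({label}) accepts connections from this host; "
        "restrict it with a packet filter in front of the reflector"
        for p, label, reachable in results
        if reachable
    ]


if __name__ == "__main__":
    # Default host is an assumption; pass your own reflector's address.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    report = findings(audit(host))
    for line in report or ["no admin port reachable from this host"]:
        print(line)
    sys.exit(1 if report else 0)
```

Run it from a machine that is not listed in any allow-wpconfig line; a non-zero exit status means at least one admin port is exposed to that machine.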