Re: MPCS security holes

Eric Ochoa [NOL Staff] (cwizard@nol.net)
Tue, 16 Dec 1997 14:25:42 -0600 (CST)


Real good, let's let EVERYONE know how to crash our servers. Here I have
something for you:

____________________________________________
| 1 ONE |
| .d8888b. .d8888b. |
| d88P Y88b INTERNET CLUEPON d88P Y88b |
| .d88P .d88P |
| .d88P" good for .d88P" |
| 888" 888" |
| 888 One *FREE* Clue 888 |
| |
| 888 888 |
| ONE 1 |
--------------------------------------------

On Mon, 15 Dec 1997, Bill Woodland (Squeek) wrote:

> >Date: Wed, 10 Dec 1997 21:40:39 -0600 (CST)
> >From: Jason Williams <streak@ccwf.cc.utexas.edu>
> >X-Sender: streak@piglet.cc.utexas.edu
> >To: boshea@wpine.com
> >cc: wcw@bga.com, cwizard@giblets.com, cwizard@nol.net, jeeves@jumpnet.com
> >Subject: MPCS security holes
> >
> >I'm not sure if White Pine knows this and just haven't corrected for
> >it, but I've found a major security hole in MPCS concerning telnetting in
> >to the reflector.
> >
> >It affects all MPCS reflectors regardless of allow-wpconfig settings and
> >regardless of which part is passworded (the GUI or the telnet).
> >Just telnet to the IP of a MPCS reflector port 7642 and type in "who" or
> >"help commands". It seems port 7642 is the same as 7640 without the
> >prompt. It also isn't restricted with the use of allow-wpconfig lines
> >like port 7640 is so ANYONE can see who's on the reflectors.
> >
> >The problem actually is much worse than that. If the operator has chosen
> >to password the GUI, anyone telnetting to port 7642 can do ANYTHING with
> >the reflector (kill people, deny, allow, setup new conferences, delete
> >conferences, etc). No allow-wpconfig line or password is required. I
> >believe this also stems from the fact that if you password the GUI, anyone
> >who CAN telnet in to port 7640 has complete access to the reflector as
> >well (no password required). It's also been my experience that almost
> >everyone running MPCS has chosen to password the GUI, so anyone with the
> >knowledge of this security hole can potentially cause a lot of damage.
> >
> >With Bill's reflector, he chose to password the telnet, so anyone
> >telnetting to port 7642 on his reflector can only see who's on the public
> >conferences and isn't allowed kill/deny/etc without entering a password.
> >Still, it renders allow-wpconfig completely useless.
> >
> >I hope this problem will be fixed soon. Unlike the bug with mpcs.html
> >displaying all public and private conferences to anyone that goes to that
> >URL, this one is much more serious since it not only displays public and
> >private conferences, but who's on them and potentially allows anyone to
> >have complete control over the reflector. One thing I don't know of is
> >how much activity on port 7642 is logged. Maybe Eric or Bill can help
> >with that.
> >
> >--Jason Williams (still awaiting Solaris MPCS)
> >
> >--
> >streak@ccwf.cc.utexas.edu * Jason Williams -- Austin, Tx. | |
> >streak@mail.utexas.edu * University of Texas at Austin | ___ |
> >streak@cs.utexas.edu * BS Computer Science \_|_/
> >*************** http://ccwf.cc.utexas.edu/~streak/ **************|
> >
> >
> >
> Bill Woodland (Squeek ©) PC questions only, please.
> Personal web page: http://www.realtime.com/~wcw
> CU-SeeMe page: http://cu-seeme.cornell.edu/~WCW
> CU-SeeMe Unsubscribe? Details at http://cu-seeme.cornell.edu/listinfo.html
>

.o Eric Ochoa ............................... Phone [713] 467-7100 .o.
.o Networks On-Line ......................... Pager [713] 268-9177 .o.
.o 10497 Town & Country Way #460 ............ Email erico@nol.net .o.
.o Houston TX 77024 ............................................... o.