Bugtraq mailing list archives
e/pop vulnerability
From: chaos255 () HOTMAIL COM (chaos 255)
Date: Mon, 25 Oct 1999 16:31:27 PDT
Out of the box, the e/pop application has no security settings enabled. Any peer can take control of your desktop without warning. The initial configuration not withstanding, I sent an email to support () wirered com about a vulnerability in the way the software exchanges security codes over the network: Software Affected ----------------- WiredRed e/pop 2.0.3.125 Description ----------- Security Codes configured in the e/pop Control Panel are sent in the clear. Several security codes can be configured from the e/pop control panel: Global: must be installed on each e/pop peer in order to communicate and is also used to restrict access to the control panel. Features: Send and Receive codes can be configured for each of the following features: Message, Chat, Admin, Remote, and AppShare. Impact ------ Security codes can be easily snooped and used to communicate with and/or take control of e/pop peers that have security codes configured. Suggestion ---------- Send a message digest (e.g. MD5) of the security code instead of sending it in the clear. The following was the response I received:
Thank you for your suggestion, but physical security is not the responsibility of e/pop, but the responsibility of your company. If someone has the ability to snoop your network with a packet sniffer, then they have the ability to install password grabbing trojans on your PCs and various other things. That is why security classifications such as C2 does not extend to physical premises security and control for software, and companies like Novell and Microsoft who meet these requirements are still vunerable in physical security attacks, such as console access. We appreciate your suggestions though and will take them into consideration as MD5 and RC6 security is used internally within e/pop to encode codes.
______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
Current thread:
- Imagemap CGI overflow exploit UNYUN (Oct 21)
- Re: Imagemap CGI overflow exploit John LoVerso (Oct 22)
- e/pop vulnerability chaos 255 (Oct 25)
- Re: Imagemap CGI overflow exploit Thomas Reinke (Oct 25)