Bugtraq mailing list archives

Re: Vulnerable: Conference Room Professional-Developer Edition.


From: David Schwartz <davids () WEBMASTER COM>
Date: Wed, 10 Jan 2001 16:58:03 -0800

Conference Room 1.8.1x or older versions are subject to a DoS attack when
following commands are used.

[snip]

        This attack only seems to work on the WIN32 version of ConferenceRoom and
is fixed in version 1.8.2 and later. It should also be noted that versions
of ConferenceRoom prior to 1.8.1 are not vulnerable since these commands
don't exist. Also, installations of ConferenceRoom that don't use the
network services module aren't vulnerable.

        We advise all customers using releases of ConferenceRoom prior to 1.8.2a to
upgrade to 1.8.2a for a variety of reasons. This upgrade is free to all
customers and is available for download from
http://www.webmaster.com/update.shtml

If your irc server using Conference Room 1.8.2x
"/ns buddy on" can't run, cuz professional edt. can't support
"buddy" command.
Register it one channel, and type it commands
"/ns set authorize chanlists on",
"/cs aop <#ChannelName> add <NickName>", "/ns auth accept 1".
and the services crashes.

        I spoke to the services team, and they did receive a report alleging a
crash scenario similar to this one. To date, they have been unable to
replicate it. I attempted to replicate the scenario above, as did several of
our testers on a variety of versions (1.8.2, 1.8.2a and 1.8.2b) and on a
variety of platforms (WIN32, Linux, and Solaris). None of us has been able
to replicate this problem using the procedure described above.

        Inspection of the code involved in the 'ns auth accept' command handler did
not reveal any suspicious code. In addition, this code functions identically
in the Enterprise and Professional Editions, so it's hard to understand how
such an exploit would work on one and not on the other.

        If anybody believes they can replicate this vulnerability and would like to
attempt it on a test server, please contact me at <davids () webmaster com>. If
any customers are experiencing problems, please contact customer support
<support () webmaster com>. We can easily provide a version of services with
these commands removed.

Only a "/servstart" issued by an ircop or admin will return the
services to normal functionality and connect to server.

        The services subsystem can be configured for automatic restart. If
automatic restart is enabled, there is no need for a "/servstart" to restore
the lost functionality. The automatic restart functions identically to the
"servstart" command. We have confirmed that automatic restart functions as
expected with the exploit in 1.8.1.

        It should also be explicitly noted that events in progress are not
disrupted by services interruptions. Only the registration and management
features provided by the services subsystem are affected.

        Customers with concerns about this vulnerability or who would like
assistance with the upgrade process should contact WebMaster's technical
support at <support () webmaster com>.

        David Schwartz
        CTO
        WebMaster, Incorporated

