Debian Bug report logs - #616052
opendchub: Daemon resets config file to defaults, allowing remote admin with a default password by default


Package: opendchub; Maintainer for opendchub is Zak B. Elep <zakame@zakame.net>;

Reported by: Jeremy Salwen <jeremysalwen@gmail.com>

Date: Wed, 2 Mar 2011 07:12:02 UTC

Severity: grave

Tags: security

Found in version opendchub/0.8.2-2

Fixed in version 0.8.2-2+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, jeremysalwen@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, zakame@zakame.net (Zak B. Elep):
Bug#616052; Package opendchub. (Wed, 02 Mar 2011 07:12:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jeremy Salwen <jeremysalwen@gmail.com>:
New Bug report received and forwarded. Copy sent to jeremysalwen@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, zakame@zakame.net (Zak B. Elep). (Wed, 02 Mar 2011 07:12:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jeremy Salwen <jeremysalwen@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: opendchub: Daemon resets config file to defaults, allowing remote admin with a default password by default
Date: Wed, 02 Mar 2011 02:08:33 -0500
Package: opendchub
Version: 0.8.2-2
Severity: grave
Tags: security
Justification: user security hole

opendchub will overwrite the /etc/opendchub/config file every time it is
restarted.  The defaults include a default administrative password (which is
always the same), and also (perhaps more critically) enables remote
administration by default.  No indication is given that this has happened, and
it might appear to a user that their changed password or server settings have
taken effect.

To test this, it is very simple.

modify /etc/opendchub/config

$sudo nano /etc/opendchub/config

modify the admin password, or some other option

restart the daemon

$sudo invoke-rc.d opendchub restart

which outputs

Stopping DC++ server: opendchub.
Starting DC++ server: opendchub.

Then, look at the configuration file again:

$sudo nano /etc/opendchub/config

all of your customizations to the file are overwritten.

I might report this as a normal bug, but it seems to be a security
vulnerability, as essentially the hub is controllable by anyone in the same
network as the machine, even if the user has specified otherwise, and they are
given no indication that their settings have been ignored.



-- System Information:
Debian Release: 6.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages opendchub depends on:
ii  adduser                       3.112+nmu2 add and remove users and groups
ii  libc6                         2.11.2-10  Embedded GNU C Library: Shared lib
ii  libcap2                       1:2.19-3   support for getting/setting POSIX.
ii  libperl5.10                   5.10.1-17  shared Perl library

opendchub recommends no packages.

opendchub suggests no packages.

-- Configuration Files:
/etc/opendchub/config [Errno 13] Permission denied: u'/etc/opendchub/config'
/etc/opendchub/motd [Errno 13] Permission denied: u'/etc/opendchub/motd'

-- no debconf information
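The check the reporter walks through above (edit the file, restart the daemon, look again) can be automated so that a silent rewrite is caught rather than noticed by eye. The following POSIX shell script is an added example, not code from the bug report or from opendchub: it hashes a configuration file before and after an arbitrary command and reports whether the command replaced the administrator's edits. The `fake_daemon_restart` function and the `admin_password`/`remote_admin` keys are constructed stand-ins for the faulty daemon's behaviour; opendchub's real configuration keys are not given on this page.

```shell
#!/bin/sh
# Added example (not from the bug report): detect whether an action such as a
# daemon restart silently rewrites a configuration file.
#
# Usage: config_survives_action FILE COMMAND [ARGS...]
# Returns 0 if FILE is byte-identical after COMMAND ran, 1 if it was rewritten.
config_survives_action() {
    file=$1
    shift
    before=$(sha256sum "$file" | cut -d' ' -f1)
    "$@"
    after=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$before" = "$after" ]; then
        return 0
    fi
    echo "WARNING: $file was rewritten by: $*" >&2
    return 1
}

# Constructed stand-in for the faulty daemon: it writes its built-in defaults
# over whatever the administrator put in the file. The key names are
# hypothetical, not opendchub's actual configuration syntax.
fake_daemon_restart() {
    printf 'admin_password=default\nremote_admin=1\n' > "$1"
}

# Constructed stand-in for a well-behaved daemon that leaves the file alone.
noop_restart() {
    :
}

# Run the check against a temporary file using the named action.
# Prints "kept" or "overwritten". On a real system the equivalent call is
#   config_survives_action /etc/opendchub/config invoke-rc.d opendchub restart
# executed with root privileges.
demo() {
    action=$1
    tmp=$(mktemp)
    printf 'admin_password=changed-by-admin\nremote_admin=0\n' > "$tmp"
    if config_survives_action "$tmp" "$action" "$tmp" 2>/dev/null; then
        result=kept
    else
        result=overwritten
    fi
    rm -f "$tmp"
    echo "$result"
}
```

Comparing a content hash rather than the modification time is deliberate: a daemon that rewrites the file with identical contents is harmless, while one that restores defaults changes the hash even if it preserves the timestamp. Running the check once after every restart, and failing the deployment when it reports `overwritten`, turns the reporter's manual inspection into a repeatable test.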




Added indication that bug 616052 blocks 619117 Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 06 May 2011 20:33:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Zak B. Elep <zakame@zakame.net>:
Bug#616052; Package opendchub. (Sat, 07 May 2011 12:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ansgar Burchardt <ansgar@debian.org>:
Extra info received and forwarded to list. Copy sent to Zak B. Elep <zakame@zakame.net>. (Sat, 07 May 2011 12:48:03 GMT) Full text and rfc822 format available.

Message #12 received at 616052@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@debian.org>
To: Zak B. Elep <zakame@zakame.net>
Cc: 616052@bugs.debian.org
Subject: Still interested in maintaining opendchub in Debian?
Date: Sat, 07 May 2011 14:45:39 +0200
Hi,

I noticed that this bug has been open for a while and that the Git
repository used for maintaining the package[1] is no longer available.

For these reasons, I am wondering whether you are still interested in
maintaining opendchub in Debian or not.

Regards,
Ansgar

[1] <git://code.zakame.net/git/opendchub.git>
    <http://code.zakame.net/opendchub.git>




Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sun, 04 Mar 2012 11:17:55 GMT) Full text and rfc822 format available.

Notification sent to Jeremy Salwen <jeremysalwen@gmail.com>:
Bug acknowledged by developer. (Sun, 04 Mar 2012 11:18:00 GMT) Full text and rfc822 format available.

Message #17 received at 616052-done@bugs.debian.org (full text, mbox):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 384876-done@bugs.debian.org,599025-done@bugs.debian.org,616052-done@bugs.debian.org,634467-done@bugs.debian.org,655955-done@bugs.debian.org,
Cc: opendchub@packages.debian.org, opendchub@packages.qa.debian.org
Subject: Bug#662069: Removed package(s) from unstable
Date: Sun, 04 Mar 2012 11:03:30 +0000
Version: 0.8.2-2+rm

Dear submitter,

as the package opendchub has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/662069

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Joerg Jaspert (the ftpmaster behind the curtain)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:48:50 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:07:34 2014; Machine Name: buxtehude.debian.org
