DoomServ security hole

[aurikan]

Toke said:

Dear Toke:

To respond to some of your accusations,

I'm no big fan of DoomServ. TGO seems to have a lack of concern with the security or perhaps it bothers me that he seems not to grasp just how serious this. Obviously, I believe he should release the client open-source or at least publish details about the protocol in order to encourage peer review.

I might have booted you off of #doomroom, but that is entirely irrelevant to this issue. That episode must have been months ago; I don't even remember it. However I'm not saying that it didn't happen - just that it has no impact.

The bouncing of the email was not intentional. You have no basis to make this accusation, or, if you do have hard evidence, please present it so that everyone may audit it. In addition, your sweeping statement about what the 'good thing' to do is not an established premise. In fact, that is the same topic that cph addressed when he posted the link.

You accuse me of doing this to 'look good'. Again, you have no basis to make this accusation. I am, indeed, perhaps a touch motivated for a desire for fame. However this had little or nothing to do with the ultimate decision to fully disclose the details of the exploit. I will admit to logging on via telnet - a network tool that comes with all (?) major Operating Systems - and examining the received data and to interface with the server. Other methods I used to glean these commands were similarly simple, like searching the binary with a hex-editor, or watching what the client sent out with a packet sniffer.

I can confirm that I was logged on as PinkFish, however it was not me that booted you off the server. In fact this exploit provides no direct way to kick other people off the server. I don't believe I ever said anything along the lines of "cheap visual basic skills", perhaps it was someone else operating under the guise of anonymity? I also never messed with people's profiles. Even TGO would confirm that the profile is (as far as i reasoned) stored locally and sent to the server only on join and update. Therefore to mess with their profile I would need access to their DoomServ client, which is perhaps roundaboutly possible with this exploit, however the only person I ever attacked in this method was my clone, for testing purposes.

You claim to have screenshots of me doing this. I for one would like to see them. I'm sure a host of people would be happy to put them up somewhere for general consumption on the web. What you are doing is CLAIMING you have evidence and drawing conclusions based on what you claim, and then not showing any evidence you have boasted to have.

Anyway Toke, in summary I find your argument to be ... full of holes would be an understatement. You supposedly have a lot of evidence, and yet the only reason you can offer for not showing it is because you are far too busy -- yet you seem to find a lot of time to waste away on DoomServ. Or since that is temporarily offline, to waste posting in these forums. You accuse me and my motivations with no evidence to back up the accusations.

If you have a real point to make, please do.

andy

[aurikan]

fod vile said:

i wonder if any of the others you "tried to email" ever got theirs?

I can only assume that news@doomworld.com got theirs, and I received the copy i sent back to myself. Covaro, if you're reading this: did you get a copy of the letter i sent to doomworld.com? And if so, did it include thegr81@adweb in the To: field?

[aurikan]

Toke said:

There was more than one hacker, Aurikan was one. It could have been him that said he was fiffy but I have no proof.

I never misrepresented myself as fiffy

[stphrz]

Ok. That's all I wanted to know. Whoever did misrepresent himself is a real low-born bastard, far far worse than Fiffy could ever be.

[Guest TGO]

aurikan said:

TGO,

I tried to send it to you and a number of people simultaneously before i posted it. Hoever, the email address i gleaned from the doomserv2000 page must be out of date (thegr81@adweb.com?)

aur

This would of been an error on my part.. I apologize.. the address will be corrected as soon as possible..

[Islebot]

Toke said:

And what is doomserv

A secrity hole ridden pece of crap

[Arioch]

Toke said:

He could have kept it quiet and everyone would have been happy

"
1) By installing this program, the user acknowledges that this program can potentially enable hackers to use the user's computer to commit heinous crimes against the greater community of Internet users. The user also absolves the author of all culpability or responsibility, real or imagined, in any such situations.

2) The user realizes and acknowledges that this program could potentially be used by someone to maliciously hack into his or her computer and delete or otherwise modify his or her files. The user, by installing this program, automatically relinquishes any right to legal or civil recourse in case of damages to his or her computer. The author of the program does not recognize that such a problem in fact does exist with his program, and will not post that such a problem does exist, even if it does.

3) The user should have fun with the program, unless somebody is deleting his or her files."

--- DoomServ EULA

[Lüt]

You guys are weird. So there's a security problem, big whoop. Somebody fix it and get it out of the way.

I think if his initial emails bounced then he should have posted a public warning. However giving a 2-page tutorial on exactly how to do it... that was just plain stupid, and even Fiffy would know the consequences of that.

As for your personal problems with eachother, take it to email, that's what it's there for.

[Linguica]

My opinions about this whole thing:

"Shut up"

[Islebot]

amen

[Guest Templar]

Linguica said:

My opinions about this whole thing:

"Shut up"

I cant be bothered reading all this

[jon^c]

fodders said:

the old doomserver is down killed by aurican't but new one is out now so we can carry on playing doom again :)

This aurican't crap is annoying. Do shut up.

[Grul]

Linguica said:

My opinions about this whole thing:

"Shut up"

I must say that I totally agree... What a mess.

[aurikan]

Here's the latest twist, I'd just like all of you to know that I tried to load up DoomServ 4 Beta, just to see the new features and fixes TGO has implemented. Unfortunately, this IP (137.69.101.147), one of the IPs I performed research from in discovering the exploit, is (surprise surprise) banned.

This means that (unless I find an exploit which allows me to log in anyway) I cannot evaluate whether or not TGO has actually patched the security holes. Therefore I'd like to warn all current and potential future DoomServ users: beware! For that client might potentially allow a malicious user root access to your box.

.

[Megalyth]

You all need to stop whining and start considering the dangers that a security hole poses to all of your frad asses. Keep in mind that aurikan wasn't the only one in there doing that. Just consider yourselves lucky that it wasn't Toke who found the flaw, because all of your hard drives full of kiddie porn and Backstreet Boys MP3s would be fried right about now.

[Jon]

Toke said:

He could have kept it quiet and everyone would have been happy

No we wouldnt, we would simply be living in ignorance which is no better.

[Jon]

Toke said:

Fod is the nicest person in the doom comunity.

Nah thats prower- he's so cuddly.

[Jon]

fodders said:

along with most of what you was told in school i assume :)

I had to read this three times to get the gist of your little joke and by then it was entirely humourless. Much like it would have been had it been written grammatically correctly the first time!

[Jon]

fod vile said:

i wonder if any of the others you "tried to email" ever got theirs?

Perhaps you should read the posts through one more time. TGO clearly stated that the public email address was incorrect.

[Toke]

Megalyth said:

You all need to stop whining and start considering the dangers that a security hole poses to all of your frad asses. Keep in mind that aurikan wasn't the only one in there doing that. Just consider yourselves lucky that it wasn't Toke who found the flaw, because all of your hard drives full of kiddie porn and Backstreet Boys MP3s would be fried right about now.

Megalyth, if i had found this whole nothing bad would have happened. That has been there for 2 years and nothing happened. But 4 days before the new one comes out aurikan "saves our asses" (yeah right). Thats a bunch a bullshit. He was just trying to show off at his last chance. Damnit anyone who accualy believes that shit about him doing this in good nature is stupid, its so damn obviuos that this one done with malice. A 2 year old bug was gonna be gone in 4 days and he posts this. The only threat we had was from aurikan. God damnit stop saying he did something good. Tgo followed his instuctions and all it did was let him see and so things to his own computer. He didnt even think about the people that where on at the time that this could have been used aginst. He was on useing his knowledge to boot people then this post apears. Yeah, i believe he was doing us a favor (that was sarcasm for the cybs out there). Aurikan is a disturbed little shit (probably because of people making fun of his looks all his life) and now he is trying to take it out on people that cant do anything about it.

[Toke]

aurikan said:

Here's the latest twist, I'd just like all of you to know that I tried to load up DoomServ 4 Beta, just to see the new features and fixes TGO has implemented. Unfortunately, this IP (137.69.101.147), one of the IPs I performed research from in discovering the exploit, is (surprise surprise) banned.

This means that (unless I find an exploit which allows me to log in anyway) I cannot evaluate whether or not TGO has actually patched the security holes. Therefore I'd like to warn all current and potential future DoomServ users: beware! For that client might potentially allow a malicious user root access to your box.

.

There you go agin trying to bring down doomserv. Just dont talk about it anymore. Let people use at there own risk without you scaring them.

[Toke]

Linguica said:

My opinions about this whole thing:

"Shut up"

Im with Linguica, maybe you should delete this page.

[Toke]

Lüt said:

You guys are weird. So there's a security problem, big whoop. Somebody fix it and get it out of the way.

I think if his initial emails bounced then he should have posted a public warning. However giving a 2-page tutorial on exactly how to do it... that was just plain stupid, and even Fiffy would know the consequences of that.

As for your personal problems with eachother, take it to email, that's what it's there for.

You said it, it was dumb. To dumb for it to be a mistake by aurikan.

[Toke]

stphrz said:

Ok. That's all I wanted to know. Whoever did misrepresent himself is a real low-born bastard, far far worse than Fiffy could ever be.

Are you going to let him talk about you like that fraggle?

[Toke]

aurikan said:

You need to learn to bullshit better. You cant just show off knowledge like that wile TRYING TO DO SOMETHING GOOD wile at the same time releasing more information on how mess with doomserv and expect us to beleave it. You attempt to bring down doomserv is working so please stop. If you post any more information on how hack doomserv then it will really be obvious what you are trying to do. If made that bad of a "mistake" I wouldnt still be talking about it and trying to do it agin. We dont want your help, all we want is for you to leave us alone, stop telling people how to hack the server, and occasionaly choke. Is it that hard for you just to stop HELPING people that think your fag? Or are you hot for us?

As for booting incedent on doomserv there where 3 people on, me you and a newbie. You or tgo could have booted me and if tgo was there he would have booted you not me. That means:

Aurikan is a fucking lier

[Guest fod_vile]

aurikan said:

Here's the latest twist, I'd just like all of you to know that I tried to load up DoomServ 4 Beta, just to see the new features and fixes TGO has implemented. Unfortunately, this IP (137.69.101.147), one of the IPs I performed research from in discovering the exploit, is (surprise surprise) banned.

This means that (unless I find an exploit which allows me to log in anyway) I cannot evaluate whether or not TGO has actually patched the security holes. Therefore I'd like to warn all current and potential future DoomServ users: beware! For that client might potentially allow a malicious user root access to your box.

.

i wouldn't be suprised if your ip IS banned what do you expect? you hack a persons programme, cause malicious damage to someone and expect to be allowed on again? Who died and made you the protector of us all, i seriously doubt u even tried to get on, what you dont know is v4 server was down most of the 24hrs and it will have been a pretty lucky hit to have tried in the few mins it was up, so you post this and having no evidence that theres a security flaw you instantly jump on the "don't use doomserv bandwaggon" people are forgetting I seem to remember you admitting you wasn't the one who discovered the flaw, so why are you suddenly trying to cop all the glory? Give credit where it's due Aurikan't tell everyone who told YOU how to do it
I would enter into a battle of wits with you man , but i refuse to fight an unarmed man

[aurikan]

Toke said:

I don't know if TGO was actually able to reproduce exploit. However, I can assure you it exists.

[aurikan]

Toke said:

There you go agin trying to bring down doomserv. Just dont talk about it anymore. Let people use at there own risk without you scaring them.

I really have no stake in this.

However, it is wrong to allow people to use this product without properly advertising the adverse effects it can have upon the system. Because it is closed and TGO discourages our peer review (along with you dumb little shits from doomserv), perhaps he should advertise that they may be exploits which hackers could use to damage their systems while they run these programs

[Guest fod_vile]

Teppic said:

Perhaps you should read the posts through one more time. TGO clearly stated that the public email address was incorrect.

Tepid your really begining to get on my tits now
If YOU read the POSTS you would have seen I had posted the msg about email 2 hours before TGO (all hail the great one) had posted he had made an error in his email link

[aurikan]

Toke said:

You said it, it was dumb. To dumb for it to be a mistake by aurikan.

It wasn't a mistake...if you read the article that cph posted a link to, you'll see that full disclosure is a technique used to uncover and patch exploits - by describing the exact details, the programmer(s) will understand exactly what bug(s) the exploit utilises. It's like a really detailed bug report.