Topic : Alt-N WebAdmin MDaemon Account Hijacking
SecurityAlert : 1516
CVE : CVE-2006-4620
SecurityRisk : Low
Remote Exploit : Yes
Local Exploit : No
Exploit Available : Yes
Credit : TTG (releases teklow com)
Published : 08.09.2006
Affected Software : Alt-N WebAdmin v3.2.3/3.2.4 running with MDaemon v9.0.5
Advisory Content :
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TTG0602 - Alt-N WebAdmin MDaemon Account Hijacking
RELEASE DATE:
September 4, 2006
VENDOR:
Alt-N Technologies ( http://www.altn.com )
VULNERABLE:
Tested on Alt-N WebAdmin v3.2.5 running with MDaemon v9.0.6; earlier
versions are suspected vulnerable as well
SEVERITY:
Domain administrators within the default domain
can take over the "MDaemon" system account, which
could lead to compromise of sensitive data
OS:
Microsoft Windows XP/2000/2003
SUMMARY
WebAdmin is a remote administration utility which allows administrators to
manage Alt-N's MDaemon, RelayFax and WorldClient products. Recently this
has become a standard module for the company's MDaemon mail server,
although it remains available independently as well.

It is possible for a domain administrator within the default domain of an
MDaemon server to gain access to the server's "MDaemon" account through
WebAdmin. This is the account which processes remote server and mailing
list commands, which are authenticated by putting a user's email address
and password in the subject field of a message.

By taking over this account and enabling mail access to it, a malicious
domain administrator could gain access to the system queue, the contents
of which are by default only stored on disk and not accessible.

It is important to note that this queue processes the messages for all
domains on the server, not just the local one.
DETAILS
Within the MDaemon structure, domain administrators are users which are
allowed to manage accounts for a specific domain on the server. While the
"MDaemon" account is not available or even visible for modification in the
WebAdmin interface, its details can be accessed by sending a specially
constructed URL to the useredit_account.wdm module.

Access to its settings is still restricted when called in this way.
However, it is possible to rename the mailbox to which this account
directs its queue.

By now creating a new account with the details of the original MDaemon
account and enabling mail access to it, the messages destined for the
server account can be read through a regular mail interface while they are
stored until processed.

This account will now also be recognized as the system account by the
server, and the original MDaemon user, now just a regular account, can be
deleted by the domain administrator to cover his tracks.
IMPACT
The impact of this vulnerability in a small environment using only trusted
administrators is low. In larger environments, were one to rely on
WebAdmin's user restrictions, the impact of the mentioned problems is
larger, as they could allow further compromise of accounts on any domain
on the server, not just the local one.
FIX
WebAdmin v3.2.5 was released on August 18 in response to earlier reported
vulnerabilities(1). In testing, it was found that while previous issues
were fixed, this version still did not completely curtail access to the
MDaemon account for some users.

The vendor was notified of this on August 24th and WebAdmin v3.2.6(2) was
issued on August 30th. We confirmed on September 1st that this update
fixes the matter, and we waited until after the weekend to release this
advisory to facilitate updating.
REFERENCES
(1) TTG0601 - Alt-N WebAdmin Multiple Vulnerabilities
http://www.teklow.com/advisories/TTG0601.txt
(2) WebAdmin Server v3.2.6 Release Notes
http://files.altn.com/WebAdmin/Release/RelNotes_en.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
iD8DBQFE/If1XSyYXTPz6J0RAnUEAJ44uUgIr1Ocnl09wbPFx5ulZhVhxACeOi4g
ODlCA1WIwRNGnLg+d9LGZtU=
=Wame
-----END PGP SIGNATURE-----
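The authorization gap described under DETAILS, as an added example that is not part of the advisory and is not Alt-N's code: a toy model in which the system account is hidden from the listing and guarded per setting but the mailbox field is missed, next to an object-level check that refuses the edit and the reserved-name re-creation. All names, fields and the `example.test` domain used with it are assumptions.

```python
from dataclasses import dataclass

# Constructed model; all names here are assumptions, not WebAdmin internals.
SYSTEM_ACCOUNTS = {"mdaemon"}                 # reserved system account names
GUARDED_FIELDS = {"password", "mail_access"}  # settings the flawed check covers

@dataclass
class Account:
    name: str
    domain: str
    mailbox: str
    mail_access: bool = False

def listed(admin_domain, accounts):
    """Account list shown in the UI. Hiding an entry is not access control."""
    return [a.name for a in accounts
            if a.domain == admin_domain and a.name.lower() not in SYSTEM_ACCOUNTS]

def edit_flawed(admin_domain, acct, field, value):
    """Per-field restriction on the system account that misses 'mailbox'."""
    if acct.domain != admin_domain:
        raise PermissionError("account is in another domain")
    if acct.name.lower() in SYSTEM_ACCOUNTS and field in GUARDED_FIELDS:
        raise PermissionError("restricted setting")
    setattr(acct, field, value)

def edit_hardened(admin_domain, acct, field, value):
    """Object-level deny: a domain admin cannot edit a system account at all."""
    if acct.domain != admin_domain or acct.name.lower() in SYSTEM_ACCOUNTS:
        raise PermissionError("not permitted for this account")
    setattr(acct, field, value)

def create_hardened(admin_domain, accounts, name, mailbox):
    """Refuse reserved names and mailboxes that are already in use."""
    if name.lower() in SYSTEM_ACCOUNTS:
        raise PermissionError("reserved account name")
    if any(a.domain == admin_domain and a.mailbox.lower() == mailbox.lower()
           for a in accounts):
        raise ValueError("mailbox already in use")
    acct = Account(name, admin_domain, mailbox)
    accounts.append(acct)
    return acct

def allowed(fn, *args):
    """True if the handler accepts the request, False if it refuses."""
    try:
        fn(*args)
        return True
    except (PermissionError, ValueError):
        return False
```

The hardened handlers decide on the target object before looking at which field is being changed, so a setting that was never added to a guard list cannot be edited on the system account.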