Alt-N WebAdmin MDaemon Account Hijacking

2006.09.08
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 TTG0602 - Alt-N WebAdmin MDaemon Account Hijacking RELEASE DATE: September 4, 2006 VENDOR: Alt-N Technologies ( http://www.altn.com ) VULNERABLE: Tested on Alt-N WebAdmin v3.2.5 running with MDaemon v9.0.6, earlier versions are suspected vulnerable as well SEVERITY: Domain administrators within the default domain can take over the "MDaemon" system account, which could lead to compromise of sensitive data OS: Microsoft Windows XP/2000/2003 SUMMARY WebAdmin is a remote administration utility which allows administrators to manage Alt-N's MDaemon, RelayFax and WorldClient products. Recently this has become a standard module for the company's MDaemon mail server, altough it remains available independently as well. It is possible for a domain administrator within the default domain of a MDaemon server to gain access to the server's "MDaemon" account through the WebAdmin. This is the account which processes remote server and mailinglist commands, which are authenticated by putting a user's email address and password in the subject field of a message. By taking over this account and enabling mail access to it a malicious domain administrator could gain access to the system queue, the contents of which are by default only stored on disk and not accessible. It is important to note that this queue processes the messages for all domains on the server, not just the local one. DETAILS Within the MDaemon structure, domain administrators are users which are allowed to manage accounts for a specific domain on the server. While the "MDaemon" account is not available or even visible for modification in the WebAdmin interface, it's details can be accessed through sending a specially constructed url to the useredit_account.wdm module. Access to it's settings are still restricted when called in this way. However, it is possible to rename the mailbox to which this account directs it's queue. By now creating a new account with the details of original MDaemon account and enabling mail access to it, the messages destined for the server account can be read through a regular mail interface while they're stored until processed. This account will now also be recognized as the system account by the server and the original MDaemon user, now just a regular account, can be deleted by the domain administrator to cover his tracks. IMPACT The impact of this vulnerability in a small environment using only trusted administrators is low. In larger environments were one to trust on WebAdmin's user restrictions the impact of mentioned problems is larger, as they could allow further compromise of accounts on any domain, not just the local one, on the server. FIX WebAdmin v3.2.5 was released on August 18 in response to earlier reported vulnerabilities(1). In testing, it was found that while previous issues were fixed, this version still did not completely curtail access to the MDaemon account for some users. The vendor was notified of this on August 24th and WebAdmin v3.2.6(2) was issued on August 30th. This update has been confirmed to fix this matter by ourselves on September 1st and we waited until after the weekend to release this to facilitate updating. REFERENCES (1) TTG0601 - Alt-N WebAdmin Multiple Vulnerabilities http://www.teklow.com/advisories/TTG0601.txt (2) WebAdmin Server v3.2.6 Release Notes http://files.altn.com/WebAdmin/Release/RelNotes_en.txt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) iD8DBQFE/If1XSyYXTPz6J0RAnUEAJ44uUgIr1Ocnl09wbPFx5ulZhVhxACeOi4g ODlCA1WIwRNGnLg+d9LGZtU= =Wame -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top