MDaemon Insecure Default Directory Permissions

2006.11.22
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

====================================================================== Secunia Research 16/11/2006 - MDaemon Insecure Default Directory Permissions - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Vendor's Description of Software.....................................3 Description of Vulnerability.........................................4 Solution.............................................................5 Time Table...........................................................6 Credits..............................................................7 References...........................................................8 About Secunia........................................................9 Verification........................................................10 ====================================================================== 1) Affected Software * MDaemon 9.0.5, 9.0.6, 9.51, and 9.53. NOTE: Other versions may also be affected. ====================================================================== 2) Severity Rating: Less critical Impact: Privilege Escalation Where: Local system ====================================================================== 3) Vendor's Description of Software "Now featuring spam traps, custom scheduling, email queuing, and a host of other new features and enhancements. MDaemon email server for Windows is the best choice for managing your organization's messaging and collaboration infrastructure.". Product Link: http://www.altn.com/Products/Default.asp?product_id=MDaemon ====================================================================== 4) Description of Vulnerability Secunia Research has discovered a security issue in MDaemon, which can be exploited by malicious, local users to gain escalated privileges. The problem is caused due to the application by default being installed in the "MDaemon" folder in the system root with insecure permissions (granting members of the "Users" group permissions to create files and directories). This can be exploited by e.g. placing a malicious RASAPI32.DLL or MPRAPI.DLL library in the "MDaemonAPP" directory. Successful exploitation allows execution of arbitrary code with SYSTEM privileges. NOTE: This is a general problem for the majority of Windows applications when installed outside the "Program Files" folder due to the way libraries are located. Also, fans of "Colossal Cave Adventure" should try sending the commands: "XYZZ" and "PLUG" to the POP3 service or "XYZZY" and "PLUGH" to the ODMR service (port 366/TCP). ====================================================================== 5) Solution Set secure permissions on the directory or install in the "Program Files" folder (according to the vendor, this should not have an impact on the functionality of the application). ====================================================================== 6) Time Table 29/08/2006 - Vendor notified. 31/08/2006 - Vendor response. 24/10/2006 - Vendor issues version 9.5.0, which does not address the security issue correctly (just checks for the presence of RASAPI32.DLL in the application folder). 26/10/2006 - Vendor contacted again. 31/10/2006 - Vendor response. 16/11/2006 - Public disclosure. ====================================================================== 7) Credits Discovered by Secunia Research. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has not currently assigned a CVE identifier for the security issue. ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://corporate.secunia.com/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://corporate.secunia.com/secunia_research/33/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/secunia_vacancies/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2006-67/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ======================================================================


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top