lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAJLR_SW9GbfyUjSf6CjyZvs_te7zZ7phkJOyFnj6nr3LM4sgpQ@mail.gmail.com>
Date: Wed, 20 Feb 2013 15:09:05 +0200
From: demetris papapetrou <demetrispapapetrou@...il.com>
To: bugtraq@...urityfocus.com
Subject: Alt-N MDaemon's WorldClient Predictable Session ID Vulnerability

======================================================================
   Alt-N MDaemon's WorldClient Predictable Session ID Vulnerability
======================================================================

Software:  Alt-N MDaemon v13.0.3 and prior versions
Vendor: http://www.altn.com/
Vuln Type: Session ID Prediction
Remote: Yes
Local: No
Discovered by: QSecure and Demetris Papapetrou
References: http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_WorldClient_Predictable_Session_ID.html
Discovered: 25/07/2012
Reported: 19/12/2012
Fixed: 15/01/2013 (http://files.altn.com/MDaemon/Release/RelNotes_en.html)
Disclosed: 18/02/2013

VULNERABILITY DESCRIPTION:
==========================
Alt-N WorldClient is the web interface of the MDaemon email server. It
has been identified that application session state is not maintained
by the user's session cookie but by the URL "Session" parameter
instead. This parameter is transmitted with every user request sent to
the WorldClient web application and under certain circumstances future
session IDs can be successfully predicted.

The use of predictable session IDs for authentication makes
WorldClient prone to session hijacking attacks. If the attacker can
generate a current valid session ID then he/she may be able to access
webmail accounts without possessing a valid username/password. The
impact of the attack is significantly reduced because WorldClient
associates the client's IP address with each session ID produced.
However, certain network setups or other scenarios may exist that
could render the IP restriction ineffective.

Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable;
other versions may also be affected.

Pre-Requisites:
---------------
1) The attacker needs to get a current or expired session ID.
       a) Google Search: "WorldClient.dll?Session="
       b) Steal an HTTP request and observe the Referer field
2) The MDaemon service or the machine has not been restarted since the
captured session ID was generated (There may be a way to deal with
this but further research is needed).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ