Message-ID: <1ec620e90609041349ld0e541dme9425e8a7529ca1a@mail.gmail.com>
Date: Mon, 4 Sep 2006 13:49:42 -0700
From: "Robert Kim Wireless Internet Advisor" <evdo.hsdpa@...il.com>
To: TTG <releases@...low.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: TTG0602 - Alt-N WebAdmin MDaemon Account Hijacking
Where can I find an updates summary that shows what some of the new
features are? bob
> TTG0602 - Alt-N WebAdmin MDaemon Account Hijacking
>
> RELEASE DATE:
> September 4, 2006
> VULNERABLE:
> Tested on Alt-N WebAdmin v3.2.5 running
> with MDaemon v9.0.6, earlier versions are
> suspected vulnerable as well
>
> SEVERITY:
> Domain administrators within the default domain
> can take over the "MDaemon" system account, which
> could lead to compromise of sensitive data
>
> OS:
> Microsoft Windows XP/2000/2003
>
>
>
> SUMMARY
>
> WebAdmin is a remote administration utility which allows administrators to
> manage Alt-N's MDaemon, RelayFax and WorldClient products. Recently this
> has become a standard module for the company's MDaemon mail server, although
> it remains available independently as well.
>
> It is possible for a domain administrator within the default domain of a
> MDaemon server to gain access to the server's "MDaemon" account through the
> WebAdmin. This is the account which processes remote server and mailinglist
> commands, which are authenticated by putting a user's email address and
> password in the subject field of a message.
>
> By taking over this account and enabling mail access to it a malicious
> domain administrator could gain access to the system queue, the contents of
> which are by default only stored on disk and not accessible.
>
> It is important to note that this queue processes the messages for all
> domains on the server, not just the local one.
>
>
>
> DETAILS
>
> Within the MDaemon structure, domain administrators are users which are
> allowed to manage accounts for a specific domain on the server. While the
> "MDaemon" account is not available or even visible for modification in the
> WebAdmin interface, its details can be accessed through sending a specially
> constructed url to the useredit_account.wdm module.
>
> Access to its settings is still restricted when called in this way. However,
> it is possible to rename the mailbox to which this account directs its queue.
> By now creating a new account with the details of original MDaemon account
> and enabling mail access to it, the messages destined for the server account
> can be read through a regular mail interface while they're stored until
> processed.
>
> This account will now also be recognized as the system account by the server
> and the original MDaemon user, now just a regular account, can be deleted by
> the domain administrator to cover his tracks.
>
>
>
> IMPACT
>
> The impact of this vulnerability in a small environment using only trusted
> administrators is low. In larger environments where one relies on WebAdmin's
> user restrictions, the impact of the mentioned problems is larger, as they could
> allow further compromise of accounts on any domain, not just the local one,
> on the server.
>
>
>
> FIX
>
> WebAdmin v3.2.5 was released on August 18 in response to earlier reported
> vulnerabilities (1). In testing, it was found that while previous issues were
> fixed, this version still did not completely curtail access to the MDaemon
> account for some users.
>
> The vendor was notified of this on August 24th and WebAdmin v3.2.6 (2) was
> issued on August 30th. This update has been confirmed to fix this matter by
> ourselves on September 1st, and we waited until after the weekend to release
> this to facilitate updating.
>
--
Robert Q Kim, Wireless Internet Advisor
http://evdo-coverage.com/satellite-wireless-internet.html
http://wimax-coverage.com
2611 S. Pacific Coast Highway 101
Suite 203
Cardiff by the Sea, CA 92007
206 984 0880
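The advisory above says a domain administrator can reach the hidden "MDaemon" system account by sending a crafted URL to the useredit_account.wdm module. Short of upgrading to WebAdmin v3.2.6, the practical check an operator can make is retrospective: scan the web server log in front of WebAdmin for requests to that module that name the system account, made by anyone who is not a known full administrator. The script below is an added example written for this page; it is not code from TTG, Alt-N or the original message. It assumes Common Log Format lines with the WebAdmin login in the authuser field, and the `user=` query parameter name in the constructed sample lines is an assumption for illustration only; the detector deliberately matches the system account in any query value so it does not depend on that name.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Common Log Format (not real WebAdmin logs).
# The authuser field is assumed to carry the WebAdmin login; the "user="
# parameter name is an assumption made only to build plausible sample URLs.
SAMPLE_LOG = """\
10.0.0.5 - admin@example.com [04/Sep/2006:10:12:01 -0700] "GET /useredit_account.wdm?user=bob@example.com HTTP/1.1" 200 4321
10.0.0.7 - dadmin@example.com [04/Sep/2006:10:13:44 -0700] "GET /useredit_account.wdm?user=MDaemon@example.com HTTP/1.1" 200 4118
10.0.0.7 - dadmin@example.com [04/Sep/2006:10:14:02 -0700] "POST /useredit_account.wdm?user=mdaemon%40example.com HTTP/1.1" 302 0
10.0.0.9 - alice@example.com [04/Sep/2006:10:15:17 -0700] "GET /useredit_mailbox.wdm?user=alice@example.com HTTP/1.1" 200 2210
"""

# ip, ident, authuser, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<authuser>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

SYSTEM_ACCOUNT = "mdaemon"            # local part of the server's system account
SENSITIVE_MODULE = "useredit_account.wdm"  # module named in the advisory


def parse_line(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def targets_system_account(target):
    """True if the request path ends in useredit_account.wdm and any query
    value (parse_qs URL-decodes them) has 'mdaemon' as its local part."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(SENSITIVE_MODULE):
        return False
    values = [v for vs in parse_qs(parts.query, keep_blank_values=True).values() for v in vs]
    return any(v.lower().split("@")[0] == SYSTEM_ACCOUNT for v in values)


def find_hits(log_text, trusted_users=()):
    """Return (authuser, method, target, status) for every request to the
    account editor that names the system account and was made by a login
    outside the trusted set (full administrators you expect to touch it)."""
    trusted = {u.lower() for u in trusted_users}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["authuser"].lower() in trusted:
            continue
        if targets_system_account(rec["target"]):
            hits.append((rec["authuser"], rec["method"], rec["target"], rec["status"]))
    return hits


if __name__ == "__main__":
    for who, method, target, status in find_hits(SAMPLE_LOG, trusted_users=("admin@example.com",)):
        print(f"SUSPICIOUS {who} {method} {target} -> {status}")
```

Run against the constructed sample it reports the two requests by dadmin@example.com and nothing else; a 302 on the POST is worth following up, since the advisory's attack works by saving a renamed mailbox rather than merely viewing the account. Treat a hit as a reason to compare the current system-account settings and recently created accounts against a known-good record, not as proof of compromise.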
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/