-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TTG0601 - Alt-N WebAdmin Multiple Vulnerabilities

RELEASE DATE:
August 21st, 2006

VENDOR:
Alt-N Technologies ( http://www.altn.com )

VULNERABLE:
Tested on Alt-N WebAdmin v3.2.3/3.2.4 running
with MDaemon v9.0.5, earlier versions are
suspected vulnerable as well

SEVERITY:
Authenticated users have access to higher level
accounts and files on the server

OS:
Microsoft Windows XP/2000/2003



SUMMARY

WebAdmin is a remote administration utility which allows administrators to
manage Alt-N's MDaemon, RelayFax and WorldClient products. Recently this
has become a standard module for the company's MDaemon mail server, altough
it remains available independently as well.

The WebAdmin product page touts it's configurable access rights feature.
However, tested versions have been found vulnerable to a privilege elevation
vulnerability which could lead to compromise of the mail server and which,
in combination with insufficient input sanitation in some of it's modules,
could allow malicious users access to sensitive files on the server.

This includes the system's weakly encoded password file.



DETAILS

Due to input to the administrative interface's logfile_view.wdm and
configfile_view.wdm files not being properly sanitized, authenticated global
administrators are allowed access to the underlying filesystem like so:

http://mdaemon:1000/configfile_view.wdm?file=../../autoexec.bat
http://mdaemon:1000/logfile_view.wdm?type=webadmin&file=../../App/userlist.dat

Note that this is not a service offered by the administrative interface
itself.
Also of note is that the second example retrieves the server's password file
which, as noted earlier by Obscure(1), is easily decodable.

Mitigating this problem is the fact that the user has to be a global
administrator to be allowed access to logfile_view.vdm and
configfile_view.vdm.

It has also been found however that while the web interface appears to
distinguish between user levels (namely global administrator and domain
administrator) and indeed touts this ability on it's product page, all
authenticated administrators within the same domain regardless of level are
allowed to modify all user accounts and passwords through userlist.wdm,
including the details and passwords of global administrator accounts.



IMPACT

The impact of these vulnerabilities in a small environment using only trusted
administrators is low if the default HTTP solution is not used. In larger
environments were one to trust on WebAdmin's user restrictions the impact of
mentioned problems is larger, as they effectively allow third parties
unauthorized access to the full mail server configuration and the file
system below.



WORKAROUNDS

It is suggested that administrators do not access the administrative
interface over it's own server and as such the inherently insecure HTTP
protocol, but install it on another, SSL capable server.

Also, it would be wise to not allow regular users access to their domain
configurations through the administrative interface, no matter the server.



FIX

Vendor was notified and response was swift. First contact was established
on August 14 and WebAdmin 3.25 which fixes these issues(2) was made available
on August 18.



REFERENCES

(1) Multiple Vulnerabilities in MDaemon + WorldClient by Obscure of Eye
on Security
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0057.html

(2) WebAdmin Server v3.25 Release Notes
http://files.altn.com/WebAdmin/Release/RelNotes_en.txt



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE6gCIXSyYXTPz6J0RAjMWAJ9GQQCuzP0zngp3lNQ7hg3ODfoo+ACfYiqV
81UXnzFz5McMyXdC6Cr6Uc0=
=pqQg
-----END PGP SIGNATURE-----