TTG0602.txt

TTG0602.txt
Posted Sep 7, 2006
Authored by TTG | Site teklow.com

Alt-N WebAdmin version 3.2.5 running with MDaemon version 9.0.6 suffers from a flaw that allows Domain administrators within the default domain the ability to take over the MDaemon system account.

tags | advisory
SHA-256 | 49daca546bd5669665982a276cd4a7d2289a0ff3b5a1c24e3ce157138c26e127

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


TTG0602 - Alt-N WebAdmin MDaemon Account Hijacking

RELEASE DATE:
September 4, 2006

VENDOR:
Alt-N Technologies ( http://www.altn.com )

VULNERABLE:
Tested on Alt-N WebAdmin v3.2.5 running
with MDaemon v9.0.6, earlier versions are
suspected vulnerable as well

SEVERITY:
Domain administrators within the default domain
can take over the "MDaemon" system account, which
could lead to compromise of sensitive data

OS:
Microsoft Windows XP/2000/2003



SUMMARY

WebAdmin is a remote administration utility which allows administrators to
manage Alt-N's MDaemon, RelayFax and WorldClient products. Recently this
has become a standard module for the company's MDaemon mail server, although
it remains available independently as well.

It is possible for a domain administrator within the default domain of an
MDaemon server to gain access to the server's "MDaemon" account through
WebAdmin. This is the account which processes remote server and mailing list
commands, which are authenticated by putting a user's email address and
password in the subject field of a message.

By taking over this account and enabling mail access to it a malicious
domain administrator could gain access to the system queue, the contents of
which are by default only stored on disk and not accessible.

It is important to note that this queue processes the messages for all
domains on the server, not just the local one.



DETAILS

Within the MDaemon structure, domain administrators are users which are
allowed to manage accounts for a specific domain on the server. While the
"MDaemon" account is not available or even visible for modification in the
WebAdmin interface, its details can be accessed by sending a specially
constructed URL to the useredit_account.wdm module.

Access to its settings is still restricted when called in this way. However,
it is possible to rename the mailbox to which this account directs its queue.
By then creating a new account with the details of the original MDaemon
account and enabling mail access to it, the messages destined for the server
account can be read through a regular mail interface while they are stored
until processed.

This account will now also be recognized as the system account by the server
and the original MDaemon user, now just a regular account, can be deleted by
the domain administrator to cover his tracks.
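The sequence described above (a domain administrator editing the system account, renaming its mailbox, recreating an account under the system account's name, then deleting the renamed original) is a pattern that an administrative audit trail can be checked for. The following is an added example, not part of the advisory or of any Alt-N product: it runs a small detector over constructed audit records. The record fields (`actor`, `role`, `action`, `target`, `new_mailbox`) and the sample events are assumptions made for this example; WebAdmin's own logs would have to be mapped into this shape first.

```python
"""Flag WebAdmin-style administrative actions that match the account-hijack
pattern in TTG0602: a non-global administrator touching, recreating or
cleaning up after the "MDaemon" system account.

Added example, not code from the advisory or from Alt-N. The audit-record
layout below is constructed for this example.
"""

# Name of the system account as given in the advisory.
SYSTEM_ACCOUNT = "MDaemon"

# Constructed sample audit records (assumed format): who did what to which
# account, and the mailbox name an edit/create assigned, if any.
SAMPLE_EVENTS = [
    {"actor": "alice", "role": "global_admin", "action": "edit",
     "target": "bob@example.com", "new_mailbox": None},
    # A domain administrator edits the system account and renames its mailbox.
    {"actor": "mallory", "role": "domain_admin", "action": "edit",
     "target": "MDaemon", "new_mailbox": "mdaemon-old"},
    # ...recreates an account under the system account's name...
    {"actor": "mallory", "role": "domain_admin", "action": "create",
     "target": "MDaemon", "new_mailbox": "MDaemon"},
    # ...and deletes the renamed original to cover the trail.
    {"actor": "mallory", "role": "domain_admin", "action": "delete",
     "target": "mdaemon-old", "new_mailbox": None},
    {"actor": "alice", "role": "global_admin", "action": "create",
     "target": "carol@example.com", "new_mailbox": "carol"},
]


def find_suspicious(events, system_account=SYSTEM_ACCOUNT):
    """Return a list of alerts, one per event that matches a rule.

    Rules, in priority order (first match wins for an event):
      1. system_account_recreated: a non-global admin creates an account
         whose name or mailbox equals the system account name.
      2. system_account_modified: a non-global admin performs any action
         on the system account itself.
      3. renamed_system_mailbox_deleted: any deletion of a mailbox that an
         earlier event renamed the system account's mailbox to.
    """
    sys_name = system_account.lower()
    alerts = []
    renamed_to = set()  # mailbox names the system account was renamed to

    for e in events:
        target = e["target"].lower()
        new_mailbox = (e.get("new_mailbox") or "").lower()
        privileged = e["role"] == "global_admin"
        rule = None

        if (not privileged and e["action"] == "create"
                and sys_name in (target, new_mailbox)):
            rule = "system_account_recreated"
        elif not privileged and target == sys_name:
            rule = "system_account_modified"
            # Remember where the system mailbox was moved so a later
            # deletion of it can be tied back to this event.
            if new_mailbox and new_mailbox != sys_name:
                renamed_to.add(new_mailbox)
        elif e["action"] == "delete" and target in renamed_to:
            rule = "renamed_system_mailbox_deleted"

        if rule:
            alerts.append({"actor": e["actor"], "action": e["action"],
                           "target": e["target"], "rule": rule})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(f"{alert['rule']:32} {alert['actor']:10} "
              f"{alert['action']:7} {alert['target']}")
```

Rule 3 is the one worth keeping even after upgrading to a fixed WebAdmin: it only fires when a deletion targets a mailbox that an earlier event moved the system account to, so it ties the clean-up step back to the edit that started the sequence rather than alerting on every deletion.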



IMPACT

The impact of this vulnerability in a small environment using only trusted
administrators is low. In larger environments where one relies on WebAdmin's
user restrictions, the impact of the problems mentioned is larger, as they
could allow further compromise of accounts on any domain on the server, not
just the local one.



FIX

WebAdmin v3.2.5 was released on August 18 in response to earlier reported
vulnerabilities (1). In testing, it was found that while previous issues were
fixed, this version still did not completely curtail access to the MDaemon
account for some users.

The vendor was notified of this on August 24th and WebAdmin v3.2.6 (2) was
issued on August 30th. This update was confirmed by ourselves on September 1st
to fix this matter, and we waited until after the weekend to release this
advisory in order to facilitate updating.



REFERENCES

(1) TTG0601 - Alt-N WebAdmin Multiple Vulnerabilities
http://www.teklow.com/advisories/TTG0601.txt

(2) WebAdmin Server v3.2.6 Release Notes
http://files.altn.com/WebAdmin/Release/RelNotes_en.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD8DBQFE/If1XSyYXTPz6J0RAnUEAJ44uUgIr1Ocnl09wbPFx5ulZhVhxACeOi4g
ODlCA1WIwRNGnLg+d9LGZtU=
=Wame
-----END PGP SIGNATURE-----

