====================================================================== Alt-N MDaemon's WorldClient Predictable Session ID Vulnerability ====================================================================== Software: Alt-N MDaemon v13.0.3 and prior versions Vendor: http://www.altn.com/ Vuln Type: Session ID Prediction Remote: Yes Local: No Discovered by: QSecure and Demetris Papapetrou References: http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_WorldClient_Predictable_Session_ID.html Discovered: 25/07/2012 Reported: 19/12/2012 Fixed: 15/01/2013 (http://files.altn.com/MDaemon/Release/RelNotes_en.html) Disclosed: 18/02/2013 VULNERABILITY DESCRIPTION: ========================== Alt-N WorldClient is the web interface of the MDaemon email server. It has been identified that application session state is not maintained by the user's session cookie but by the URL "Session" parameter instead. This parameter is transmitted with every user request sent to the WorldClient web application and under certain circumstances future session IDs can be successfully predicted. The use of predictable session IDs for authentication makes WorldClient prone to session hijacking attacks. If the attacker can generate a current valid session ID then he/she may be able to access webmail accounts without possessing a valid username/password. The impact of the attack is significantly reduced because WorldClient associates the client's IP address with each session ID produced. However, certain network setups or other scenarios may exist that could render the IP restriction ineffective. Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable; other versions may also be affected. Pre-Requisites: --------------- 1) The attacker needs to get a current or expired session ID. a) Google Search: "WorldClient.dll?Session=" b) Steal an HTTP request and observe the Referer field 2) The MDaemon service or the machine has not been restarted since the captured session ID was generated (There may be a way to deal with this but further research is needed).