-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 TTG0601 - Alt-N WebAdmin Multiple Vulnerabilities RELEASE DATE: August 21st, 2006 VENDOR: Alt-N Technologies ( http://www.altn.com ) VULNERABLE: Tested on Alt-N WebAdmin v3.2.3/3.2.4 running with MDaemon v9.0.5, earlier versions are suspected vulnerable as well SEVERITY: Authenticated users have access to higher level accounts and files on the server OS: Microsoft Windows XP/2000/2003 SUMMARY WebAdmin is a remote administration utility which allows administrators to manage Alt-N's MDaemon, RelayFax and WorldClient products. Recently this has become a standard module for the company's MDaemon mail server, altough it remains available independently as well. The WebAdmin product page touts it's configurable access rights feature. However, tested versions have been found vulnerable to a privilege elevation vulnerability which could lead to compromise of the mail server and which, in combination with insufficient input sanitation in some of it's modules, could allow malicious users access to sensitive files on the server. This includes the system's weakly encoded password file. DETAILS Due to input to the administrative interface's logfile_view.wdm and configfile_view.wdm files not being properly sanitized, authenticated global administrators are allowed access to the underlying filesystem like so: http://mdaemon:1000/configfile_view.wdm?file=../../autoexec.bat http://mdaemon:1000/logfile_view.wdm?type=webadmin&file=../../App/userlist.dat Note that this is not a service offered by the administrative interface itself. Also of note is that the second example retrieves the server's password file which, as noted earlier by Obscure(1), is easily decodable. Mitigating this problem is the fact that the user has to be a global administrator to be allowed access to logfile_view.vdm and configfile_view.vdm. It has also been found however that while the web interface appears to distinguish between user levels (namely global administrator and domain administrator) and indeed touts this ability on it's product page, all authenticated administrators within the same domain regardless of level are allowed to modify all user accounts and passwords through userlist.wdm, including the details and passwords of global administrator accounts. IMPACT The impact of these vulnerabilities in a small environment using only trusted administrators is low if the default HTTP solution is not used. In larger environments were one to trust on WebAdmin's user restrictions the impact of mentioned problems is larger, as they effectively allow third parties unauthorized access to the full mail server configuration and the file system below. WORKAROUNDS It is suggested that administrators do not access the administrative interface over it's own server and as such the inherently insecure HTTP protocol, but install it on another, SSL capable server. Also, it would be wise to not allow regular users access to their domain configurations through the administrative interface, no matter the server. FIX Vendor was notified and response was swift. First contact was established on August 14 and WebAdmin 3.25 which fixes these issues(2) was made available on August 18. REFERENCES (1) Multiple Vulnerabilities in MDaemon + WorldClient by Obscure of Eye on Security http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0057.html (2) WebAdmin Server v3.25 Release Notes http://files.altn.com/WebAdmin/Release/RelNotes_en.txt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFE6gCIXSyYXTPz6J0RAjMWAJ9GQQCuzP0zngp3lNQ7hg3ODfoo+ACfYiqV 81UXnzFz5McMyXdC6Cr6Uc0= =pqQg -----END PGP SIGNATURE-----