MDaemon New File Creation Local Privilege Escalation

2004-11-29T11:02:48
ID OSVDB:12158
Type osvdb
Reporter RedTeam Pentesting(), KF(dotslash@snosoft.com)
Modified 2004-11-29T11:02:48

Description

Vulnerability Description

Alt-N MDaemon contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a new file is created, which opens a notepad window. Then, using the new notepad window, cmd.exe is opened from the Windows Directory, which will open a command shell with System privileges. This flaw may lead to a loss of integrity.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround:

Change the service so that it can not interact with the desktop, this would prevent the GUI from showing up. Instead use the MDaemon ghost option; this will launch the GUI under the users account, rather than the system account.

Short Description

Alt-N MDaemon contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a new file is created, which opens a notepad window. Then, using the new notepad window, cmd.exe is opened from the Windows Directory, which will open a command shell with System privileges. This flaw may lead to a loss of integrity.

Manual Testing Notes

  1. Double click on the mail icon in the Taskbar to open the Alt-N MDaemon Pro window.
  2. Click File, click New
  3. Notepad should open. In Notepad click File, click Open
  4. In the Files of type: field choose All Files
  5. Navagate to %WINDIR%\System32\
  6. Right click cmd.exe and choose Open
  7. A new command shell will open with SYSTEM privileges

References:

Vendor URL: http://www.mdaemon.com/ Security Tracker: 1012350 Secunia Advisory ID:13225 Other Advisory URL: http://www.securiteam.com/windowsntfocus/5TP0G2AGKI.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-11/0385.html Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-11/1353.html