`-----BEGIN PGP SIGNED MESSAGE-----
TTG0601 - Alt-N WebAdmin Multiple Vulnerabilities
August 21st, 2006
Alt-N Technologies ( http://www.altn.com )
Tested on Alt-N WebAdmin v3.2.3/3.2.4 running
with MDaemon v9.0.5, earlier versions are
suspected vulnerable as well
Authenticated users have access to higher level
accounts and files on the server
Microsoft Windows XP/2000/2003
WebAdmin is a remote administration utility which allows administrators to
manage Alt-N's MDaemon, RelayFax and WorldClient products. Recently this
has become a standard module for the company's MDaemon mail server, altough
it remains available independently as well.
The WebAdmin product page touts it's configurable access rights feature.
However, tested versions have been found vulnerable to a privilege elevation
vulnerability which could lead to compromise of the mail server and which,
in combination with insufficient input sanitation in some of it's modules,
could allow malicious users access to sensitive files on the server.
This includes the system's weakly encoded password file.
Due to input to the administrative interface's logfile_view.wdm and
configfile_view.wdm files not being properly sanitized, authenticated global
administrators are allowed access to the underlying filesystem like so:
Note that this is not a service offered by the administrative interface
Also of note is that the second example retrieves the server's password file
which, as noted earlier by Obscure(1), is easily decodable.
Mitigating this problem is the fact that the user has to be a global
administrator to be allowed access to logfile_view.vdm and
It has also been found however that while the web interface appears to
distinguish between user levels (namely global administrator and domain
administrator) and indeed touts this ability on it's product page, all
authenticated administrators within the same domain regardless of level are
allowed to modify all user accounts and passwords through userlist.wdm,
including the details and passwords of global administrator accounts.
The impact of these vulnerabilities in a small environment using only trusted
administrators is low if the default HTTP solution is not used. In larger
environments were one to trust on WebAdmin's user restrictions the impact of
mentioned problems is larger, as they effectively allow third parties
unauthorized access to the full mail server configuration and the file
It is suggested that administrators do not access the administrative
interface over it's own server and as such the inherently insecure HTTP
protocol, but install it on another, SSL capable server.
Also, it would be wise to not allow regular users access to their domain
configurations through the administrative interface, no matter the server.
Vendor was notified and response was swift. First contact was established
on August 14 and WebAdmin 3.25 which fixes these issues(2) was made available
on August 18.
(1) Multiple Vulnerabilities in MDaemon + WorldClient by Obscure of Eye
(2) WebAdmin Server v3.25 Release Notes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
-----END PGP SIGNATURE-----