altnwebadmin.txt

2006-08-27T00:00:00
ID PACKETSTORM:49441
Type packetstorm
Reporter TTG
Modified 2006-08-27T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
TTG0601 - Alt-N WebAdmin Multiple Vulnerabilities  
  
RELEASE DATE:  
August 21st, 2006  
  
VENDOR:  
Alt-N Technologies ( http://www.altn.com )  
  
VULNERABLE:  
Tested on Alt-N WebAdmin v3.2.3/3.2.4 running  
with MDaemon v9.0.5, earlier versions are  
suspected vulnerable as well  
  
SEVERITY:  
Authenticated users have access to higher level  
accounts and files on the server  
  
OS:  
Microsoft Windows XP/2000/2003  
  
  
  
SUMMARY  
  
WebAdmin is a remote administration utility which allows administrators to  
manage Alt-N's MDaemon, RelayFax and WorldClient products. Recently this  
has become a standard module for the company's MDaemon mail server, altough  
it remains available independently as well.  
  
The WebAdmin product page touts it's configurable access rights feature.  
However, tested versions have been found vulnerable to a privilege elevation  
vulnerability which could lead to compromise of the mail server and which,  
in combination with insufficient input sanitation in some of it's modules,  
could allow malicious users access to sensitive files on the server.  
  
This includes the system's weakly encoded password file.  
  
  
  
DETAILS  
  
Due to input to the administrative interface's logfile_view.wdm and  
configfile_view.wdm files not being properly sanitized, authenticated global  
administrators are allowed access to the underlying filesystem like so:  
  
http://mdaemon:1000/configfile_view.wdm?file=../../autoexec.bat  
http://mdaemon:1000/logfile_view.wdm?type=webadmin&file=../../App/userlist.dat  
  
Note that this is not a service offered by the administrative interface  
itself.  
Also of note is that the second example retrieves the server's password file  
which, as noted earlier by Obscure(1), is easily decodable.  
  
Mitigating this problem is the fact that the user has to be a global  
administrator to be allowed access to logfile_view.vdm and  
configfile_view.vdm.  
  
It has also been found however that while the web interface appears to  
distinguish between user levels (namely global administrator and domain  
administrator) and indeed touts this ability on it's product page, all  
authenticated administrators within the same domain regardless of level are  
allowed to modify all user accounts and passwords through userlist.wdm,  
including the details and passwords of global administrator accounts.  
  
  
  
IMPACT  
  
The impact of these vulnerabilities in a small environment using only trusted  
administrators is low if the default HTTP solution is not used. In larger  
environments were one to trust on WebAdmin's user restrictions the impact of  
mentioned problems is larger, as they effectively allow third parties  
unauthorized access to the full mail server configuration and the file  
system below.  
  
  
  
WORKAROUNDS  
  
It is suggested that administrators do not access the administrative  
interface over it's own server and as such the inherently insecure HTTP  
protocol, but install it on another, SSL capable server.  
  
Also, it would be wise to not allow regular users access to their domain  
configurations through the administrative interface, no matter the server.  
  
  
  
FIX  
  
Vendor was notified and response was swift. First contact was established  
on August 14 and WebAdmin 3.25 which fixes these issues(2) was made available  
on August 18.  
  
  
  
REFERENCES  
  
(1) Multiple Vulnerabilities in MDaemon + WorldClient by Obscure of Eye  
on Security  
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0057.html  
  
(2) WebAdmin Server v3.25 Release Notes  
http://files.altn.com/WebAdmin/Release/RelNotes_en.txt  
  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.5 (GNU/Linux)  
  
iD8DBQFE6gCIXSyYXTPz6J0RAjMWAJ9GQQCuzP0zngp3lNQ7hg3ODfoo+ACfYiqV  
81UXnzFz5McMyXdC6Cr6Uc0=  
=pqQg  
-----END PGP SIGNATURE-----  
  
  
`