
[NT] Alt-N WebAdmin Directory Traversal (logfile/configfile_view.wdm)

Subject: [NT] Alt-N WebAdmin Directory Traversal (logfile/configfile_view.wdm)
Date: 24 Aug 2006 10:36:08 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Alt-N WebAdmin Directory Traversal (logfile/configfile_view.wdm)
------------------------------------------------------------------------


SUMMARY

WebAdmin (http://www.altn.com/products/default.asp?product_id=WebAdmin) 
is a remote administration utility which allows administrators to manage 
Alt-N's MDaemon, RelayFax and WorldClient products.

Directory traversal in a couple of WebAdmin's scripts allows any user with 
access to the WebAdmin administrative interface to access any file on the 
vulnerable host.

DETAILS

Vulnerable Systems:
 * Alt-N WebAdmin v3.2.3/3.2.4 running with MDaemon v9.0.5, earlier 
versions are suspected vulnerable as well

The WebAdmin product page touts its configurable access rights feature. 
However, tested versions have been found vulnerable to a privilege 
elevation vulnerability which could lead to compromise of the mail server 
and which, in combination with insufficient input sanitization in some of 
its modules, could allow malicious users access to sensitive files on the 
server. This includes the system's weakly encoded password file.

Due to input to the administrative interface's logfile_view.wdm and 
configfile_view.wdm files not being properly sanitized, authenticated 
global administrators are allowed access to the underlying filesystem like 
so:

http://mdaemon:1000/configfile_view.wdm?file=../../autoexec.bat
http://mdaemon:1000/logfile_view.wdm?type=webadmin&file=../../App/userlist.dat

Note that this is not a service offered by the administrative interface 
itself.
Also of note is that the second example retrieves the server's password 
file which, as noted earlier by Obscure(1), is easily decodable.
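
For administrators reviewing request logs from an unpatched server, the following added example (not part of the original advisory or of WebAdmin) flags requests to the two affected scripts whose file parameter leaves the served directory. It assumes the request URIs have already been extracted from whatever log format is in use; the sample requests other than the advisory's two URLs are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The two WebAdmin scripts named in this advisory.
AFFECTED_SCRIPTS = {"logfile_view.wdm", "configfile_view.wdm"}

# Constructed sample request URIs (the first two are the advisory's own URLs).
SAMPLE_REQUESTS = [
    "http://mdaemon:1000/configfile_view.wdm?file=../../autoexec.bat",
    "http://mdaemon:1000/logfile_view.wdm?type=webadmin&file=../../App/userlist.dat",
    "/logfile_view.wdm?type=webadmin&file=webadmin.log",
    "/configfile_view.wdm?file=..%5C..%5Cautoexec.bat",
    "/userlist.wdm?domain=example.com",
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(file_param):
    """True if the 'file' value points outside the directory being served."""
    path = fully_decode(file_param).replace("\\", "/")
    if path.startswith("/") or re.match(r"^[A-Za-z]:", path):
        return True  # absolute path or Windows drive letter
    return ".." in path.split("/")

def suspicious_requests(request_uris):
    """Return the URIs that hit an affected script with a traversing 'file'."""
    hits = []
    for uri in request_uris:
        parts = urlsplit(uri)
        script = parts.path.rsplit("/", 1)[-1].lower()
        if script not in AFFECTED_SCRIPTS:
            continue
        # parse_qs performs the first round of percent-decoding.
        values = parse_qs(parts.query).get("file", [])
        if any(is_traversal(v) for v in values):
            hits.append(uri)
    return hits

if __name__ == "__main__":
    for uri in suspicious_requests(SAMPLE_REQUESTS):
        print("ALERT", uri)
```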

Mitigating this problem is the fact that the user has to be a global 
administrator to be allowed access to logfile_view.wdm and 
configfile_view.wdm.

It has also been found, however, that while the web interface appears to 
distinguish between user levels (namely global administrator and domain 
administrator) and indeed touts this ability on its product page, all 
authenticated administrators within the same domain, regardless of level, 
are allowed to modify all user accounts and passwords through 
userlist.wdm, including the details and passwords of global administrator 
accounts.

The impact of these vulnerabilities in a small environment using only 
trusted administrators is low if the default HTTP solution is not used. In 
larger environments, where one relies on WebAdmin's user restrictions, the 
impact of the mentioned problems is larger, as they effectively allow third 
parties unauthorized access to the full mail server configuration and the 
underlying file system.

Workaround:
It is suggested that administrators do not access the administrative 
interface over its own server, and as such over the inherently insecure 
HTTP protocol, but install it on another, SSL-capable server.

Also, it would be wise to not allow regular users access to their domain 
configurations through the administrative interface, no matter the server.

Vendor Status:
Vendor was notified and response was swift. First contact was established 
on August 14 and WebAdmin 3.25, which fixes these issues(2), was made 
available on August 18.

References:
(1) Multiple Vulnerabilities in MDaemon + WorldClient by Obscure of Eye 
on Security: 
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0057.html

(2) WebAdmin Server v3.25 Release Notes: 
http://files.altn.com/WebAdmin/Release/RelNotes_en.txt


ADDITIONAL INFORMATION

The information has been provided by TTG (releases@teklow.com).


