Alt-N MDaemon's WorldClient Disclosure of Authentication Credentials Vulnerability

Software:    Alt-N MDaemon v13.0.3 and prior versions

Vendor:    http://www.altn.com/

Vulnerability Type:    Disclosure of Authentication Credentials

Remote:    Yes

Local:    No

Discovered:    01 October 2012

Reported:    19 December 2012

Disclosed:    18 February 2013

Whitepaper:   Pwning_MDaemon.pdf

VULNERABILITY DESCRIPTION:

Alt-N WorldClient application is prone to an authentication credentials disclosure via a specially formulated HTTP request. This is possible because the application replies to the request with a response that contains the credentials in an encoded (reversible) format.

Attackers may trick an unsuspecting user into opening a malicious email message -using the WorldClient application- and stealing his/her authentication credentials without the user ever noticing.

Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable; other versions may also be affected.

PoC Exploit:

Vulnerable URL:

http://www.example.com:3000/WorldClient.dll?Session=[SESSION_ID]&View=WebAdmin

Encoded Auth String:

GaDAQBQOP3cymUmJxiNVaz80JTAklc/c+q7fAhmklkQSdp0XMo2X/4aVhqMtLz4OLuCf6v2T0Gc9KKHkvn

ok0B9ARyso9/k

Decoded Auth String:

User=test%40ac1dc0de.com&Password=111111Ab&TimeStamp=1344532850&Lang=en

PoC Python Script: decode.py

Recommended Post