P.O.Box 16298, 2087 Acropolis, Nicosia, CYPRUS

PHONE:    +357 70002362

Alt-N MDaemon's WebAdmin Remote Code Execution Vulnerability

Software:    Alt-N MDaemon v13.0.3 and prior versions
Vendor:    http://www.altn.com/
Vulnerability Type:    Remote Code Execution
Remote:    Yes
Local:    No
Discovered:    01 October 2012
Reported:    19 December 2012
Disclosed:    18 February 2013
Whitepaper:   Pwning_MDaemon.pdf


Alt-N WebAdmin application is prone to a remote code execution vulnerability via the user account import facility. Attackers may utilize a compromised user/non-admin account to create new accounts in the system or modify existing ones, in a way that will turn-on the autorespond "program processing" functionality and cause it to execute arbitrary commands on the underlying operating system.

Furthermore, utilizing the user account import facility, an ordinary user can change the password of any other user or administrator account within MDaemon and access his/her emails. However, a side-effect of this procedure is that any administrator accounts that get modified this way, are downgraded to ordinary users.

Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable; other versions may also be affected.

PoC Exploit:

Steps to follow:
    - edit cmd.csv accordingly                 [Watch it!!! Don't modify the CR chars (\x0d)]
    - access WebAdmin with the victim user's credentials (goofy@ac1dc0de.com)
    - goto http://www.example.com:1000/modalframe.wdm?file=user_import.wdm&sid=[SESSION_ID]
    - import the cmd.csv file
    - send an email to pluto@ac1dc0de.com to trigger the command execution
    - browse to http://www.example.com:3000/ssapi.dat to view the output of your command

Supporting Files: cmd.csv & sample AutoResp.dat