P.O.Box 16298, 2087 Acropolis, Nicosia, CYPRUS

PHONE:    +357 22499996

Alt-N MDaemon's WorldClient Disclosure of Authentication Credentials Vulnerability

Software:    Alt-N MDaemon v13.0.3 and prior versions
Vendor:    http://www.altn.com/
Vulnerability Type:    Disclosure of Authentication Credentials
Remote:    Yes
Local:    No
Discovered:    01 October 2012
Reported:    19 December 2012
Disclosed:    18 February 2013
Whitepaper:   Pwning_MDaemon.pdf

VULNERABILITY DESCRIPTION:

The Alt-N WorldClient application is prone to disclosure of authentication credentials via a specially crafted HTTP request. This is possible because the application replies to the request with a response that contains the credentials in an encoded (reversible) format.

Attackers may trick an unsuspecting user into opening a malicious email message in the WorldClient application and steal his/her authentication credentials without the user ever noticing.

Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable; other versions may also be affected.

PoC Exploit:

Vulnerable URL:
http://www.example.com:3000/WorldClient.dll?Session=[SESSION_ID]&View=WebAdmin

Encoded Auth String:
GaDAQBQOP3cymUmJxiNVaz80JTAklc/c+q7fAhmklkQSdp0XMo2X/4aVhqMtLz4OLuCf6v2T0Gc9KKHkvnok0B9ARyso9/k

Decoded Auth String:
User=test%40ac1dc0de.com&Password=111111Ab&TimeStamp=1344532850&Lang=en

PoC Python Script: decode.py
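
For defenders reviewing exposure, the following added example (not part of the advisory and not the decode.py script referenced above) scans an HTTP access log for requests matching the vulnerable URL, since each such request is answered with the encoded credentials. The Combined Log Format input, the sample log lines, the case-insensitive matching and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format is an assumption).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Feb/2013:10:01:02 +0000] "GET /WorldClient.dll?Session=AAAA1111&View=Main HTTP/1.1" 200 5120
192.0.2.10 - - [18/Feb/2013:10:01:09 +0000] "GET /WorldClient.dll?Session=AAAA1111&View=WebAdmin HTTP/1.1" 200 312
198.51.100.7 - - [18/Feb/2013:10:04:41 +0000] "GET /worldclient.dll?view=webadmin&session=BBBB2222 HTTP/1.1" 200 310
198.51.100.7 - - [18/Feb/2013:10:05:00 +0000] "GET /WorldClient.dll?Session=BBBB2222&View=%57ebAdmin HTTP/1.1" 200 310
203.0.113.5 - - [18/Feb/2013:10:06:13 +0000] "GET /WorldClient.dll?Session=CCCC3333&View=WebAdmin HTTP/1.1" 404 0
203.0.113.5 - - [18/Feb/2013:10:07:00 +0000] "GET /help/WebAdmin.html HTTP/1.1" 200 900
"""

# client IP, timestamp, request target and status code of one log line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_webadmin_requests(log_text):
    """Return one dict per request for WorldClient.dll with View=WebAdmin."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m["target"])
        # Path and parameter names are compared case-insensitively (assumption).
        if not url.path.lower().endswith("/worldclient.dll"):
            continue
        # parse_qs percent-decodes values, so View=%57ebAdmin is caught too.
        params = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
        if params.get("view", "").lower() != "webadmin":
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                     "session": params.get("session", "")})
    return hits

def sessions_to_review(log_text):
    """Sorted, de-duplicated session IDs seen in matching requests."""
    return sorted({h["session"] for h in find_webadmin_requests(log_text)})

if __name__ == "__main__":
    for hit in find_webadmin_requests(SAMPLE_LOG):
        print(hit)
```

The status code is reported rather than filtered on, so the reviewer can decide which responses are relevant.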