P.O.Box 16298, 2087 Acropolis, Nicosia, CYPRUS

PHONE:    +357 70002362
E-MAIL:    




Alt-N MDaemon's WorldClient Predictable Session ID Vulnerability

Software:    Alt-N MDaemon v13.0.3 and prior versions
Vendor:    http://www.altn.com/
Vulnerability Type:    Session ID Prediction
Remote:    Yes
Local:    No
Discovered:    25 July 2012
Reported:    19 December 2012
Disclosed:    18 February 2013
Whitepaper:   Pwning_MDaemon.pdf

VULNERABILITY DESCRIPTION:

Alt-N WorldClient is the web interface of the MDaemon email server. It has been identified that application session state is not maintained by the user's session cookie but by the URL "Session" parameter instead. This parameter is transmitted with every user request sent to the WorldClient web application and under certain circumstances future session IDs can be successfully predicted.

The use of predictable session IDs for authentication makes WorldClient prone to session hijacking attacks. If the attacker can generate a current valid session ID then he/she may be able to access webmail accounts without possessing a valid username/password. The impact of the attack is significantly reduced because WorldClient associates the client's IP address with each session ID produced. However, certain network setups or other scenarios may exist that could render the IP restriction ineffective.

Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable; other versions may also be affected.

Pre-Requisites:

1) The attacker needs to get a current or expired session ID.
       a) Google Search: "WorldClient.dll?Session="
       b) Steal an HTTP request and observe the Referer field
2) The MDaemon service or the machine has not been restarted since the captured session ID was generated (There may be a way to deal with this but further research is needed).

PoC Python Scripts: seed.py & sessionID.py          Supporting Files: Vulnerable Code