Alt-N MDaemon's WorldClient Disclosure of Authentication Credentials Vulnerability
Software: Alt-N MDaemon v13.0.3 and prior versions
Vendor: http://www.altn.com/
Vulnerability Type: Disclosure of Authentication Credentials
Remote: Yes
Local: No
Discovered: 01 October 2012
Reported: 19 December 2012
Disclosed: 18 February 2013
Whitepaper: Pwning_MDaemon.pdf
VULNERABILITY DESCRIPTION:
The Alt-N WorldClient application is prone to disclosure of authentication credentials via a specially crafted HTTP request. This is possible because the application replies to the request with a response that contains the credentials in an encoded (reversible) format.
An attacker may trick an unsuspecting user into opening a malicious email message in the WorldClient application and steal the user's authentication credentials without the user ever noticing.
Alt-N MDaemon v13.0.3 & v12.5.6 were tested and found vulnerable; other versions may also be affected.
PoC Exploit:
Vulnerable URL:
http://www.example.com:3000/WorldClient.dll?Session=[SESSION_ID]&View=WebAdmin
Encoded Auth String:
GaDAQBQOP3cymUmJxiNVaz80JTAklc/c+q7fAhmklkQSdp0XMo2X/4aVhqMtLz4OLuCf6v2T0Gc9KKHkvn
ok0B9ARyso9/k
Decoded Auth String:
User=test%40ac1dc0de.com&Password=111111Ab&TimeStamp=1344532850&Lang=en
PoC Python Script: decode.py
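Detection sketch (an added example, not part of the original advisory or of Alt-N's software): it scans web access logs for requests to `WorldClient.dll` that carry `View=WebAdmin`, the request shape shown under "Vulnerable URL", so they can be reviewed. It assumes Combined Log Format lines from a reverse proxy in front of WorldClient; the function name, sample lines, session IDs and the `View=Placeholder` value are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format, as written by a reverse proxy in front of WorldClient
# (assumption: the advisory does not describe MDaemon's own log layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

def find_webadmin_view_requests(lines):
    """Return one dict per request for WorldClient.dll with View=WebAdmin."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/worldclient.dll"):
            continue
        # parse_qs percent-decodes, so View=%57ebAdmin is caught as well.
        params = {k.lower(): v for k, v in parse_qs(url.query).items()}
        views = [v.lower() for v in params.get("view", [])]
        if "webadmin" not in views:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": int(m.group("status")),
            "session": (params.get("session") or [""])[0],
            "referer": m.group("referer") or "",
        })
    return hits

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Feb/2013:10:01:02 +0000] "GET /WorldClient.dll?Session=AAAA1111&View=Placeholder HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Feb/2013:10:01:09 +0000] "GET /WorldClient.dll?Session=AAAA1111&View=WebAdmin HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Feb/2013:10:02:30 +0000] "GET /worldclient.dll?view=%57ebAdmin&session=BBBB2222 HTTP/1.1" 200 801 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Feb/2013:10:02:31 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_webadmin_view_requests(SAMPLE_LOG):
        print(hit)
```

Each hit records the client address, session value, status and referer, which gives a reviewer what is needed to tie a request back to a mailbox session and decide whether that account's password should be reset.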