Introduction

This advisory is for those running SLMail version 3.2 or 3.1 with the Remote Administration Service enabled. Due to certain shortcomings of this service, any user with an account on the NT machine running SLMail can bypass all NTFS file system permissions to read any file on the system that hasn't already been locked by another process (such as the c:\winnt\system32\config\sam file). Added to this, the file can then be read by anyone on the Internet.

Details

The Remote Administration Service in SLMail allows changes to mail services to be performed using the HTTP protocol over TCP port 180, by default. NTLM authentication can be enabled so that only users with an account and corresponding password may access this service. Once authenticated, however, they do not need to be an Administrator to make changes to the mail services and user account information. This happens because the service does not impersonate the logged-on user, and every change made is performed under the SYSTEM account.

Once authenticated, they can then set a user's Finger File (Plan, for the UNIX people) to any arbitrary file on the system. They must know the path to the file they wish to access. Once these changes have been set, they can then "finger" the user and the file's contents are returned. This works because the finger service, which is controlled by the slmail.exe process, is running as SYSTEM, which has full control of all files on the machine by default. Needless to say, if the machine is accessible via the finger port (TCP port 79) from the Internet, then anybody will be able to read this file. (In some cases, where there are non-standard alphanumerics in the file, or x00 values or similar, the returned data will be truncated.) If the Finger service, which is controlled by the slmail.exe process, has been disabled by the administrator, it can be re-enabled from the Remote Administration web pages.
Added to this problem, many variations of denial of service attacks can be launched, such as changing passwords, stopping services, overwriting files, etc.

Solution

Because of this, Remote Administration should be DISABLED. If this is not viable, then the only way to prevent unauthorized users (those with accounts) from exploiting this is to remove the "Access this computer from the Network" user right from the "Everybody" group and give this privilege to Administrators only.

Cheers,
David Litchfield
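An added example (not part of the original advisory) that audits the user right named in the Solution above. It assumes the rights assignment was exported with `secedit /export /cfg <file>` into a security template, where "Access this computer from the Network" appears under its internal name SeNetworkLogonRight in the [Privilege Rights] section, and it checks whether the Everyone group (SID S-1-1-0, the "Everybody" group in the advisory) still holds that right or whether it has been restricted to Administrators (SID S-1-5-32-544). The two templates embedded in the script are constructed samples.

```python
"""Audit the "Access this computer from the network" user right.

Added example, not part of the original advisory. Parses the
[Privilege Rights] section of a security template in the format written
by `secedit /export /cfg <file>` and reports whether Everyone (S-1-1-0)
still holds SeNetworkLogonRight, the internal name of the right that the
Solution section says should be restricted to Administrators.
"""
import re

# Internal name of the user right discussed in the advisory (assumed to be
# what the exported template contains for "Access this computer from the Network").
NETWORK_LOGON_RIGHT = "SeNetworkLogonRight"
EVERYONE_SID = "S-1-1-0"
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample: the broad assignment the advisory warns about.
SAMPLE_WEAK_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample: the assignment recommended in the Solution section.
SAMPLE_FIXED_TEMPLATE = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""


def parse_privilege_rights(template_text):
    """Return {right_name: [holder, ...]} from the [Privilege Rights] section.

    secedit writes SIDs with a leading '*'; plain account names can also
    appear, so the leading '*' is stripped and names are kept verbatim.
    """
    rights = {}
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def audit_network_logon_right(template_text):
    """Describe whether the network logon right is restricted as the advisory advises."""
    rights = parse_privilege_rights(template_text)
    holders = rights.get(NETWORK_LOGON_RIGHT, [])
    return {
        "holders": holders,
        "everyone_has_right": EVERYONE_SID in holders,
        "restricted_to_administrators": holders == [ADMINISTRATORS_SID],
        "unexpected_holders": [h for h in holders if h != ADMINISTRATORS_SID],
    }


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK_TEMPLATE), ("fixed", SAMPLE_FIXED_TEMPLATE)):
        print(label, audit_network_logon_right(text))
```

Run it against a real export by replacing the constructed sample with the file contents; any holder other than Administrators listed under "unexpected_holders" means an account-holding user can still reach the Remote Administration Service over the network, which is the precondition for the file-read problem described above.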
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:37:31 PDT