CC:Mail password vulnerability

Summary
Description:CC:Mail stores cleartext passwords in a "hidden" batch file which is apparently read/writeable by all users on NT (and of course is on W95)
Author:Carl Byington <carl@five-ten-sg.com>
Compromise:Take over a CC:Mail postoffice
Vulnerable Systems:Windoze NT/95 running cc:Mail release 8
Date:8 September 1997
Details


Date: Mon, 8 Sep 1997 13:17:04 -0500
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Password unsecurity in cc:Mail release 8

Forwarded from RISKS DIGEST 19.37

Date: Fri, 05 Sep 1997 15:51:21 -0700
From: Carl Byington <carl@five-ten-sg.com>
Subject: Password unsecurity in cc:Mail release 8

After installing a cc:Mail release 8 postoffice (and link to smtp) on an
NT3.51 machine, I noticed that the nightly reclaim process is scheduled via
the standard NT "at" command which runs %systemroot%\~callmnt.bat.  This
batch file simply runs yet another batch file %systemroot%\~ccmaint.bat.
Why do this?  Because the second batch file is "hidden", but a simple
"attrib" command removes that "protection", and then your master postoffice
password is nicely visible.

But you might ask, what are the NT security permissions on these batch
files?  Simply "everyone full control".  Oh well, at least I don't need to
worry about forgetting that password.

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]