CC:Mail password vulnerability
Description: CC:Mail stores cleartext passwords in a "hidden" batch file which is apparently read/writeable by all users on NT (and of course is on W95)
Author: Carl Byington <carl@five-ten-sg.com>
Compromise: Take over a CC:Mail postoffice
Vulnerable Systems: Windoze NT/95 running cc:Mail release 8
Date: 8 September 1997
Date: Mon, 8 Sep 1997 13:17:04 -0500
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Password unsecurity in cc:Mail release 8
Forwarded from RISKS DIGEST 19.37
Date: Fri, 05 Sep 1997 15:51:21 -0700
From: Carl Byington <carl@five-ten-sg.com>
Subject: Password unsecurity in cc:Mail release 8
After installing a cc:Mail release 8 postoffice (and link to smtp) on an
NT3.51 machine, I noticed that the nightly reclaim process is scheduled via
the standard NT "at" command which runs %systemroot%\~callmnt.bat. This
batch file simply runs yet another batch file %systemroot%\~ccmaint.bat.
Why do this? Because the second batch file is "hidden", but a simple
"attrib" command removes that "protection", and then your master postoffice
password is nicely visible.
But you might ask, what are the NT security permissions on these batch
files? Simply "everyone full control". Oh well, at least I don't need to
worry about forgetting that password.
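The two weaknesses the report describes, a Hidden attribute standing in for protection and an ACL of "Everyone full control" on a scheduled batch file, can be audited from an administrator's PowerShell prompt. The following is an added example, not code from the original post or from the cc:Mail product; the search root (%SystemRoot%) and the *.bat filter are assumptions, and it reports the weak files without reading their contents.

```powershell
# Added example (not part of the original report). Lists batch files under
# %SystemRoot% that are either marked Hidden or grant Everyone FullControl,
# the two conditions Byington describes for ~callmnt.bat / ~ccmaint.bat.
# Assumption: the search root and the *.bat filter are chosen for this page.
function Get-WeakBatchFiles {
    param([string]$Root = $env:SystemRoot)

    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

    # -Force is required so that Hidden files are included in the listing.
    Get-ChildItem -LiteralPath $Root -Filter '*.bat' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName

            # Flag any Allow ACE for Everyone (well-known SID S-1-1-0) that
            # contains every FullControl bit.
            $everyoneFull = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match '^(Everyone|S-1-1-0)$' -and
                (($_.FileSystemRights -band $fullControl) -eq $fullControl)
            }

            [pscustomobject]@{
                Path         = $file.FullName
                Hidden       = [bool]($file.Attributes -band [System.IO.FileAttributes]::Hidden)
                EveryoneFull = [bool]$everyoneFull
            }
        } |
        Where-Object { $_.Hidden -or $_.EveryoneFull }
}

Get-WeakBatchFiles | Format-Table -AutoSize
```

A file that shows up here should have its ACL tightened to Administrators and the account the "at" job runs under; the Hidden attribute itself grants no protection, as the report notes.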
This page is part of Fyodor's exploit world.