COMMAND

    SLMail

SYSTEMS AFFECTED

    Win NT with SLMail 3.2 (and 3.1)

PROBLEM

    mnemonix found the following.  This advisory is for those running
    SLMail version 3.2 or 3.1 with the Remote Administration Service
    enabled.  Due to certain shortcomings of this service, any user
    with an account on the NT machine running SLMail can bypass all
    NTFS file system permissions to read any file on the system that
    hasn't already been locked by another process (such as the
    c:\winnt\system32\config\sam file).  Added to this, the file can
    then be read by anyone on the Internet.

    The Remote Administration Service in SLMail allows changes to mail
    services to be performed using the HTTP protocol over TCP port
    180 by default.  NTLM authentication can be enabled so that only
    users with an account and corresponding password may access this
    service.  Once authenticated, however, they do not need to be an
    Administrator to make changes to the mail services and user
    account information.  This happens because the service does not
    impersonate the logged on user and every change made is performed
    under the SYSTEM account.  Once authenticated they can then set a
    user's Finger File (Plan, for the UNIX people) to any arbitrary
    file on the system.  They must know the path to the file they wish
    to access.  Once these changes have been set they can then
    "finger" the user and the file's contents are returned.  This
    works because the finger service, which is controlled by the
    slmail.exe process, is running as SYSTEM, which has full control
    of all files on the machine by default.  Needless to say, if the
    machine is accessible via the finger port (TCP port 79) from the
    Internet then anybody will be able to read this file.  (In some
    cases where there are non-standard alpha-numerics in the file or
    0x00 values or similar, the returned data will be truncated.)  If
    the Finger service, which is controlled by the slmail.exe process,
    has been disabled by the administrator, it can be re-enabled from
    the Remote Administration web pages.  Added to this problem, many
    variations of denial of service attacks can be launched, such as
    changing passwords, stopping services, overwriting files, etc.
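    The design flaw above, modelled as an added example (this is not SLMail code):
    a finger service whose per-user "Finger File" pointer is set through the
    administration interface.  The unsafe setter accepts any path and finger()
    reads it with the service's own privileges, reproducing the leak; the hardened
    setter confines the pointer to the user's own mailbox directory, which is a
    portable stand-in for the NT impersonation fix the vendor describes.  The
    class name, mailbox layout and sample files are assumptions constructed here.

```python
import os
import tempfile


class FingerService:
    def __init__(self, mail_root):
        self.mail_root = os.path.realpath(mail_root)
        self.finger_file = {}  # user -> path set through the remote admin pages

    def set_finger_file_unsafe(self, user, path):
        # Vulnerable: any path is accepted, and finger() later reads it as the
        # service account, so file permissions never come into play.
        self.finger_file[user] = path

    def set_finger_file(self, user, path):
        # Hardened: the finger file must resolve inside the user's own mailbox
        # directory; realpath() collapses ".." and symlink tricks first.
        home = os.path.join(self.mail_root, user)
        resolved = os.path.realpath(os.path.join(home, path))
        if os.path.commonpath([home, resolved]) != home:
            raise PermissionError("finger file must live under " + home)
        self.finger_file[user] = resolved

    def finger(self, user):
        path = self.finger_file.get(user)
        if path is None:
            return ""
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()


def demo():
    # Constructed tree: a mailbox for "alice" plus a file she should not reach.
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "mail", "alice"))
        with open(os.path.join(tmp, "mail", "alice", "plan.txt"), "w") as fh:
            fh.write("alice's plan")
        secret = os.path.join(tmp, "secret.txt")  # stands in for a protected file
        with open(secret, "w") as fh:
            fh.write("SECRET")
        svc = FingerService(os.path.join(tmp, "mail"))
        svc.set_finger_file_unsafe("alice", secret)
        leaked = svc.finger("alice")          # "SECRET": the advisory's bug
        svc.set_finger_file("alice", "plan.txt")
        allowed = svc.finger("alice")         # "alice's plan"
        try:
            svc.set_finger_file("alice", os.path.join("..", "..", "secret.txt"))
            rejected = False
        except PermissionError:
            rejected = True
        return {"leaked": leaked, "allowed": allowed, "rejected": rejected}
```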

SOLUTION

    Because of this, Remote Administration should be DISABLED.  If this
    is not viable then the only way to keep out unauthorized users
    (those with accounts) is to remove the "Access this computer from
    the Network" user right from the "Everybody" group and give this
    privilege to Administrators only.

    This solution has been verified and it solves the problem of
    non-admins being able to logon and change service settings.  It
    works like IIS: Basic Authenticated users are logged on locally
    and NTLM authenticated users are logged on as a network user.
    This solution may however break other network functionality such
    as NetBIOS logons (Domain Authentication) and consequently all
    subsequent NetBIOS network operations like use of file and printer
    shares.

    Also, SLmail 3.2 Build 3113 contains the fix titled
    "Changed/Improved the Web Administration security model".  This
    is phase 1 of their new Web Administration model.  This fix
    specifically changes the logon authentication from 'any allowed NT
    user with directory permissions' to 'only let the following names
    onto SLmail admin' [still validated by NT].  This information is
    stored in HKLM\SOFTWARE\Seattle Lab\SLhttp\LogonName.  (Multiple
    logon IDs may be separated with a semi-colon.)  No passwords are
    stored in this key.  Their next phase (in progress) is to
    impersonate the user during web administration.