Subject: WinRoute Pro Mail Server Security Risk
From: Peter Miller (pcmiller61YAHOO.COM)
Date: Tue Jan 02 2001 - 15:00:23 CST
Message Type: Security Advisory
Software: WinRoute Pro v4.1 all current builds
All people using the WinRoute Pro v4.1 mail server in a Windows NT or
Windows 2000 environment.
Type of problem: Default options are insecure.
When using the User Accounts option in WrAdmin you can import users from an
NT domain. You can also add users manually. In both cases the "Use Windows
NT logon authentication" option is enabled by default. This means that by
default users need to use their Windows logon credentials to access their
POP3 mailboxes on the WinRoute mail server.
The problem is that the current version of the WinRoute mail server does not
support any form of secure logon authentication. This means that users'
Windows logon credentials are being sent to the mail server in plain text.
Anyone placing a packet sniffer on the network could totally compromise
domain and/or firewall security by capturing traffic destined to the mail
server and extracting user logon names and passwords. The problem is even
worse if the company is allowing roaming users to access their POP3
mailboxes from the Internet.
Tiny Software has reported that WinRoute Pro v5.0 will support secure
password authentication using APOP and NTLM. Unfortunately they do not
intend to include SSL support. Expected release is in June 2001.
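
The difference between the plain USER/PASS logon described above and the APOP logon promised for v5.0, as an added example that is not part of the original advisory or of WinRoute itself. The function names and both sample sessions are constructed for illustration; the greeting timestamp and shared secret are the ones used in the RFC 1939 APOP example.

```python
import hashlib
import re

def greeting_timestamp(greeting):
    """Return the <...> timestamp an APOP-capable server puts in its banner, else None."""
    m = re.search(r"<[^<>\s]+@[^<>\s]+>", greeting)
    return m.group(0) if m else None

def apop_digest(timestamp, secret):
    """RFC 1939 APOP response: hex MD5 of the banner timestamp followed by the shared secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()

def audit_session(greeting, client_lines):
    """Report how the client authenticated; the secret itself is never echoed back."""
    findings = []
    if greeting_timestamp(greeting) is None:
        findings.append("server banner offers no APOP timestamp")
    for line in client_lines:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "PASS":
            # The argument is the password exactly as typed: with NT logon
            # authentication enabled, this is the Windows domain password.
            findings.append("password sent in clear text (PASS)")
        elif verb == "APOP":
            digest = arg.rpartition(" ")[2]
            if re.fullmatch(r"[0-9a-f]{32}", digest):
                findings.append("digest authentication (APOP)")
            else:
                findings.append("malformed APOP command")
    return findings

# Constructed sample sessions (client side only), not captured traffic.
PLAIN_GREETING = "+OK POP3 server ready"
PLAIN_CLIENT = ["USER jsmith", "PASS example-domain-password", "STAT", "QUIT"]
APOP_GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
APOP_CLIENT = [
    "APOP mrose " + apop_digest(greeting_timestamp(APOP_GREETING), "tanstaaf"),
    "STAT",
    "QUIT",
]

if __name__ == "__main__":
    for name, greeting, client in (("plain", PLAIN_GREETING, PLAIN_CLIENT),
                                   ("apop", APOP_GREETING, APOP_CLIENT)):
        print(name, audit_session(greeting, client))
```

APOP keeps the password itself off the wire, but the mail that follows the logon still crosses the network unencrypted without SSL or a tunnel.
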
1. Disable the "Use Windows NT logon authentication" option for all users
and enforce the use of different passwords for mailboxes and domain
authentication. Make sure that WinRoute administrators do not use mailboxes
with the same user name and password as the account they use for
administering WinRoute or your firewall administration could be compromised.
2. Use an Stunnel or SSH tunnel to encrypt all traffic between users and the
mail server. Set up firewall rules to prevent direct traffic to ports 110 and
25 on the mail server. It should be possible to implement this solution
using free software but setup time and maintenance will be high for anything
but a small group of people.
3. Replace the WinRoute mail server with a mail server that has security
Dealing with Tiny Software:
I originally reported this problem to Tiny Software on 2000/11/08. I have
asked multiple times that they post a security advisory about the issue on
their web site and they have not done so.
On the whole I have found it extremely frustrating dealing with their
support team. It always takes multiple email messages to convince them of
anything. By now I feel that I should have built up some rapport with Tiny
Software but each new issue I submit goes through the same multiple email
exchange before being taken seriously. Multiple builds of the software are
released without any of the issues I report being publicly addressed or
I personally think that WinRoute is a great product for its price but Tiny
Software customer relations are lacking.