[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Problems in WinRoute Pro v4.1

Title: Problems in WinRoute Pro v4.1
Released by: Petter Miller
Date: 2nd January 2001
Printable version: Click here
Message Type: Security Advisory

Risk: Medium

Software: WinRoute Pro v4.1 all current builds

Platform: Windows

Systems Affected:

All people using the WinRoute Pro v4.1 mail server in a Windows NT or

Windows 2000 environment.

Type of problem: Default options are insecure.


When using the User Accounts option in WrAdmin you can import users from an

NT domain. You can also add users manually. In both cases the "Use Windows

NT logon authentication" option is enabled by default. This means that by

default users need to use their Windows logon credentials to access their

POP3 mailboxes on the WinRoute mail server.

The problem is that the current version of the WinRoute mail server does not

support any form of secure logon authentication. This means that user's

Windows logon credentials are being sent to the mail server in plain text.

Anyone placing a packet sniffer on the network could totally compromise

domain and/or firewall security by capturing traffic destined to the mail

server and extracting user logon names and passwords. The problem is even

worse if the company is allowing roaming users to access their POP3

mailboxes from the Internet.


Tiny Software has reported that WinRoute Pro v5.0 will support secure

password authentication using APOP and NTLM. Unfortunately they do not

intend including SSL support. Expected release is in June 2001.

Work arounds:

1. Disable the "Use Windows NT logon authentication" option for all users

and enforce the use of different passwords for mailboxes and domain

authentication. Make sure that WinRoute administrators do not use mailboxes

with the same user name and password as the account they use for

administering WinRoute or your firewall administration could be compromised.

2. Use an SSH tunnel to encrypt all traffic between users and the mail

server. Set up firewall rules to prevent direct traffic to port 110 on the

mail server. It should be possible to implement this solution using free

software but setup time and maintenance will be high for anything but a

small group of people.

3. Replace the WinRoute mail server with a mail server that has security


Dealing with Tiny Software:

I originally reported this problem to Tiny Software on 2000/11/08. I have

asked multiple times that they post a security advisory about the issue on

their web site and they have not done so.

On the whole I have found it extremely frustrating dealing with their

support team. It always takes multiple email messages to convince them of

anything. By now I feel that I should have built up some rapport with Tiny

Software but each new issue I submit goes through the same multiple email

exchange before being taken seriously. Multiple builds of the software are

released without any of the issues I report being publicly addressed or

corrected. It would seem that they promote the security through denial and

obscurity approach.

I personally think that WinRoute is a great product for its price but Tiny

Software customer relations are lacking.




Do You Yahoo!?

Get your free @yahoo.com address at http://mail.yahoo.com

(C) 1999-2000 All rights reserved.