
List:       bugtraq
Subject:    Re: Alert: Cart32 secret password backdoor (CISADV000427)
From:       Bill Borton <bborton () CONWIN ! COM>
Date:       2000-04-28 15:30:37

Greetings,

I have a client using cart32 2.6 so I went to the cart32clientlist url
mentioned in the alert and sure enough it dumped the hashed password
list.  I high-tailed it over there and opened up the cart32.exe and was unable
to find the "wemilo" password anywhere.  Now this could be my fault, heck
I haven't touched a hex editor in ages, but still it prompted me to go back
to the clientlist url and try some random characters instead of "wemilo".
Well, it happily dumped the client list again.  Just to make sure it wasn't
just me I went out on the web and tried it at several sites running cart32
(2.6 and 3.0) and in all but one case it dumped the client list.  The one
that didn't show a list DID show the open database messages so I think
maybe it just wasn't set up.  I may be missing something here but it seems
to me you don't have to even know the "backdoor password" to dump the
client list and hashes.

my 2 cents,
-Bill


At 06:42 AM 4/27/00 +0100, you wrote:
>Cerberus Information Security Advisory (CISADV000427)
>http://www.cerberus-infosec.co.uk/advisories.shtml
>
>Released         : 27th April 2000
>Name             : Cart32 secret password backdoor
>Affected Systems : Any Win32 based web server using Cart32 versions 3.0
>                   (most up to date) and 2.6 are affected.
>Issue            : Attackers can run arbitrary commands on the web server
>                   and/or gain access to credit card information.
>Authors          : David Litchfield (mnemonix@globalnet.co.uk) and
>                   Mark Litchfield (xor-syst@devilnet.co.uk)
>
>Description
>***********
>The Cerberus Security Team has discovered a serious security hole in
>McMurtrey/Whitaker & Associates, Inc's Win32 e-Commerce shopping cart,
>namely, Cart32 (http://www.cart32.com/ ) that can only be described as a
>blatant backdoor. Within cart32.exe, the main file that provides the cart's
>functionality, there is a secret hidden password that can be used to gain
>vital information such as other passwords and using these an attacker can
>modify the shopping cart's properties so that arbitrary commands may be run
>on the server as well as gain access to customers' credit card details,
>shipping addresses and other highly sensitive information.
>
>Details
>*******
>Within cart32.exe there is a secret backdoor password of "wemilo" (found at
>file offset 0x6204h) known internally as the Cart32Password. With knowledge
>of this password an attacker can go to one of several undocumented URLs such
>as http://charon/scripts/cart32.exe/cart32clientlist and obtain a list of the
>passwords for each Cart32 client. (A client is essentially a shop site).
>Although these passwords appear to be hashed they can still be used. For
>example they can be embedded in a specially crafted URL that will allow the
>attacker to prime the server to run an arbitrary command when an order is
>confirmed:
>
>http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab
>&SaveTab=Cart32%2B&Client=foobar
>&ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a&Admin=&AdminPassword=&TabT
>oSave=Cart32%2B&PlusTabToSave=
>Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile
>.txt
>
>This URL will set the cart's properties to spawn a shell, perform a
>directory listing and pipe the output to a file called file.txt on the root
>of the C: drive when an order is confirmed. After doing this the attacker
>would then create a spurious order and confirm it thus executing the
>command. (Please note that the above URL is pertinent only to an internal
>Cerberus server - password details and client info would need to be changed
>to reflect the site in question).
>
>Further to this the Cerberus Security Team has found what is, perhaps, a
>second backdoor. By going directly to the following URL
>http://charon/scripts/c32web.exe/ChangeAdminPassword it is possible to
>change the administrative password without knowledge of the previous one.
>
>
>Solution
>********
>Cerberus recommends that the following steps be actioned immediately.
>Cerberus has tested this in their labs and the Cart functionality will not
>be broken by following these steps.
>
>1) Download a Hex Editor such as UltraEdit (http://www.ultraedit.com) and
>edit cart32.exe changing the "wemilo" password to something else. This will
>address the first issue.
>
>2) Because c32web.exe is the administration program for Cart32 only site
>administrators will need access to it. Set the NTFS permissions on this file
>so that only Administrators have access to it. This way anyone attempting to
>access this file to change the admin password will be prompted for an NT
>account and password. For other "servers" such as Windows 95 and 98 Cerberus
>recommends removing this file.
>
>Cerberus vulnerability scanner, CIS, has been updated to include checks for
>these issues and is available for free download from their website
>http://www.cerberus-infosec.com/
>
>
>Vendor Status
>*************
>Due to the severity and seriousness of this issue Cerberus, has taken the
>rare step of making this information publicly available before the vendor
>has provided a patch. This is not normally Cerberus policy, however, as we
>have provided fix/workaround information in this advisory we believe we are
>not putting customers at any risk they would not have otherwise been exposed
>to.
>
>About Cerberus Information Security, Ltd
>********************************
>Cerberus Information Security, Ltd, a UK company, are specialists in
>penetration testing and other security auditing services. They are the
>developers of CIS (Cerberus' Internet security scanner) available for free
>from their website: http://www.cerberus-infosec.com
>
>To ensure that the Cerberus Security Team remains one of the strongest
>security audit teams available globally they continually research operating
>system and popular service software vulnerabilities leading to the discovery
>of "world first" issues. This not only keeps the team sharp but also helps
>the industry and vendors as a whole ultimately protecting the end consumer.
>As testimony to their ability and expertise one just has to look at exactly
>how many major vulnerabilities have been discovered by the Cerberus Security
>Team - over 60 to date, making them a clear leader of companies offering
>such security services.
>
>Founded in late 1999, by Mark and David Litchfield, Cerberus Information
>Security, Ltd is located in London, UK but serves customers across the
>World. For more information about Cerberus Information Security, Ltd please
>visit their website or call on +44(0) 208 395 4980
>
>Permission is hereby granted to copy or redistribute this advisory but only
>in its entirety.
>
>Copyright (C) 2000 by Cerberus Information Security, Ltd
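For an administrator who cannot apply the hex edit or the NTFS change yet, reviewing the web server logs for the URLs the advisory names is the other half of the workaround, and Bill's observation means any hit on the cart32clientlist sub-URL is worth flagging, password or not. The following is an added example, not part of the advisory or of Bill's message: it scans constructed IIS-style W3C log lines for the undocumented endpoints and for the c32web.exe "Run External Program" parameters; the log field layout and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the advisory: the cart32.exe sub-URL that dumps client
# password hashes, the c32web.exe URL that resets the admin password, and the
# c32web.exe parameters that prime an external command. Matched on the
# URL-decoded path plus query string, so "+" and %xx encodings are normalised.
PATTERNS = {
    "clientlist-dump": re.compile(r"cart32\.exe/cart32clientlist", re.I),
    "admin-pw-reset": re.compile(r"c32web\.exe/ChangeAdminPassword", re.I),
    "run-external-prog": re.compile(r"c32web\.exe.*(CMDLine=|Run External Program)", re.I),
}

def parse_w3c_line(line):
    """Assumed fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 7:
        return None
    _date, _time, client, method, stem, query, status = parts[:7]
    return {"client": client, "method": method, "stem": stem, "query": query, "status": status}

def classify_request(stem, query):
    """Return the names of every Cart32 indicator matched by one request."""
    url = unquote_plus(stem)
    if query != "-":
        url += "?" + unquote_plus(query)
    return [name for name, pat in PATTERNS.items() if pat.search(url)]

def scan_log(lines):
    hits = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        names = classify_request(rec["stem"], rec["query"])
        if names:
            hits.append((rec["client"], rec["stem"], names))
    return hits

# Constructed sample lines; the query values mirror the URL shapes in the advisory.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-28 09:00:01 10.0.0.5 GET /scripts/cart32.exe/cart32clientlist - 200
2000-04-28 09:00:09 10.0.0.5 GET /scripts/c32web.exe TabName=Cart32%2B&Action=Save+Cart32%2B+Tab&PlusTabToSave=Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir 200
2000-04-28 09:01:30 10.0.0.7 GET /scripts/c32web.exe/ChangeAdminPassword - 200
2000-04-28 09:02:00 10.0.0.9 GET /scripts/cart32.exe/foobar-shop - 200
""".splitlines()

if __name__ == "__main__":
    for client, stem, names in scan_log(SAMPLE_LOG):
        print(f"{client} {stem} -> {', '.join(names)}")
```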

