
List:       bugtraq
Subject:    Re: Alert: Cart32 secret password backdoor (CISADV000427)
From:       Knud Erik Højgaard <kain () EGOTRIP ! DK>
Date:       2000-03-31 6:32:34

Confirmed. (uuh..that no pass is needed..discovered by mistake..forgotten
by stupidity...)

Windows 4.10.1998 (no patches installed - I like to see what might happen
to me. People deserve a fair chance at crashing me - except that lame file
sent the other day smacking Eudora. Wish I would be able to see the
sender..someone wanna show me? I'm in the mood for retaliation..)..

Internet Explorer 4.0 version 4.72.3110 cipher strength 40 bit - update
versions; sp1

Yup, I know this is obsolete since it's a bug on the server side, but I'm drunk
& bored..and..who knows? Might not work for someone...


At 10:30 28-04-00 -0500, you wrote:
>Greetings,
>
>I have a client using cart32 2.6 so I went to the cart32clientlist url
>mentioned in the alert and sure enough it dumped the hashed password
>list.  I high-tailed it over there and opened up the cart32.exe and was unable
>to find the "wemilo" password anywhere.  Now this could be my fault, heck
>I haven't touched a hex editor in ages, but still it prompted me to go back
>to the clientlist url and try some random characters instead of "wemilo".
>Well, it happily dumped the client list again.  Just to make sure it wasn't
>just me I went out on the web and tried it at several sites running cart32
>(2.6 and 3.0) and in all but one case it dumped the client list.  The one
>that didn't show a list DID show the open database messages so I think
>maybe it just wasn't set up.  I may be missing something here but it seems
>to me you don't have to even know the "backdoor password" to dump the
>client list and hashes.
>
>my 2 cents,
>-Bill
>
>
>At 06:42 AM 4/27/00 +0100, you wrote:
>>Cerberus Information Security Advisory (CISADV000427)
>>http://www.cerberus-infosec.co.uk/advisories.shtml
>>
>>Released         : 27th April 2000
>>Name             : Cart32 secret password backdoor
>>Affected Systems : Any Win32 based web server using Cart32
>>                   versions 3.0 (most up to date) and 2.6 are
>>                   affected.
>>Issue            : Attackers can run arbitrary commands on the web
>>                   server and/or gain access to credit card
>>                   information.
>>Authors          : David Litchfield (mnemonix@globalnet.co.uk) and
>>                   Mark Litchfield (xor-syst@devilnet.co.uk)
>>
>>Description
>>***********
>>The Cerberus Security Team has discovered a serious security hole in
>>McMurtrey/Whitaker & Associates, Inc's Win32 e-Commerce shopping cart,
>>namely, Cart32 (http://www.cart32.com/ ) that can only be described as a
>>blatant backdoor. Within cart32.exe, the main file that provides the cart's
>>functionality, there is a secret hidden password that can be used to gain
>>vital information such as other passwords and using these an attacker can
>>modify the shopping cart's properties so that arbitrary commands may be run
>>on the server as well as gain access to customers' credit card details,
>>shipping addresses and other highly sensitive information.
>>
>>Details
>>*******
>>Within cart32.exe there is a secret backdoor password of "wemilo" (found at
>>file offset 0x6204h) known internally as the Cart32Password. With knowledge
>>of this password an attacker can go to one of several undocumented URLs such
>>as http://charon/scripts/cart32.exe/cart32clientlist and obtain a list of the
>>passwords for each Cart32 client. (A client is essentially a shop site).
>>Although these passwords appear to be hashed they can still be used. For
>>example they can be embedded in a specially crafted URL that will allow the
>>attacker to prime the server to run an arbitrary command when an order is
>>confirmed:
>>
>>http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab
>>&SaveTab=Cart32%2B&Client=foobar
>>&ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a&Admin=&AdminPassword=&TabT
>>oSave=Cart32%2B&PlusTabToSave=
>>Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile
>>.txt
>>
>>This URL will set the cart's properties to spawn a shell, perform a
>>directory listing and pipe the output to a file called file.txt on the root
>>of the C: drive when an order is confirmed. After doing this the attacker
>>would then create a spurious order and confirm it thus executing the
>>command. (Please note that the above URL is pertinent only to an internal
>>Cerberus server - password details and client info would need to be changed
>>to reflect the site in question).
>>
>>Further to this the Cerberus Security Team has found what is, perhaps, a
>>second backdoor. By going directly to the following URL
>>http://charon/scripts/c32web.exe/ChangeAdminPassword it is possible to
>>change the administrative password without knowledge of the previous one.
>>
>>
>>Solution
>>********
>>Cerberus recommends that the following steps be actioned immediately.
>>Cerberus has tested this in their labs and the Cart functionality will not
>>be broken by following these steps.
>>
>>1) Download a Hex Editor such as UltraEdit (http://www.ultraedit.com) and
>>edit cart32.exe changing the "wemilo" password to something else. This will
>>address the first issue.
>>
>>2) Because c32web.exe is the administration program for Cart32 only site
>>administrators will need access to it. Set the NTFS permissions on this file
>>so that only Administrators have access to it. This way anyone attempting to
>>access this file to change the admin password will be prompted for an NT
>>account and password. For other "servers" such as Windows 95 and 98 Cerberus
>>recommends removing this file.
>>
>>Cerberus vulnerability scanner, CIS, has been updated to include checks for
>>these issues and is available for free download from their website
>>http://www.cerberus-infosec.com/
>>
>>
>>Vendor Status
>>*************
>>Due to the severity and seriousness of this issue Cerberus has taken the
>>rare step of making this information publicly available before the vendor
>>has provided a patch. This is not normally Cerberus policy, however, as we
>>have provided fix/workaround information in this advisory we believe we are
>>not putting customers at any risk they would not have otherwise been exposed
>>to.
>>
>>About Cerberus Information Security, Ltd
>>********************************
>>Cerberus Information Security, Ltd, a UK company, are specialists in
>>penetration testing and other security auditing services. They are the
>>developers of CIS (Cerberus' Internet security scanner) available for free
>>from their website: http://www.cerberus-infosec.com
>>
>>To ensure that the Cerberus Security Team remains one of the strongest
>>security audit teams available globally they continually research operating
>>system and popular service software vulnerabilities leading to the discovery
>>of "world first" issues. This not only keeps the team sharp but also helps
>>the industry and vendors as a whole, ultimately protecting the end consumer.
>>As testimony to their ability and expertise one just has to look at exactly
>>how many major vulnerabilities have been discovered by the Cerberus Security
>>Team - over 60 to date, making them a clear leader of companies offering
>>such security services.
>>
>>Founded in late 1999, by Mark and David Litchfield, Cerberus Information
>>Security, Ltd is located in London, UK but serves customers across the
>>World. For more information about Cerberus Information Security, Ltd please
>>visit their website or call on +44(0) 208 395 4980
>>
>>Permission is hereby granted to copy or redistribute this advisory but only
>>in its entirety.
>>
>>Copyright (C) 2000 by Cerberus Information Security, Ltd
>

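As an added example (not part of this thread or the Cerberus advisory), a Python scan over constructed IIS-style log lines that flags requests to the undocumented URLs the advisory names: cart32clientlist, c32web.exe/ChangeAdminPassword, and c32web.exe saves that set an external command line. The log field layout and the sample entries are assumptions; Bill's reply above is why any hit on cart32clientlist counts as a finding whether or not a password was supplied.

```python
import re
from urllib.parse import parse_qs, unquote

# Endpoints and parameters named in the advisory (compared case-insensitively).
CLIENT_LIST_PATH = "/cart32.exe/cart32clientlist"
CHANGE_ADMIN_PATH = "/c32web.exe/changeadminpassword"
ADMIN_PROGRAM = "/c32web.exe"
CMD_PARAMS = {"usecmdline", "cmdline"}

# Constructed sample log (assumed IIS W3C-style fields):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2000-04-28 10:31:02 192.0.2.10 GET /scripts/cart32.exe/cart32clientlist - 200
2000-04-28 10:31:40 192.0.2.10 GET /scripts/c32web.exe TabName=Cart32%2B&Action=Save+Cart32%2B+Tab&Client=foobar&PlusTabToSave=Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir 200
2000-04-28 10:32:15 192.0.2.10 GET /scripts/c32web.exe/ChangeAdminPassword - 200
2000-04-28 10:33:00 198.51.100.7 GET /scripts/cart32.exe/shop1-buy ItemId=42 200
2000-04-28 10:33:30 198.51.100.7 POST /scripts/c32web.exe TabName=Shipping&Action=Save+Shipping+Tab 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify(uri_stem, uri_query):
    """Return a short reason if the request touches a risky Cart32 URL, else None."""
    stem = unquote(uri_stem).lower()
    if stem.endswith(CLIENT_LIST_PATH):
        return "client list dump (password list exposed; no backdoor password needed)"
    if stem.endswith(CHANGE_ADMIN_PATH):
        return "admin password change without the old password"
    if stem.endswith(ADMIN_PROGRAM) and uri_query != "-":
        # parse_qs decodes '+' and %XX, so the command appears as it would run.
        params = {k.lower(): v for k, v in parse_qs(uri_query, keep_blank_values=True).items()}
        if CMD_PARAMS.intersection(params):
            return "cart property save sets external command: " + params.get("cmdline", [""])[0]
        if "run external program" in [v.lower() for v in params.get("plustabtosave", [])]:
            return "cart property save enables the external program tab"
    return None

def scan_log(text):
    """Parse each log line and return (client_ip, uri_stem, reason) for suspicious requests."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or header lines
        _ts, ip, _method, stem, query, _status = m.groups()
        reason = classify(stem, query)
        if reason:
            findings.append((ip, stem, reason))
    return findings
```

Run `scan_log` over a real cs-uri-stem/cs-uri-query export after adjusting `LINE_RE` to the server's field order; the sample above yields three findings, all from 192.0.2.10.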
