Bugtraq mailing list archives
Alert: Cart32 secret password backdoor (CISADV000427)
From: CST () CERBERUS-INFOSEC CO UK (Cerberus Security Team)
Date: Thu, 27 Apr 2000 06:42:28 +0100
Cerberus Information Security Advisory (CISADV000427) http://www.cerberus-infosec.co.uk/advisories.shtml Released: 27th April 2000 Name: Cart32 secret password backdoor Affected Systems : Any Win32 based web server using Cart32 versions 3.0 (most uptodate) and 2.6 are affected. Issue: Attackers can run arbitary commands on the web server and/or gain access to credit card information. Authors: David Litchfield (mnemonix () globalnet co uk) and Mark Litchfield (xor-syst () devilnet co uk) Description *********** The Cerberus Security Team has discovered a serious security hole in McMurtrey/Whitaker & Associates, Inc's Win32 e-Commerce shopping cart, namely, Cart32 (http://www.cart32.com/ ) that can only be described as a blatant backdoor. Within cart32.exe, the main file that provides the cart's functionality, there is a secret hidden password that can be used to gain vital information such as other passwords and using these an attacker can modify the shopping cart's properties so that arbitary commands may be run on the server as well as gain access to customers' credit card details, shipping addresses and other highly sensitive information. Details ******* Within cart32.exe there is a secret backdoor password of "wemilo" (found at file offset 0x6204h) known internally as the Cart32Password. With knowledge of this password an attacker can go to one of several undocument URLs such as http://charon/scripts/cart32.exe/cart32clientlist and obtain a list the passwords for each Cart32 client. (A client is essentially a shop site). Although these passwords appear to be hashed they can still be used. For example they can be embedded in a specially crafted URL that will allow the attacker to prime the server to run an arbitrary command when an order is confirmed: http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab &SaveTab=Cart32%2B&Client=foobar &ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a&Admin=&AdminPassword=&TabT oSave=Cart32%2B&PlusTabToSave= Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile .txt This URL will set the cart's properties to spawn a shell, perform a directory listing and pipe the output to a file called file.txt on the root of the C: drive when an order is confirmed. After doing this the attacker would then create a spurious order and confirm it thus executing the command. (Please note that the above URL is pertinent only to an internal Cerberus server - password details and client info would need to be changed to reflect the site in question). Further to this the Cerberus Security Team has found what is, perhaps, a second backdoor. By going directly to the following URL http://charon/scripts/c32web.exe/ChangeAdminPassword it is possible to change the administrative password with out knowledge of the previous one. Solution ******** Cerberus recommends that the following steps be actioned immediately. Cerberus has tested this in their labs and the Cart functionality will not be broken by following these steps. 1) Download a Hex Editor such as UltraEdit (http://www.ultraedit.com) and edit cart32.exe changing the "wemilo" password to something else. This will address the first issue. 2) Because c32web.exe is the administration program for Cart32 only site administrators will need access to it. Set the NTFS permissions on this file so that only Administrators have access to it. This way anyone attempting to access this file to change the admin password will be prompted for an NT account and password. For other "servers" such as Windows 95 and 98 Cerberus recommends removing this file. Cerberus vulnerability scanner, CIS, has been updated to include checks for these issues and is available for free download from their website http://www.cerberus-infosec.com/ Vendor Status ************* Due to the severity and seriousness of this issue Cerberus, has taken the rare step of making this information publicly available before the vendor has provided a patch. This is not normally Cerberus policy, however, as we have provided fix/workaround information in this advisory we belive we are not putting customers at any risk they would not have otherwise been exposed to. About Cerberus Information Security, Ltd ******************************** Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website: http://www.cerberus-infosec.com To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilites leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 60 to date, making them a clear leader of companies offering such security services. Founded in late 1999, by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serves customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 208 395 4980 Permission is hereby granted to copy or redistribute this advisory but only in its entirety. Copyright (C) 2000 by Cerberus Information Security, Ltd
Current thread:
- Re: Solaris 7 x86 lp exploit, (continued)
- Re: Solaris 7 x86 lp exploit Laurent LEVIER (Apr 24)
- Re: netkill - generic remote DoS attack stanislav shalunov (Apr 24)
- Solaris 7 x86 lpset exploit. Theodor Ragnar Gislason (Apr 24)
- Re: Solaris 7 x86 lpset exploit. Laurent LEVIER (Apr 24)
- Re: Solaris 7 x86 lpset exploit. Theodor Ragnar Gislason (Apr 25)
- Re: Solaris 7 x86 lpset exploit. Andrew Brown (Apr 26)
- Modifying NT credential and RAZOR's analysis of dvwsrr.dll Iván Arce (Apr 26)
- Re: Solaris 7 x86 lpset exploit. Len Rose (Apr 26)
- Re: Solaris 7 x86 lpset exploit. Eugene Ilchenko (Apr 26)
- Cisco HTTP possible bug: Keith Woodworth (Apr 26)
- Alert: Cart32 secret password backdoor (CISADV000427) Cerberus Security Team (Apr 26)
- Re: Alert: Cart32 secret password backdoor (CISADV000427) Bill Borton (Apr 28)
- Re: Alert: Cart32 secret password backdoor (CISADV000427) Knud Erik Højgaard (Mar 30)
- Re: Solaris 7 x86 lpset exploit. Laurent LEVIER (Apr 24)
- Re: Solaris 7 x86 lpset exploit. Jor (Apr 27)
- Re: Solaris 7 x86 lpset exploit. Casper Dik (Apr 28)
- Re: piranha default password/exploit Cristian Gafton (Apr 25)
- Re: piranha default password/exploit CDI (Apr 25)