Bugtraq mailing list archives

Re: Wemilo

From: daedalus () RIPCO COM (daedalus)
Date: Tue, 2 May 2000 16:55:33 -0500


I have since changed the wemilo password on two installations and
in both cases it did NOT prevent access to the password hashes.

-Bill

At 10:37 PM 4/30/00 -0800, you wrote:

On every Cart32 installation I have looked at, cart32clientlist will accept
any string or nothing at all.
No password is required to view the client list and password hashes.

Does hexing 'wemilo' out of the exe prevent this?

Also, I have seen one site where they edited the HTML of cart32clientlist
like this:
<input type=password name="xxxxxxx">

This is useless and does not prevent anyone from creating a local copy
with a full path to cart32.exe and a valid input field like this:
<input type=password name="Cart32Password">


-Cassius

To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427)

Greetings,

I have a client using cart32 2.6 so I went to the cart32clientlist url
mentioned in the alert and sure enough if dumped the hashed password
list.  I high-tailed it over there and open up the cart32.exe and was

unable

to find the "wemilo" password anywhere.  Now this could be my fault, heck
I haven't touched a hex editor in ages, but still it prompted me to go

back

to the clientlist url and try some random charecters instead of "wemilo".
Well, it happily dumped the client list again.  Just to make sure it wasn't
just me I went out on the web and tried it at several sites running cart32
(2.6 and 3.0) and all but one case it dumped the client list.  The one
that didn't show a list DID show the open database messages so I think
maybe it just wasn't set up.  I may be missing something here but it seems
to me you don't have to even know the "backdoor password" to dump the
client list and hashes.

my 2 cents,
-Bill




IMPORTANT NOTICE:  If you are not using HushMail, this message could have
been read easily by the many people who have access to your open personal
email messages.
Get your FREE, totally secure email address at http://www.hushmail.com.


--
/********************************************************************
   Bill Borton                         Remember:
   Mailto:daedalus () ripco com           Never use a big word where a
   http://pages.ripco.com/~daedalus    diminutive one will suffice.
********************************************************************/

Current thread:

Wemilo cassius () HUSHMAIL COM (Apr 30)
- pam_console bug Michal Zalewski (May 02)
  - Re: pam_console bug Benjamin Smee (May 03)
    - Re: pam_console bug Michal Zalewski (May 04)
- Re: Wemilo daedalus (May 02)
- Possible issue with Cisco on-line help? Fernando Montenegro (May 02)
  - Re: Possible issue with Cisco on-line help? Fernando Montenegro (May 04)
    - Re: Possible issue with Cisco on-line help? Lisa Napier (May 09)
- 4ward:It's a blue world! deepquest () NETSCAPE NET (May 02)
- Denial of service attack against tcpdump bretonh () PARANOIA PGCI CA (May 02)
  - Re: Denial of service attack against tcpdump antirez (May 03)
  - Re: Denial of service attack against tcpdump Sebastian (May 03)
  - Re: Denial of service attack against tcpdump Dragos Ruiu (May 03)
  - Re: Denial of service attack against tcpdump Gerald Combs (May 03)
  - "ILOVEYOU" virus analysis Steve Wolfe (May 04)

(Thread continues...)