OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427)
From: Astral (astral403-SECURITY.ORG)
Date: Thu Apr 27 2000 - 10:56:50 CDT

I only submited "cart32.exe" into Altavista and it found about 500
vulnerable sites. From about 500 vulnerable sites it is possible to obtain
credit card numbers from at least 200 of them.
it looks like this backdoor was giving anaugh money for Cart32 company if
they used it for this purpose... ;)

- Astral
http://www.403-security.org
----- Original Message -----
From: "Cerberus Security Team" <CSTCERBERUS-INFOSEC.CO.UK>
To: <win2ksecadviceLISTSERV.NTSECURITY.NET>
Sent: Thursday, April 27, 2000 5:42 AM
Subject: Alert: Cart32 secret password backdoor (CISADV000427)

> Cerberus Information Security Advisory (CISADV000427)
> http://www.cerberus-infosec.co.uk/advisories.shtml
>
> Released : 27th April 2000
> Name : Cart32 secret password backdoor
> Affected Systems : Any Win32 based web server using Cart32
> versions 3.0 (most uptodate) and 2.6 are
> affected.
> Issue : Attackers can run arbitary commands on the web
> server
> and/or gain access to credit card
information.
> Authors : David Litchfield (mnemonixglobalnet.co.uk) and
> Mark Litchfield (xor-systdevilnet.co.uk)
>
> Description
> ***********
> The Cerberus Security Team has discovered a serious security hole in
> McMurtrey/Whitaker & Associates, Inc's Win32 e-Commerce shopping cart,
> namely, Cart32 (http://www.cart32.com/ ) that can only be described as a
> blatant backdoor. Within cart32.exe, the main file that provides the
cart's
> functionality, there is a secret hidden password that can be used to gain
> vital information such as other passwords and using these an attacker can
> modify the shopping cart's properties so that arbitary commands may be run
> on the server as well as gain access to customers' credit card details,
> shipping addresses and other highly sensitive information.
>
> Details
> *******
> Within cart32.exe there is a secret backdoor password of "wemilo" (found
at
> file offset 0x6204h) known internally as the Cart32Password. With
knowledge
> of this password an attacker can go to one of several undocument URLs such
> as http://charon/scripts/cart32.exe/cart32clientlist and obtain a list the
> passwords for each Cart32 client. (A client is essentially a shop site).
> Although these passwords appear to be hashed they can still be used. For
> example they can be embedded in a specially crafted URL that will allow
the
> attacker to prime the server to run an arbitrary command when an order is
> confirmed:
>
>
http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab
> &SaveTab=Cart32%2B&Client=foobar
>
&ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a&Admin=&AdminPassword=&TabT
> oSave=Cart32%2B&PlusTabToSave=
>
Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile
> .txt
>
> This URL will set the cart's properties to spawn a shell, perform a
> directory listing and pipe the output to a file called file.txt on the
root
> of the C: drive when an order is confirmed. After doing this the attacker
> would then create a spurious order and confirm it thus executing the
> command. (Please note that the above URL is pertinent only to an internal
> Cerberus server - password details and client info would need to be
changed
> to reflect the site in question).
>
> Further to this the Cerberus Security Team has found what is, perhaps, a
> second backdoor. By going directly to the following URL
> http://charon/scripts/c32web.exe/ChangeAdminPassword it is possible to
> change the administrative password with out knowledge of the previous one.
>
>
> Solution
> ********
> Cerberus recommends that the following steps be actioned immediately.
> Cerberus has tested this in their labs and the Cart functionality will not
> be broken by following these steps.
>
> 1) Download a Hex Editor such as UltraEdit (http://www.ultraedit.com) and
> edit cart32.exe changing the "wemilo" password to something else. This
will
> address the first issue.
>
> 2) Because c32web.exe is the administration program for Cart32 only site
> administrators will need access to it. Set the NTFS permissions on this
file
> so that only Administrators have access to it. This way anyone attempting
to
> access this file to change the admin password will be prompted for an NT
> account and password. For other "servers" such as Windows 95 and 98
Cerberus
> recommends removing this file.
>
> Cerberus vulnerability scanner, CIS, has been updated to include checks
for
> these issues and is available for free download from their website
> http://www.cerberus-infosec.com/
>
>
> Vendor Status
> *************
> Due to the severity and seriousness of this issue Cerberus, has taken the
> rare step of making this information publicly available before the vendor
> has provided a patch. This is not normally Cerberus policy, however, as we
> have provided fix/workaround information in this advisory we belive we are
> not putting customers at any risk they would not have otherwise been
exposed
> to.
>
> About Cerberus Information Security, Ltd
> ********************************
> Cerberus Information Security, Ltd, a UK company, are specialists in
> penetration testing and other security auditing services. They are the
> developers of CIS (Cerberus' Internet security scanner) available for free
> from their website: http://www.cerberus-infosec.com
>
> To ensure that the Cerberus Security Team remains one of the strongest
> security audit teams available globally they continually research
operating
> system and popular service software vulnerabilites leading to the
discovery
> of "world first" issues. This not only keeps the team sharp but also helps
> the industry and vendors as a whole ultimately protecting the end
consumer.
> As testimony to their ability and expertise one just has to look at
exactly
> how many major vulnerabilities have been discovered by the Cerberus
Security
> Team - over 60 to date, making them a clear leader of companies offering
> such security services.
>
> Founded in late 1999, by Mark and David Litchfield, Cerberus Information
> Security, Ltd are located in London, UK but serves customers across the
> World. For more information about Cerberus Information Security, Ltd
please
> visit their website or call on +44(0) 208 395 4980
>
> Permission is hereby granted to copy or redistribute this advisory but
only
> in its entirety.
>
> Copyright (C) 2000 by Cerberus Information Security, Ltd
>
> _____________________________________________________________________
> ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
> ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
> SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
>

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net