Subject: FW: Support:Car32 Backdoor fix.
From: Steve (steve@SECURESOLUTIONS.ORG)
Date: Mon May 01 2000 - 13:30:34 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----Original Message-----
From: Cart32 Support [mailto:support@cart32.com]
Sent: Monday, May 01, 2000 12:05 PM
To: Steve
Subject: Re: Support: URGENT - BACKDOOR IN YOUR SOFTWARE

We released a fix on Friday night. You can go to http://www.cart32.com for
a link to the information.

Please let me know if you have any other questions.

Bryan Whitaker

At 12:01 PM 4/27/00 +0000, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>I assume you guys have seen this?
>
>Any word on a fix?
>
>Steve Manzuik
>Moderator
>Win2K Security Advice
>
>- --------------------------------------------
>
>
>Cerberus Information Security Advisory (CISADV000427)
>http://www.cerberus-infosec.co.uk/advisories.shtml
>
>Released         : 27th April 2000
>Name             : Cart32 secret password backdoor
>Affected Systems : Any Win32 based web server using Cart32 versions 3.0
>                   (most up-to-date) and 2.6 are affected.
>Issue            : Attackers can run arbitrary commands on the web server
>                   and/or gain access to credit card information.
>Authors          : David Litchfield (mnemonixglobalnet.co.uk) and
>                   Mark Litchfield (xor-systdevilnet.co.uk)
>
>Description
>***********
>The Cerberus Security Team has discovered a serious security hole in
>McMurtrey/Whitaker & Associates, Inc's Win32 e-Commerce shopping cart,
>namely, Cart32 (http://www.cart32.com/ ) that can only be described as a
>blatant backdoor. Within cart32.exe, the main file that provides the cart's
>functionality, there is a secret hidden password that can be used to gain
>vital information such as other passwords and using these an attacker can
>modify the shopping cart's properties so that arbitrary commands may be run
>on the server as well as gain access to customers' credit card details,
>shipping addresses and other highly sensitive information.
>
>Details
>*******
>Within cart32.exe there is a secret backdoor password of "wemilo" (found at
>file offset 0x6204h) known internally as the Cart32Password. With knowledge
>of this password an attacker can go to one of several undocumented URLs such
>as http://charon/scripts/cart32.exe/cart32clientlist and obtain a list of the
>passwords for each Cart32 client. (A client is essentially a shop site).
>Although these passwords appear to be hashed they can still be used. For
>example they can be embedded in a specially crafted URL that will allow the
>attacker to prime the server to run an arbitrary command when an order is
>confirmed:
>
>http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab&SaveTab=Cart32%2B&Client=foobar&ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a&Admin=&AdminPassword=&TabToSave=Cart32%2B&PlusTabToSave=Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile.txt
>
>This URL will set the cart's properties to spawn a shell, perform a
>directory listing and pipe the output to a file called file.txt on the root
>of the C: drive when an order is confirmed. After doing this the attacker
>would then create a spurious order and confirm it thus executing the
>command. (Please note that the above URL is pertinent only to an internal
>Cerberus server - password details and client info would need to be changed
>to reflect the site in question).
>
>Further to this the Cerberus Security Team has found what is, perhaps, a
>second backdoor. By going directly to the following URL
>http://charon/scripts/c32web.exe/ChangeAdminPassword it is possible to
>change the administrative password without knowledge of the previous one.
>
>
>Solution
>********
>Cerberus recommends that the following steps be actioned immediately.
>Cerberus has tested this in their labs and the Cart functionality will not
>be broken by following these steps.
>
>1) Download a Hex Editor such as UltraEdit (http://www.ultraedit.com) and
>edit cart32.exe changing the "wemilo" password to something else. This will
>address the first issue.
>
>2) Because c32web.exe is the administration program for Cart32 only site
>administrators will need access to it. Set the NTFS permissions on this file
>so that only Administrators have access to it. This way anyone attempting to
>access this file to change the admin password will be prompted for an NT
>account and password. For other "servers" such as Windows 95 and 98 Cerberus
>recommends removing this file.
>
>Cerberus vulnerability scanner, CIS, has been updated to include checks for
>these issues and is available for free download from their website
>http://www.cerberus-infosec.com/
>
>
>Vendor Status
>*************
>Due to the severity and seriousness of this issue Cerberus has taken the
>rare step of making this information publicly available before the vendor
>has provided a patch. This is not normally Cerberus policy, however, as we
>have provided fix/workaround information in this advisory we believe we are
>not putting customers at any risk they would not have otherwise been exposed
>to.
>
>About Cerberus Information Security, Ltd
>********************************
>Cerberus Information Security, Ltd, a UK company, are specialists in
>penetration testing and other security auditing services. They are the
>developers of CIS (Cerberus' Internet security scanner) available for free
>from their website: http://www.cerberus-infosec.com
>
>To ensure that the Cerberus Security Team remains one of the strongest
>security audit teams available globally they continually research operating
>system and popular service software vulnerabilities leading to the discovery
>of "world first" issues. This not only keeps the team sharp but also helps
>the industry and vendors as a whole ultimately protecting the end consumer.
>As testimony to their ability and expertise one just has to look at exactly
>how many major vulnerabilities have been discovered by the Cerberus Security
>Team - over 60 to date, making them a clear leader of companies offering
>such security services.
>
>Founded in late 1999, by Mark and David Litchfield, Cerberus Information
>Security, Ltd are located in London, UK but serves customers across the
>World. For more information about Cerberus Information Security, Ltd please
>visit their website or call on +44(0) 208 395 4980
>
>Permission is hereby granted to copy or redistribute this advisory but only
>in its entirety.
>
>Copyright (C) 2000 by Cerberus Information Security, Ltd
>

- --------------------------------
Cart32 Support
mailto:support@cart32.com

You can now order Premium Support for only $49.95 and get a guaranteed
response within an hour during business hours. Go to
http://www.cart32.com/support.asp for more info.

Cart32 Web Site: http://www.cart32.com

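A defender-side check for the two issues the advisory describes, added here as an example (not code from Cerberus, Cart32 or anyone in the thread): it scans a cart32.exe image for the hard-coded "wemilo" string to tell whether step 1 of the workaround has been applied, and flags web-server log requests to the cart32clientlist, ChangeAdminPassword and c32web.exe CMDLine URLs the advisory names. The binary image, the W3C-style log field order and the log lines are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
BACKDOOR_PASSWORD = b"wemilo"   # hard-coded password named in the advisory
ADVISORY_OFFSET = 0x6204        # file offset the advisory gives for it

def find_backdoor_password(image: bytes) -> List[int]:
    """Offsets where the backdoor string occurs in a cart32.exe image. The whole
    file is searched, not only 0x6204; an empty list means it has been changed."""
    hits, start = [], 0
    while (i := image.find(BACKDOOR_PASSWORD, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits

# Request patterns taken from the advisory: the undocumented client-list URL,
# the unauthenticated admin-password URL, and c32web.exe setting CMDLine.
SUSPICIOUS = [
    ("client list page", re.compile(r"cart32\.exe/cart32clientlist", re.I)),
    ("admin password change", re.compile(r"c32web\.exe/ChangeAdminPassword", re.I)),
    ("external command via c32web", re.compile(r"c32web\.exe\?.*CMDLine=", re.I)),
]

def classify_request(url: str) -> Optional[str]:
    """Return the advisory label a request URL matches, or None."""
    for label, rx in SUSPICIOUS:
        if rx.search(url):
            return label
    return None

def scan_log(text: str) -> List[Tuple[str, str]]:
    """(client IP, label) per matching line; assumed W3C field order:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        ip, stem, query = parts[2], parts[4], parts[5]
        label = classify_request(stem if query == "-" else f"{stem}?{query}")
        if label:
            findings.append((ip, label))
    return findings

# Constructed sample data: a fake image with the string at the advisory
# offset, and three log lines that each touch one of the advisory's URLs.
SAMPLE_IMAGE = b"\x00" * ADVISORY_OFFSET + BACKDOOR_PASSWORD + b"\x00" * 16
SAMPLE_LOG = """\
2000-04-27 12:01:00 10.0.0.5 GET /scripts/cart32.exe/cart32clientlist - 200
2000-04-27 12:02:10 10.0.0.5 GET /scripts/c32web.exe TabName=Cart32%2B&UseCMDLine=Yes&CMDLine=cmd.exe 200
2000-04-27 12:04:00 10.0.0.5 GET /scripts/c32web.exe/ChangeAdminPassword - 200
"""
```

Run find_backdoor_password over the real binary's bytes after hex-editing it to confirm the string is gone; an ordinary shopping request such as /scripts/cart32.exe/AddItem produces no finding.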