
CISADV000427.txt
Posted Apr 27, 2000
Authored by David Litchfield | Site cerberus-infosec.co.uk

Cerberus Information Security Advisory CISADV000427 - Cart32 secret password Backdoor. The Cerberus Security Team has discovered a serious security hole in Cart32 (http://www.cart32.com/) that can only be described as a blatant backdoor. Within cart32.exe, the main file that provides the cart's functionality, there is a secret hidden password that can be used to gain vital information such as other passwords; using these, an attacker can modify the shopping cart's properties so that arbitrary commands may be run on the server, as well as gain access to customers' credit card details, shipping addresses and other highly sensitive information.

tags | web
SHA-256 | 98e03c0e0706b6a43501efe12529016b65d8e31ed23baff38c1bc950534d95af

Cerberus Information Security Advisory (CISADV000427)
http://www.cerberus-infosec.co.uk/advisories.shtml

Released         : 27th April 2000
Name             : Cart32 secret password Backdoor
Affected Systems : Any Win32 based web server using Cart32
Issue            : Attackers can run arbitrary commands on the web server
                   and/or gain access to credit card information.
Authors          : David Litchfield (mnemonix@globalnet.co.uk) and
                   Mark Litchfield (xor-syst@devilnet.co.uk)

Description
***********
The Cerberus Security Team has discovered a serious security hole in
McMurtrey/Whitaker & Associates, Inc's Win32 e-Commerce shopping cart,
Cart32 (http://www.cart32.com/), that can only be described as a blatant
backdoor. Within cart32.exe, the main file that provides the cart's
functionality, there is a secret hidden password that can be used to gain
vital information such as other passwords; using these, an attacker can
modify the shopping cart's properties so that arbitrary commands may be run
on the server, as well as gain access to customers' credit card details,
shipping addresses and other highly sensitive information.

Details
*******
Within cart32.exe there is a secret backdoor password of "wemilo" (found at
file offset 0x6204), known internally as the Cart32Password. With knowledge
of this password an attacker can go to one of several undocumented URLs, such
as http://charon/scripts/cart32.exe/cart32clientlist, and obtain a list of the
passwords for each Cart32 client (a client is essentially a shop site).
Although these passwords appear to be hashed they can still be used as they
are. For example, they can be embedded in a specially crafted URL that will
allow the attacker to prime the server to run an arbitrary command when an
order is confirmed:

http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab&SaveTab=Cart32%2B&Client=foobar&ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a&Admin=&AdminPassword=&TabToSave=Cart32%2B&PlusTabToSave=Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile.txt

This URL sets the cart's properties so that, when an order is confirmed, the
server spawns a shell, performs a directory listing and redirects the output
to a file called file.txt in the root of the C: drive. After doing this the
attacker would then create a spurious order and confirm it, thus executing the
command. (Please note that the above URL is pertinent only to an internal
Cerberus server; the password details and client info would need to be changed
to reflect the site in question.)

Further to this the Cerberus Security Team has found what is, perhaps, a
second backdoor. By going directly to the following URL,
http://charon/scripts/c32web.exe/ChangeAdminPassword, it is possible to
change the administrative password without knowledge of the previous one.
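The script below is an added example and is not part of the Cerberus advisory. It decodes the crafted c32web.exe request above to show what the parameters actually carry (the Cart32+ tab being saved with "Run External Program" and a cmd.exe command line), and runs a simple detection pass over IIS-style W3C log lines for the three request shapes described in this section: the cart32clientlist listing, a c32web.exe save with UseCMDLine/CMDLine set, and the ChangeAdminPassword URL. The log lines are constructed for the example, and the column layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is an assumption; adapt the split to the server's actual #Fields line.

```python
"""Decode and detect the Cart32 / c32web.exe requests described in
CISADV000427.  Added example; the sample log below is constructed."""
from urllib.parse import urlsplit, parse_qs

# Undocumented URLs named in the advisory (compared case-insensitively
# against the end of the URI stem, since the script directory varies).
BACKDOOR_PATHS = (
    "cart32.exe/cart32clientlist",      # dumps per-client passwords
    "c32web.exe/changeadminpassword",   # resets the admin password blindly
)

# The advisory's attack URL, joined back onto one line.
ATTACK_URL = (
    "http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab"
    "&SaveTab=Cart32%2B&Client=foobar&ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a"
    "&Admin=&AdminPassword=&TabToSave=Cart32%2B&PlusTabToSave=Run+External+Program"
    "&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile.txt"
)


def query_fields(query: str) -> dict:
    """Decode a query string into single-valued fields ('+' -> space,
    %xx -> character).  Blank values such as Admin= are kept."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def decode_cart32_request(url: str) -> dict:
    """Split a c32web.exe URL into its path and decoded form fields."""
    parts = urlsplit(url)
    return {"path": parts.path, "fields": query_fields(parts.query)}


def classify(stem: str, query: str):
    """Return a reason string if the request matches one of the advisory's
    attack shapes, otherwise None."""
    s = stem.lower()
    for p in BACKDOOR_PATHS:
        if s.endswith(p):
            return "undocumented Cart32 URL " + p
    if s.endswith("c32web.exe"):
        f = {k.lower(): v for k, v in query_fields(query).items()}
        # Saving the Cart32+ tab with an external command is the RCE primitive.
        if f.get("usecmdline", "").lower() == "yes" or "cmdline" in f:
            return "Cart32+ tab armed with external command: " + f.get("cmdline", "")
    return None


# Constructed IIS W3C-style lines (assumed field order, see #Fields).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-04-27 09:12:03 10.1.2.3 GET /scripts/cart32.exe/foobar - 200
2000-04-27 09:12:40 10.1.2.3 GET /scripts/cart32.exe/cart32clientlist - 200
2000-04-27 09:13:15 10.1.2.3 GET /scripts/c32web.exe {query} 200
2000-04-27 09:14:02 10.1.2.3 GET /scripts/c32web.exe/ChangeAdminPassword - 200
2000-04-27 09:20:11 10.9.9.9 GET /index.html - 200
""".format(query=urlsplit(ATTACK_URL).query)


def scan_log(text: str) -> list:
    """Return (line_number, client_ip, reason) for each suspicious request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != 7:
            continue                      # directive line or unexpected layout
        _date, _time, ip, _method, stem, query, _status = parts
        reason = classify(stem, "" if query == "-" else query)
        if reason:
            hits.append((n, ip, reason))
    return hits


if __name__ == "__main__":
    req = decode_cart32_request(ATTACK_URL)
    for k, v in req["fields"].items():
        print(f"{k:16s} = {v!r}")
    for n, ip, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip}: {reason}")
```

Decoding shows why the hashed client passwords are still usable: the ClientPassword value goes into the request exactly as listed, so whatever form it is stored in is the form c32web.exe accepts. The detection is deliberately loose on the stem (any path ending in c32web.exe) because the script directory differs between installs.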


Solution
********
Cerberus recommends that the following steps be actioned immediately.
Cerberus has tested this in their labs and the Cart functionality will not
be broken by following these steps.

1) Download a Hex Editor such as UltraEdit (http://www.ultraedit.com) and
edit cart32.exe, overwriting the "wemilo" password with another string of the
same length (overwrite the bytes in place rather than inserting or deleting,
so that nothing else in the executable moves). This will address the first
issue.

2) Because c32web.exe is the administration program for Cart32 only site
administrators will need access to it. Set the NTFS permissions on this file
so that only Administrators have access to it. This way anyone attempting to
access this file to change the admin password will be prompted for an NT
account and password. For other "servers" such as Windows 95 and 98 Cerberus
recommends removing this file.
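Step 1 above is the one most easily got wrong in a hex editor, because inserting or deleting even a single byte shifts everything after it in the executable. The following script is an added example (not Cerberus' code or their CIS tool) that performs step 1 programmatically: it locates every copy of the "wemilo" string rather than trusting the published offset, overwrites each with a random same-length alphanumeric value, and confirms that exactly six bytes changed and the file length is unchanged. The in-memory sample image is constructed for the example; that the password is stored as ASCII, NUL-terminated, at offset 0x6204, is taken from the advisory and assumed for the sample only. Step 2 is an NTFS ACL change on c32web.exe and is not covered by this script.

```python
"""Same-length replacement of the Cart32 backdoor password in cart32.exe.
Added example, not Cerberus' code.  The in-memory sample image below is
constructed; on a real install run it against a backup copy of cart32.exe."""
import secrets
import string
import sys

BACKDOOR = b"wemilo"          # the hard-coded Cart32Password from the advisory
ADVISORY_OFFSET = 0x6204      # offset reported for the build Cerberus examined


def find_all(image: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs.  Search rather than trusting
    ADVISORY_OFFSET: another build may place the string elsewhere or twice."""
    offsets, i = [], image.find(needle)
    while i != -1:
        offsets.append(i)
        i = image.find(needle, i + 1)
    return offsets


def random_replacement(length: int) -> bytes:
    """Printable ASCII letters and digits so the new value stays typeable."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length)).encode("ascii")


def patch_same_length(image: bytes, old: bytes, new: bytes) -> bytes:
    """Overwrite every copy of old with new, in place.  The length check is
    the whole point: inserting or removing bytes would shift every later
    offset in the PE and break the executable."""
    if len(new) != len(old):
        raise ValueError("replacement must be exactly %d bytes" % len(old))
    offsets = find_all(image, old)
    if not offsets:
        raise ValueError("old string not present; already patched or different build?")
    out = bytearray(image)
    for off in offsets:
        out[off:off + len(old)] = new
    return bytes(out)


def changed_bytes(a: bytes, b: bytes) -> int:
    """How many byte positions differ; a sanity check before deploying."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def build_sample_image() -> bytes:
    """Constructed stand-in for cart32.exe: MZ header bytes, zero padding,
    and the password as a NUL-terminated string at the advisory's offset.
    It is not a valid PE, only enough to exercise the patch logic."""
    return b"MZ" + b"\x00" * (ADVISORY_OFFSET - 2) + BACKDOOR + b"\x00" + b"\x00" * 32


if __name__ == "__main__":
    if len(sys.argv) == 3:                     # usage: patch.py in.exe out.exe
        image = open(sys.argv[1], "rb").read()
    else:
        image = build_sample_image()
    print("copies of backdoor password at:", [hex(o) for o in find_all(image, BACKDOOR)])
    new = random_replacement(len(BACKDOOR))
    patched = patch_same_length(image, BACKDOOR, new)
    assert len(patched) == len(image) and not find_all(patched, BACKDOOR)
    print("replaced with %r; %d bytes changed" % (new, changed_bytes(image, patched)))
    if len(sys.argv) == 3:
        open(sys.argv[2], "wb").write(patched)
```

Keep the replacement value out of the deployed server's logs and out of any URL, since it is now a secret with the same power the original had. If the client password list may already have been retrieved before patching, step 2 (restricting c32web.exe) is what closes the path those listed passwords are used against.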

Cerberus' vulnerability scanner, CIS, has been updated to include checks for
these issues and is available for free download from their website
http://www.cerberus-infosec.com/


Vendor Status
*************
Due to the severity and seriousness of this issue Cerberus has taken the
rare step of making this information publicly available before the vendor
has provided a patch. This is not normally Cerberus policy; however, as we
have provided fix/workaround information in this advisory we believe we are
not putting customers at any risk they would not otherwise have been exposed
to.

About Cerberus Information Security, Ltd
****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.com

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilities leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 60 to date, making them a clear leader of companies offering
such security services.

Founded in late 1999 by Mark and David Litchfield, Cerberus Information
Security, Ltd is located in London, UK but serves customers across the
world. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0) 208 395 4980

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd