Cerberus Information Security Advisory (CISADV000427) http://www.cerberus-infosec.co.uk/advisories.shtml Released : 27th April 2000 Name : Cart32 secret password Backdoor Affected Systems : Any Win32 based web server using Cart32 Issue : Attackers can run arbitary commands on the web server and/or gain access to credit card information. Authors : David Litchfield (mnemonix@globalnet.co.uk) and Mark Litchfield (xor-syst@devilnet.co.uk) Description *********** The Cerberus Security Team has discovered a serious security hole in McMurtrey/Whitaker & Associates, Inc's Win32 e-Commerce shopping cart, namely, Cart32 (http://www.cart32.com/) that can only be described as a blatant backdoor. Within cart32.exe, the main file that provides the cart's functionality, there is a secret hidden password that can be used to gain vital information such as other passwords and using these an attacker can modify the shopping cart's properties so that arbitary commands may be run on the server as well as gain access to customers' credit card details, shipping addresses and other highly sensitive information. Details ******* Within cart32.exe there is a secret backdoor password of "wemilo" (found at file offset 0x6204h) known internally as the Cart32Password. With knowledge of this password an attacker can go to one of several undocument URLs such as http://charon/scripts/cart32.exe/cart32clientlist and obtain a list the passwords for each Cart32 client. (A client is essentially a shop site). Although these passwords appear to be hashed they can still be used. For example they can be embedded in a specially crafted URL that will allow the attacker to prime the server to run an arbitrary command when an order is confirmed: http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab &SaveTab=Cart32%2B&Client=foobar &ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a&Admin=&AdminPassword=&TabT oSave=Cart32%2B&PlusTabToSave= Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile .txt This URL will set the cart's properties to spawn a shell, perform a directory listing and pipe the output to a file called file.txt on the root of the C: drive when an order is confirmed. After doing this the attacker would then create a spurious order and confirm it thus executing the command. (Please note that the above URL is pertinent only to an internal Cerberus server - password details and client info would need to be changed to reflect the site in question). Further to this the Cerberus Security Team has found what is, perhaps, a second backdoor. By going directly to the following URL http://charon/scripts/c32web.exe/ChangeAdminPassword it is possible to change the administrative password with out knowledge of the previous one. Solution ******** Cerberus recommends that the following steps be actioned immediately. Cerberus has tested this in their labs and the Cart functionality will not be broken by following these steps. 1) Download a Hex Editor such as UltraEdit (http://www.ultraedit.com) and edit cart32.exe changing the "wemilo" password to something else. This will address the first issue. 2) Because c32web.exe is the administration program for Cart32 only site administrators will need access to it. Set the NTFS permissions on this file so that only Administrators have access to it. This way anyone attempting to access this file to change the admin password will be prompted for an NT account and password. For other "servers" such as Windows 95 and 98 Cerberus recommends removing this file. Cerberus vulnerability scanner, CIS, has been updated to include checks for these issues and is available for free download from their website http://www.cerberus-infosec.com/ Vendor Status ************* Due to the severity and seriousness of this issue Cerberus, has taken the rare step of making this information publicly available before the vendor has provided a patch. This is not normally Cerberus policy, however, as we have provided fix/workaround information in this advisory we belive we are not putting customers at any risk they would not have otherwise been exposed to. About Cerberus Information Security, Ltd ******************************** Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website: http://www.cerberus-infosec.com To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilites leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 60 to date, making them a clear leader of companies offering such security services. Founded in late 1999, by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serves customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 208 395 4980 Permission is hereby granted to copy or redistribute this advisory but only in its entirety. Copyright (C) 2000 by Cerberus Information Security, Ltd