Bugtraq mailing list archives
Re: Alert: Cart32 secret password backdoor (CISADV000427) (fwd)
From: dildog () L0PHT COM (Dildog)
Date: Fri, 28 Apr 2000 00:02:56 -0500
That's because the 'wemilo' string is unicode. Try looking for "w\0e\0m\0i\0l\0o\0". Also, there's a version of 'strings' for NT that does both ASCII strings and Unicode strings over at www.sysinternals.com in the 'miscellaneous' section of their NT stuff. -- dil
Date: Fri, 28 Apr 2000 10:30:37 -0500 From: Bill Borton <bborton () CONWIN COM> To: BUGTRAQ () SECURITYFOCUS COM Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427) Greetings, I have a client using cart32 2.6 so I went to the cart32clientlist url mentioned in the alert and sure enough if dumped the hashed password list. I high-tailed it over there and open up the cart32.exe and was unable to find the "wemilo" password anywhere. Now this could be my fault, heck I haven't touched a hex editor in ages, but still it prompted me to go back to the clientlist url and try some random charecters instead of "wemilo". Well, it happily dumped the client list again. Just to make sure it wasn't just me I went out on the web and tried it at several sites running cart32 (2.6 and 3.0) and all but one case it dumped the client list. The one that didn't show a list DID show the open database messages so I think maybe it just wasn't set up. I may be missing something here but it seems to me you don't have to even know the "backdoor password" to dump the client list and hashes. my 2 cents, -Bill
Current thread:
- Re: Alert: Cart32 secret password backdoor (CISADV000427) (fwd) Dildog (Apr 27)