Re: DHL connect software

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2007-03-27 Murda Mcloud wrote:
> Has anyone had to install this software for their mailroom department?
> DHL Connect-it allows staff to do their consignments up etc before
> sending the packages through DHL.
>
> I have found out that it uses 443 and 80 for the connection to DHL and
> for updates it requires 20/21 (all outbound).

You mean the software is initiating outbound connections to the remote
ports 20/tcp, 21/tcp, 80/tcp, and 443/tcp? These are probably:

 20/tcp -> FTP (active mode, data channel)
 21/tcp -> FTP (active mode, command channel)
 80/tcp -> HTTP
443/tcp -> HTTPS

However, if it really uses active FTP, the data channel should be
established inbound, with 20/tcp being the remote source port.

> It also seems to require admin privs on the local box-and needs shared
> drives if others on the LAN are to print reports from the dbase that
> gets created on the workstation.
>
> I am going to run filemon/regmon to see what kind of things it does in
> terms of files and keys. Does anyone else have suggestions for what
> other info to gather to test its 'secureness'?

If you're running XP or Server 2003 you could try LUABugLight [1] in
addition to Regmon/Filemon. Also, as has already been suggested, inspect
the network traffic with a sniffer (e.g. Wireshark [2]). In case the
traffic going to port 443/tcp is really HTTPS (i.e. SSL-encrypted) you
could give Paros Proxy [3] a try.

[1] http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx
[2] http://www.wireshark.org/
[3] http://www.parosproxy.org/

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq