Bugtraq mailing list archives
Major Security Flaw in Cybercash 2.1.2
From: kerri () VFI COM (Kerri Kraft)
Date: Wed, 19 Nov 1997 11:40:24 -0800
Per the comments below on security related to the VeriFone vPOS product, I have provided an explanation to each of the issues (in CAPS). In addition, considering the high interest in security, I would like to recommend familiarizing yourself with the Visa/MasterCard SET 1.0 standard, especially before making further statements with regards to product flaws. The VeriFone Internet Commerce Solution (vWALLET, vPOS, and vGATE) is based on the SET 1.0 standard.

Kerri Kraft
VeriFone Product Line Marketing Manager
This is also an issue with Verifone vPOS, which ships with the Microsoft Site Server, partnered as an evaluation version. Most of these credit card validators have the ability to store items to a logfile, which is often turned on in debugging and testing and never turned off by the administrator... Here are some other interesting things about vPOS and Site Server, for the e-commerce-minded among us:

1. In addition to the debug log mentioned above, the actual Commerce Server store also has the ability to write a very lengthy logfile, called ordinitbf, which can be added into the global.asa of the store, and called using a scriptor component. Again, not very useful unless an administrator turns on logging and never turns it off. Things included in this file include: all shopper info, all address info (billing and shipping), credit card info, including name, exp, and number... you get the idea.
MICROSOFT COMMERCE SERVER IS A PRODUCT DEVELOPED BY MICROSOFT FOR MERCHANTS WISHING TO ESTABLISH A WEB-BASED STOREFRONT. THE FILE 'ORDINITBF' IS A MICROSOFT FILE AND IS NOT RELATED TO THE FUNCTIONALITY OF THE VERIFONE VPOS PRODUCT. VPOS HAS NO INTERACTION WITH THE 'ORDINITBF' FILE.
2. the vPOS service cannot be started automatically. The encryption string MUST be typed in at start-up. This sequence cannot be automated. Therefore, if a server using vPOS is somehow compromised in the middle of the night, and no administrator is there to restart the service, all transactions will fail until the next time the administrator restarts the service.
REGARDING THE VPOS ENGINE SERVICE, THE SET 1.0 VERSION OF VPOS ENGINE SERVICE CAN BE STARTED AUTOMATICALLY. HOWEVER, THE ENCRYPTION STRING MUST BE PROVIDED. IF THE SERVER USING VPOS IS SOMEHOW COMPROMISED, WHY WOULD YOU WANT TO RESTART THE ENGINE SERVICE AUTOMATICALLY? WOULDN'T YOU WANT THE SYSTEM ADMINISTRATOR TO FIRST VERIFY THAT THE SECURITY BREACH DID NOT AFFECT ALL ASPECTS OF THE NT ENVIRONMENT INCLUDING THE MERCHANT STOREFRONT, NETWORKING, USERS/PASSWORDS, DATABASES, ETC. BEFORE YOU STARTED YOUR STOREFRONT SYSTEM UP AUTOMATICALLY? THEY MIGHT HAVE TAMPERED WITH YOUR STORE PRODUCT DATABASE.
3. In order for vPOS to work with Microsoft Site Server (Commerce Server 2.0), the Commerce Server version 1.0 component wrapper must be used. In order to trick the v1 component wrapper into thinking that Site Server is really Merchant Server 1.0, A LOT of registry entries must be made. Some of these registry entries include the SQL passwords, the NT administrator login passwords, etc. Fun for the whole family, and everything in plaintext.
THIS IS A MICROSOFT SITE SERVER PRODUCT ISSUE THAT YOU SHOULD ADDRESS WITH MICROSOFT. IT HAS NO RELATION TO THE FUNCTIONALITY OF VPOS.
4. The merchant certificates are stored in the SQL database whose passwords you just typed in plaintext into the registry.
ALL DATA TRANSACTIONS UTILIZING THE SET STANDARD ARE ENCRYPTED. MERCHANT CERTIFICATES ARE STORED BY VPOS USING AN SQL DATABASE. CERTIFICATES THEMSELVES ARE NOT TAMPERABLE SINCE THEY HAVE BEEN DIGITALLY SIGNED BY A CERTIFICATE AUTHORITY. VPOS WILL STORE ANY DATA CONSIDERED SENSITIVE IN AN ENCRYPTED FORM.
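The debug-log exposure raised in point 1 above (card name, expiry and number written to a logfile that nobody turns off) is the kind of thing a merchant can check for directly. The following is an added example, not code from the original post, from VeriFone or from Microsoft: a small scanner that finds card-number-like digit runs in log lines, keeps only those that pass the Luhn check (so order ids and timestamps are not flagged), and masks them to the first six and last four digits. The log lines are constructed for the example; 4111111111111111 and 5500000000000004 are the widely published Visa and MasterCard test numbers, not real accounts. The ordinitbf field names are illustrative assumptions, not the real file format.

```python
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. Luhn filtering does the rest.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of a merchant debug log (field names are assumptions,
# not the real ordinitbf layout). Lines 1 and 3 contain test card numbers;
# line 2 contains a 16-digit order id that must NOT be flagged.
SAMPLE_LOG = [
    "1997-11-19 11:40:24 ordinitbf shopper=jdoe bill_to=123 Main St",
    "1997-11-19 11:40:25 cc_name=John Doe cc_exp=12/99 cc_number=4111111111111111",
    "1997-11-19 11:40:26 order_id=1234567890123456 total=19.95",
    "1997-11-19 11:40:27 cc_number=5500 0000 0000 0004 auth=OK",
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(span: str) -> str:
    return re.sub(r"[ -]", "", span)


def find_pans(line: str) -> List[str]:
    """Return the Luhn-valid card numbers (separators removed) found in a line."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the usual receipt-style mask."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in the line with its masked form.

    Returns the scrubbed line and the number of PANs replaced. Digit runs
    that fail Luhn are left untouched, so order ids and timestamps survive.
    """
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)

    return PAN_RE.sub(repl, line), count


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> masked PANs for every line that leaks a card number."""
    report: Dict[int, List[str]] = {}
    for idx, line in enumerate(lines):
        pans = find_pans(line)
        if pans:
            report[idx] = [mask_pan(p) for p in pans]
    return report


if __name__ == "__main__":
    for idx, masked in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: leaked PAN(s) {masked}")
    for line in SAMPLE_LOG:
        print(scrub_line(line)[0])
```

Luhn filtering removes most false positives but not all: a 13- to 19-digit counter or timestamp has roughly a one-in-ten chance of passing the check, so treat a hit as something to look at rather than proof of leakage, and treat a log that produces many hits as evidence that debug logging should simply be off in production.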