Bugtraq mailing list archives

Major Security Flaw in Cybercash 2.1.2


From: kerri () VFI COM (Kerri Kraft)
Date: Wed, 19 Nov 1997 11:40:24 -0800


Per the comments below on security related to the VeriFone vPOS product,
I have provided an explanation to each of the issues (in CAPS).  In
addition, considering the high interest in security, I would like to
recommend familiarizing yourself with the Visa/MasterCard SET 1.0
standard, especially before making further statements with regards to
product flaws.  The VeriFone Internet Commerce Solution (vWALLET, vPOS,
and vGATE) is based on the SET 1.0 standard.

Kerri Kraft
VeriFone Product Line Marketing Manager

This is also an issue with Verifone vPOS, which ships with the Microsoft
Site Server, partnered as an evaluation version.

Most of these credit card validators have the ability to store items to
a logfile, which is often turned on in debugging and testing and never
turned off by the administrator...

Here are some other interesting things about vPOS and Site Server, for
the e-commerce-minded among us:

1. In addition to the debug log mentioned above, the actual Commerce
Server store also has the ability to write a very lengthy logfile,
called ordinitbf, which can be added into the global.asa of the store,
and called using a scriptor component. Again, not very useful unless an
administrator turns on logging and never turns it off.

Things included in this file include: all shopper info, all address info
(billing and shipping), credit card info, including name, exp, and
number... you get the idea.


MICROSOFT COMMERCE SERVER IS A PRODUCT DEVELOPED BY MICROSOFT FOR
MERCHANTS WISHING TO ESTABLISH A WEB-BASED STOREFRONT.  THE FILE
'ORDINITBF' IS A MICROSOFT FILE AND IS NOT RELATED TO THE FUNCTIONALITY
OF THE VERIFONE VPOS PRODUCT.  VPOS HAS NO INTERACTION WITH THE
'ORDINITBF' FILE.

2. The vPOS service cannot be started automatically. The encryption
string MUST be typed in at start-up. This sequence cannot be automated.
Therefore, if a server using vPOS is somehow compromised in the middle
of the night, and no administrator is there to restart the service, all
transactions will fail until the next time the administrator restarts
the service.

REGARDING THE VPOS ENGINE SERVICE, THE SET 1.0 VERSION OF VPOS ENGINE
SERVICE CAN BE STARTED AUTOMATICALLY.  HOWEVER, THE ENCRYPTION STRING
MUST BE PROVIDED.

IF THE SERVER USING VPOS IS SOMEHOW COMPROMISED, WHY WOULD YOU WANT TO
RESTART THE ENGINE SERVICE AUTOMATICALLY?  WOULDN'T YOU WANT THE SYSTEM
ADMINISTRATOR TO FIRST VERIFY THAT THE SECURITY BREACH DID NOT AFFECT ALL
ASPECTS OF THE NT ENVIRONMENT INCLUDING THE MERCHANT STOREFRONT,
NETWORKING, USERS/PASSWORDS, DATABASES, ETC. BEFORE YOU STARTED YOUR
STOREFRONT SYSTEM UP AUTOMATICALLY?  THEY MIGHT HAVE TAMPERED WITH YOUR
STORE PRODUCT DATABASE.

3. In order for vPOS to work with Microsoft Site Server (Commerce Server
2.0), the Commerce Server version 1.0 component wrapper must be used. In
order to trick the v1 component wrapper into thinking that Site Server
is really Merchant Server 1.0, A LOT of registry entries must be made.

Some of these registry entries include the SQL passwords, the NT
administrator login passwords, etc. Fun for the whole family, and
everything in plaintext.

THIS IS A MICROSOFT SITE SERVER PRODUCT ISSUE THAT YOU SHOULD ADDRESS
WITH MICROSOFT.  IT HAS NO RELATION TO THE FUNCTIONALITY OF VPOS.

4. The merchant certificates are stored in the SQL database whose
passwords you just typed in plaintext into the registry.

ALL DATA TRANSACTIONS UTILIZING THE SET STANDARD ARE ENCRYPTED.
MERCHANT CERTIFICATES ARE STORED BY VPOS USING AN SQL DATABASE.
CERTIFICATES THEMSELVES ARE NOT TAMPERABLE SINCE THEY HAVE BEEN DIGITALLY
SIGNED BY A CERTIFICATE AUTHORITY.  VPOS WILL STORE ANY DATA CONSIDERED
SENSITIVE IN AN ENCRYPTED FORM.
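
The thread's first point is that debug and store logfiles left switched on end up holding shopper card numbers. As an added example (not part of the original posts, and not VeriFone or Microsoft code), this Python script finds Luhn-valid card numbers in log lines and produces a masked copy; the log layout and field names are constructed for illustration and do not reproduce any real vPOS or Commerce Server format.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep the first 6 and last 4 digits, hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_log(lines):
    """Return ([(line_no, masked_number)], redacted_lines) for an iterable of log lines."""
    findings, redacted = [], []
    for no, line in enumerate(lines, 1):
        def repl(m):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):             # ignore order ids, tracking numbers, etc.
                findings.append((no, mask(digits)))
                return mask(digits)
            return m.group()
        redacted.append(PAN_RE.sub(repl, line))
    return findings, redacted

# Constructed sample lines; the two card numbers are widely published test numbers.
SAMPLE_LOG = [
    "11/19/97 02:14:07 order=1001 shopper=Jane Doe ship_zip=94065",
    "11/19/97 02:14:07 order=1001 cc_name=Jane Doe cc_number=4111111111111111 cc_exp=12/99",
    "11/19/97 02:15:31 order=1002 cc_number=5500-0000-0000-0004 cc_exp=01/00",
    "11/19/97 02:16:02 order=1003 tracking=1234567890123456",
]

if __name__ == "__main__":
    hits, clean = scan_log(SAMPLE_LOG)
    for no, pan in hits:
        print(f"line {no}: card number present ({pan})")
    print("\n".join(clean))
```

A non-empty findings list on a production store is the signal that debug logging was left enabled and the file needs to be purged and access-reviewed.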


