Re: Alert: Cart32 secret password backdoor (CISADV000427) (fwd)

[dildog () L0PHT COM (Dildog)]

That's because the 'wemilo' string is unicode.
Try looking for "w\0e\0m\0i\0l\0o\0".

Also, there's a version of 'strings' for NT that does both
ASCII strings and Unicode strings over at www.sysinternals.com
in the 'miscellaneous' section of their NT stuff.

-- dil

> Date: Fri, 28 Apr 2000 10:30:37 -0500
> From: Bill Borton <bborton () CONWIN COM>
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: Re: Alert: Cart32 secret password backdoor (CISADV000427)
>
> Greetings,
>
> I have a client using cart32 2.6 so I went to the cart32clientlist url
> mentioned in the alert and sure enough if dumped the hashed password
> list.  I high-tailed it over there and open up the cart32.exe and was unable
> to find the "wemilo" password anywhere.  Now this could be my fault, heck
> I haven't touched a hex editor in ages, but still it prompted me to go back
> to the clientlist url and try some random charecters instead of "wemilo".
> Well, it happily dumped the client list again.  Just to make sure it wasn't
> just me I went out on the web and tried it at several sites running cart32
> (2.6 and 3.0) and all but one case it dumped the client list.  The one
> that didn't show a list DID show the open database messages so I think
> maybe it just wasn't set up.  I may be missing something here but it seems
> to me you don't have to even know the "backdoor password" to dump the
> client list and hashes.
>
> my 2 cents,
> -Bill