Full Disclosure mailing list archives

Gator eWallet Insecure User Data files Encryption and Gator BackUp / Banner Server Access/File retrieving


From: "Lorenzo Hernandez Garcia-Hierro" <novappc () novappc com>
Date: Mon, 9 Jun 2003 21:05:20 +0200



 Gator eWallet Insecure User Data files Encryption and Gator BackUp / Banner
 Server Access/File retrieving
 --------
 Product: Gator eWallet
 Vendor: Gator Corporation
 Web: www.gator.com
 Risk: 7
 --------
 Description:
 --------
 Gator eWallet is a program for saving your form data and login data. Gator
 Corporation says that the user data encryption is totally secure, but it isn't
 true: I found that Gator uses BASE64 to encrypt the info.
 I also found that you can retrieve the user data file from the backup
 servers.
 --------
 PROBLEM
 --------
 Files with info encrypted in BASE64:
mepgh.dat
mepcme.dat
meprca.dat
mepcmeft.dat
GMT.exe.manifest
meperr.dat
mepgus.dat
mepoem.dat
mepsnd-gs.dat
mepsnd-ksa.dat
mepcat.dat
sitehash4.dat
 All these files use BASE64 data encryption, and this is a security hole
 because BASE64 / Radix64 is an insecure encryption method.
 In the user directory at Program Files\Common Files\GMT\Data you can find
 more information about the user.
 ----
 ACCESSING TO THE BANNER SERVER
 ----
 The GATOR eWallet software makes connections to the bannerserver.gator.com
 server domain and requests a file in the /bannerserver/ directory called
 bannerserver.dll. You can send a specially crafted URL to make
 buffer overflow attacks and possibly a DoS.
 You must access it in POST mode.

 ----
 BACKUP SERVER FILE RETRIEVAL
 ----
 From the GATOR backup servers you can retrieve a user data file (remotely)
 just by passing a specific URL pointing to the requested file, like:

 GET /scripts/xx/xxY.com.ffz HTTP/1.0
 Accept: */*
 X-UA: WinInet 6.0.xxxx.1, 1.1, 1.0
 If-Modified-Since: Thu, 06 Apr 2000 20:00:06 GMT
 User-Agent: Gator/4.1 Script 0
 SLRetries: 1
 SL-LastServer: xx.gator.com
 SL-LastErr: 12152
 From: [SPOOFED USER /REQUEST ID]
 Script-Version: 0.4
 Product-Version: 4.1.2.5
 SL-Version: 2
 RunMode: 2
 Host: xxbackup.gator.com
 Connection: open

 With this you can retrieve a user domain data file from the GATOR BACKUP
 SERVER.
 xx are the first 2 characters of the domain of the user data file you
 requested, and Y is the rest of the characters in the domain. This method
 works with www subdomains too, and you must specify a backup server like
 xxbackup.gator.com, where xx are the first two characters of the domain whose
 user data file you want to request.

-------
CONCLUSIONS & IMPACT
-------
 You can retrieve user data files for domains that you can request;
 finally you get an xxx.yyy.ffz, where xxx is the domain and yyy the
 .com/.net/etc. The ffz extension is the file extension of the script files
 used by the backup server.
 BASE64/Radix64 encrypted .dat files are vulnerable to any BASE64/RADIX64
 decoding method, such as JavaScript code.
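 As an added example (not part of the original advisory, and not Gator's code), the following Python script is the check an auditor would run against a vendor's "encrypted" data files such as the .dat files listed in the PROBLEM section: it attempts a strict Base64 (Radix-64) decode and then measures the entropy and printable ratio of the decoded bytes. Base64-wrapped plaintext decodes to readable, low-entropy text, whereas genuine ciphertext decodes to uniformly random-looking bytes. The sample records below are constructed for this example and are not taken from real Gator files; the classification thresholds are heuristics.

```python
import base64
import binascii
import hashlib
import math
import string
from collections import Counter

# Constructed sample record: what a form/login entry looks like when the only
# "protection" applied is Base64. Hypothetical content, not a real Gator file.
SAMPLE_PLAINTEXT = (
    b"site=www.example.com\r\n"
    b"user=alice\r\n"
    b"pass=CorrectHorseBatteryStaple\r\n"
)
BASE64_WRAPPED_PLAINTEXT = base64.b64encode(SAMPLE_PLAINTEXT)


def pseudo_ciphertext(length: int) -> bytes:
    """Deterministic stand-in for real ciphertext (constructed for the example).

    Chained SHA-256 digests give uniformly distributed bytes without needing a
    key or a cryptography library; statistically they look like cipher output.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(b"example-seed:%d" % counter).digest()
        counter += 1
    return out[:length]


BASE64_WRAPPED_CIPHERTEXT = base64.b64encode(
    pseudo_ciphertext(len(SAMPLE_PLAINTEXT))
)

# string.printable covers letters, digits, punctuation and whitespace (CR/LF too).
PRINTABLE = frozenset(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def try_base64_decode(blob: bytes):
    """Return the decoded bytes if blob is well-formed Base64, else None."""
    try:
        return base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_blob(blob: bytes) -> dict:
    """Classify a stored record as Base64-wrapped plaintext or opaque data.

    Heuristic: encoded plaintext decodes to (almost) all printable bytes with
    low entropy; real ciphertext decodes to mostly non-printable bytes whose
    entropy approaches the maximum possible for the sample length.
    """
    decoded = try_base64_decode(blob)
    if decoded is None:
        return {"base64": False, "verdict": "not-base64"}
    if not decoded:
        return {"base64": True, "verdict": "empty"}
    entropy = shannon_entropy(decoded)
    printable_ratio = sum(b in PRINTABLE for b in decoded) / len(decoded)
    verdict = (
        "base64-wrapped-plaintext"
        if printable_ratio >= 0.95
        else "opaque-high-entropy"
    )
    return {
        "base64": True,
        "entropy_bits_per_byte": round(entropy, 2),
        "printable_ratio": round(printable_ratio, 2),
        "verdict": verdict,
        "decoded_preview": decoded[:40],
    }


if __name__ == "__main__":
    for label, blob in (
        ("base64(plaintext)", BASE64_WRAPPED_PLAINTEXT),
        ("base64(ciphertext)", BASE64_WRAPPED_CIPHERTEXT),
        ("garbage", b"not base64 at all!"),
    ):
        print(label, classify_blob(blob))
```

 Run the script directly, or point classify_blob() at the contents of a file read in binary mode. A record that comes back as "base64-wrapped-plaintext" is stored with no confidentiality at all, which is exactly the condition the advisory describes; a record classified "opaque-high-entropy" may be encrypted, but this check alone cannot tell a strong cipher from a weak one.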
 -------
 SOLUTION
 -------
 Don't use GATOR eWallet until Gator Corporation patches this.
 -------
 MORE INFO
 -------
 You can find more information about this in NSRG-11-7:

 http://security.novappc.com/gator-analisis

 (Spanish version).

 -------
 CONTACT
 -------
  Lorenzo Manuel Hernandez Garcia-Hierro
  --- Computer Security Analyzer ---
  --Nova Projects Professional Coding--
  PGP: Keyfingerprint
  B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
  ID: 0x9C38E1D7
  **********************************
  www.novappc.com
 security.novappc.com
  www.lorenzohgh.com
 ______________________



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

