Full Disclosure mailing list archives
Gator eWallet Insecure User Data files Encryption and Gator BackUp / Banner Server Access/File retrieving
From: "Lorenzo Hernandez Garcia-Hierro" <novappc () novappc com>
Date: Mon, 9 Jun 2003 21:05:20 +0200
--------
Product: Gator eWallet
Vendor: Gator Corporation
Web: www.gator.com
Risk: 7
--------
Description:
--------
Gator eWallet is software for saving your form data and login data. Gator Corporation says that the user data encryption is totally secure, but it isn't true; I found that Gator uses BASE64 to encrypt the info. I also found that you can retrieve the user data file from the backup servers.
--------
PROBLEM
--------
Files with info encrypted in BASE64:

mepgh.dat
mepcme.dat
meprca.dat
mepcmeft.dat
GMT.exe.manifest
meperr.dat
mepgus.dat
mepoem.dat
mepsnd-gs.dat
mepsnd-ksa.dat
mepcat.dat
sitehash4.dat

All these files use BASE64 data encryption, and this is a security hole because BASE64 / Radix64 is an insecure encryption method. In the user directory at Program Files\Common Files\GMT\Data you can find more information about the user.

----
ACCESSING THE BANNER SERVER
----
The GATOR eWallet software makes connections to the bannerserver.gator.com server domain and requests a file in the /bannerserver/ directory called bannerserver.dll; you can send a specially crafted URL to make buffer overflow attacks and possible DoS. You must access it in POST mode.

----
BACKUP SERVER FILE RETRIEVAL
----
On the GATOR backup servers you can retrieve a user data file (remotely) just by passing a specific URL pointing to the requested file, like:

GET /scripts/xx/xxY.com.ffz HTTP/1.0
Accept: */*
X-UA: WinInet 6.0.xxxx.1, 1.1, 1.0
If-Modified-Since: Thu, 06 Apr 2000 20:00:06 GMT
User-Agent: Gator/4.1 Script 0
SLRetries: 1
SL-LastServer: xx.gator.com
SL-LastErr: 12152
From: [SPOOFED USER /REQUEST ID]
Script-Version: 0.4
Product-Version: 4.1.2.5
SL-Version: 2
RunMode: 2
Host: xxbackup.gator.com
Connection: open

With this you can retrieve a user domain data file from the GATOR BACKUP SERVER. xx are the first 2 characters of the domain user data file you requested and Y is the rest of the characters in the domain; this method uses www subdomains too, and you must specify a backup server like xxbackup.gator.com, where xx are the first two characters of the domain whose user data file you want to request.

-------
CONCLUSIONS & IMPACT
-------
You can retrieve user data files from domains that you can request; finally you get an xxx.yyy.ffz, where xxx is the domain and yyy the .com/.net/etc.; the ffz extension is the file extension of the script files used by the backup server. BASE64/Radix64 encrypted dat files are vulnerable to a BASE64/RADIX64 decoding method like JavaScript code.

-------
SOLUTION
-------
Don't use GATOR eWallet; use it once the Gator Corporation patches this.
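The core finding above is that a store described as "encrypted" was only base64-encoded. The following check, an added example that is not part of the advisory or of Gator's software, tells a reversibly encoded store apart from one that actually looks like ciphertext: it attempts a strict base64 decode and then measures printability and byte entropy. The sample records are constructed placeholders, not real eWallet data.

```python
import base64
import binascii
import hashlib
import math
import string

PRINTABLE = set(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, and ciphertext sits close to it."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def classify(blob: bytes) -> tuple:
    """Return (verdict, recovered_bytes) for a stored record.

    recovered_bytes is the decoded content when the "encryption" is just base64;
    base64-wrapped ciphertext is recognised by the entropy of its decoded form."""
    candidate = b"".join(blob.split())  # tolerate line-wrapped base64
    try:
        decoded = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        decoded = None
    if decoded is not None and printable_ratio(decoded) >= 0.95:
        return "base64-encoded plaintext", decoded
    sample = decoded if decoded else blob
    if shannon_entropy(sample) >= 7.0:
        return "high-entropy (consistent with ciphertext)", None
    return "low-entropy, not base64", None


# Constructed samples standing in for the .dat files named in the advisory.
PLAINTEXT = b"user=alice\r\npassword=hunter2\r\ncard=4111111111111111\r\n"
ENCODED_RECORD = base64.b64encode(PLAINTEXT)  # what "BASE64 encryption" produces
# Deterministic pseudo-random bytes as a stand-in for genuine cipher output.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
WRAPPED_CIPHERTEXT = base64.b64encode(CIPHERTEXT_LIKE)

if __name__ == "__main__":
    for name, blob in [("encoded", ENCODED_RECORD), ("wrapped", WRAPPED_CIPHERTEXT)]:
        verdict, recovered = classify(blob)
        print(f"{name}: {verdict}", recovered.decode() if recovered else "")
```

A store that comes back as "base64-encoded plaintext" offers no confidentiality at all, which is the condition the advisory reports.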
-------
MORE INFO
-------
You can find more information about this in NSRG-11-7: http://security.novappc.com/gator-analisis (Spanish version).

-------
CONTACT
-------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2 ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html