Full Disclosure mailing list archives

[blaqhatz] Pastel Accounting - password security issues


From: "l33t guy" <blaqhatz () webmail co za>
Date: Mon, 3 Mar 2003 17:46:22 +0200

Resend due to mailer problems. See attached.

-----BEGIN PPP SIGNED MESSAGE-----
Hash: SH1T

======================================================================== 
--blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz--
------------------------------------------------------------------------

blaqhatz!@#!@%!@#! ADVISORY blaqhatz!@#!@%!@#!

blaqhatz advisory #1
date: third day of march, in the year of our lord
 two thousand and three (03/03/03)
why today? coz we love 303, oh! oh! oh! http://www.only4jewz.net/efil4zaggin/blaqhatz.advisory.20030303

blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-b
l                                                                          l
a      ,-.        ||||||  ||     //\\   /|||\  ||  ||  //\\ |||||| |||||/  a
q     /`-'\       ||   )) ||    //  \\ ||   || ||  || //  \\  ||      //   q
|  .-/     \-,    ||||<<  ||    /||||\ ||   || |||||| /||||\  ||     //    |
b (  `.___.'  )   ||   )) ||    ||  || ||   || ||  || ||  ||  ||    //     b
l  `. _____ .'    ||||||  ||||| ||  ||  \|||\\ ||  || ||  ||  ||   /|||||  l
a                                            \\                            a 
q-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq



PRODUCT: PASTEL ACCOUNTING v6.0-6.12 (confirmed)
         earlier versions (suspected)


1. BACKGROUND

Pastel Accounting is an accounting package widely used by small business entities in countries in Africa, Europe, the 
Middle and Far East and Australasia. The Pastel product includes a facility for secure access to specific modules 
within the product.

Further information is available @ http://www.pastel.com


2. PROBLEM DESCRIPTION

The security system and application controls used by the Pastel product are broken.

All user and security information is stored in the file "ACCUSER.DAT" within the chosen client folder. Nothing in this file 
is encrypted, and no version or validity checking is performed against it.

As such, it is possible to replace the ACCUSER.DAT file with one from a different set of accounts, with known usernames 
and passwords, access and modify the data stored within a specific set of accounts and then restore the original file, 
leaving no concrete record of who modified the files.

In some contexts, it would even be possible to falsify records in an attempt to 'frame' a particular user with changes.

Additionally, some preliminary testing on the accuser.dat file displayed an alarming correlation between certain 
sections of the file and the passwords chosen. For example, given a group of users with chosen passwords "AAAAAAAA", 
"BBBBBBBB", "CCCCCCCC", "DDDDDDDD", and "ABCDEFGH", the following strings were found in the file: "ssssssss", 
"tttttttt", "uuuuuuuu", "vvvvvvvv", and "stuvwxyz".
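As an added illustration (not code from the advisory or from the vendor): the five pairs above are all explained by one constant offset added to each character, which is an encoding that carries no secret. The offset value and the assumption that the file stores nothing beyond this per-character transform are inferred here, not stated on the page.

```python
"""Model of the password transform the advisory observed in ACCUSER.DAT.

Added illustration, not code from the advisory or from Pastel. It assumes
only what the advisory reports (A->s, B->t, ..., H->z); whether the real
file does anything more is not known from the page.
"""

# Pairs reported in the advisory: (chosen password, string seen in the file).
OBSERVED = [
    ("AAAAAAAA", "ssssssss"),
    ("BBBBBBBB", "tttttttt"),
    ("CCCCCCCC", "uuuuuuuu"),
    ("DDDDDDDD", "vvvvvvvv"),
    ("ABCDEFGH", "stuvwxyz"),
]


def infer_shift(pairs):
    """Return the single byte offset that explains every (plain, stored)
    pair, or raise ValueError if no single offset does."""
    shifts = set()
    for plain, stored in pairs:
        if len(plain) != len(stored):
            raise ValueError("length changed: not a per-character substitution")
        shifts.update((ord(s) - ord(p)) % 256 for p, s in zip(plain, stored))
    if len(shifts) != 1:
        raise ValueError(f"no single offset explains the data: {sorted(shifts)}")
    return shifts.pop()


def encode(password, shift):
    """Apply the observed transform (what the file appears to hold)."""
    return "".join(chr((ord(c) + shift) % 256) for c in password)


def decode(stored, shift):
    """Invert it; no key is involved, so possession of the file suffices."""
    return "".join(chr((ord(c) - shift) % 256) for c in stored)


def is_keyless_substitution(pairs):
    """True when one fixed offset reproduces every observed pair, i.e. the
    stored form protects the password no better than plaintext would."""
    try:
        shift = infer_shift(pairs)
    except ValueError:
        return False
    return all(encode(p, shift) == s for p, s in pairs)
```

The inferred offset is the same for every character, which is the whole point: an auditor seeing this in a data file should treat the passwords as disclosed.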

3. IMPACT

Users may not rely on the application level controls implemented by the Pastel Accounting package.

As no reliance may be placed on application level controls, auditors must audit around the application.


4. FIX

None as of yet. Vendor notified.

5. WHO ARE BLAQHATZ?
blaqhatz are:

                pheer - pheerless
 - skankyvontrashbag - skankette - nyama_zinto -
 rod-boi - pheered - minibyte - whoot - pofmuis


======================================================================== 
--blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz--
------------------------------------------------------------------------


           !!#@j01N blaqhatz t0D4y!!@#


 mailto:eye.am.leet.eye.swear () blaqhatz za net

telling us who and what you are and with a good reason as to why you think you're leet enough to join blaqhatz

              Why should I join?

1. Everyone else thinks blaqhatz 0wn.
2. blaqhatz have been interviewed by more international legal authorities, seen the inside of more networks and more 
telco's, been on more television shows, been asked to assist more national intelligence agencies and skewled more 
people than any other group. **blaqhatz are *the* authority on modern information security**
3. We're nice people.
4. You can get sekret, blaqhatz warez, for free, just for applying.
5. You value security and 0day. You believe in freedom of information. You believe in helping others help themselves. 
blaqhatz will help you act to make your beliefs a reality.
6. We're only accepting new member applications until the 9th of the 3rd, 2000 & 3, on a first come, first 
served basis. All members will need to be approved by the elite blaqhatz board.

Big ups, shout outs and serious ruspek go to:
~el8, BoW, #havok, phrack.org, kouriers 4 christ, #hack krew, oldskewl efnet #phreakGER, effkay, arclight, maelstrom, 
ganja_man, scavenger, mindbinder, raw liquid, tonedef, y0y0y0 and c0.

r0qin' 1t iN 2w0-d0ubl3-0h-thr33!!!@#


-----BEGIN PPP SIGNATURE-----
Version: PPP 3.0.3 d34dc0d35f4dd34dc0d35f4dd34dc0d35f4dd34dc0d35f4d
d01337c0d135d01337c0d135d01337c0d135d01337c0d135
-----END PPP SIGNATURE-----