Information Security News mailing list archives

Password Cracker Exposes Net.Commerce Sites


From: InfoSec News <isn () C4I ORG>
Date: Wed, 7 Mar 2001 18:02:23 -0600

http://www.internetnews.com/wd-news/article/0,,10_707381,00.html

By Brian McWilliams
March 7, 2001

IBM's Net.Commerce software was under renewed attack Wednesday, with
the release by a hacking group in Denmark of a tool that can crack
encrypted administrator passwords on some versions of the popular
online storefront package.

When combined with a recently reported flaw in the Net.Data macro
function of Net.Commerce versions 4.1, 3.1 and earlier, the password
cracker could give an attacker the ability to log in as an
administrator of a Net.Commerce storefront and access customer data,
potentially including credit card numbers.

InternetNews has confirmed that the tool functions as described. In a
quick scan Tuesday, nearly a dozen vulnerable sites were easily
identified using a search engine, among them a leading bicycle
manufacturer, the online ticket office of a major university, a
leading automotive parts retailer, and two national jewelry retailers.
In each case, the tool was able to convert encrypted administrative
passwords into clear text.

One of the vulnerable Net.Commerce sites prominently displays a logo
designating it as a legitimate Verisign Secure Site. Another graphic
assures shoppers that the site is an AOL Certified Merchant.

The new tool, which was posted on the web this week, exploits the fact
that Net.Commerce encrypts passwords with a fixed key. While this key
can be changed when the package is installed, many sites use the
default key. In an email to InternetNews, the author of the tool, who
uses the hacker handle xor37h, said he found the key hardcoded in the
Net.Commerce application executable while debugging the program.

Last month, a security consultant in Austria discovered that a flaw in
the Net.Data macro function of older versions of Net.Commerce allows
unauthorized users to inject arbitrary SQL commands into a store's
database. With this ability, an attacker could upload and download
files, issue operating system commands, and extract any information
from the site's database, including customer records and credit cards.
Also accessible are the account names and encrypted passwords of the
Net.Commerce administrators.
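The two weaknesses the article describes chain together: an injection
into a macro's SQL dumps the administrator table, and because the stored
passwords are encrypted under a key the application itself must hold,
anyone who has read that key out of the executable turns the dump into
clear text. Changing the key at install time does not change that
design; a key the application needs in order to decrypt has to be stored
where the application, and so anyone who can read its files, can reach
it. The script below is an added illustration written for this page, not
Net.Commerce code: the SHA-256 keystream cipher, the default key, the
table and column names, the administrator account and the injected string
are all constructed for the example, and nothing here reproduces the
package's actual algorithm or schema. It contrasts the reversible
fixed-key scheme with salted PBKDF2 storage, for which no decrypt routine
can exist, and the string-spliced query with a parameterized one.

```python
"""Added example: SQL injection chained with fixed-key password 'encryption'.
Not Net.Commerce code; the cipher, key, schema and payload are constructed."""
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for a key shipped inside the application binary.
DEFAULT_KEY = b"installer-default-key"


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; stands in for any fixed-key cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def fixed_key_encrypt(password: str, key: bytes = DEFAULT_KEY) -> str:
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data)))).hex()


def fixed_key_decrypt(stored_hex: str, key: bytes = DEFAULT_KEY) -> str:
    # Reversible by design: whoever knows the key recovers every stored password.
    data = bytes.fromhex(stored_hex)
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data)))).decode()


def build_store() -> sqlite3.Connection:
    """Constructed storefront database: one product, one administrator."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (name TEXT, price TEXT, category TEXT);
        CREATE TABLE admins (login TEXT, password TEXT);
        INSERT INTO products VALUES ('road bike', '1200', 'bikes');
    """)
    con.execute("INSERT INTO admins VALUES (?, ?)",
                ("ncadmin", fixed_key_encrypt("St0reFr0nt!")))
    con.commit()
    return con


def vulnerable_lookup(con: sqlite3.Connection, category: str) -> list:
    # The macro flaw in miniature: request input spliced into the SQL text.
    sql = f"SELECT name, price FROM products WHERE category = '{category}'"
    return con.execute(sql).fetchall()


def safe_lookup(con: sqlite3.Connection, category: str) -> list:
    # Parameterized query: the input can only ever be a category value.
    return con.execute("SELECT name, price FROM products WHERE category = ?",
                       (category,)).fetchall()


# Constructed payload: closes the literal, UNIONs in the admin table,
# and comments out the trailing quote.
INJECTION = "nope' UNION SELECT login, password FROM admins --"


def attack(con: sqlite3.Connection) -> dict:
    """Dump encrypted admin credentials via injection, then decrypt them."""
    rows = vulnerable_lookup(con, INJECTION)
    return {login: fixed_key_decrypt(stored) for login, stored in rows}


def hash_password(password: str) -> str:
    """Hardened storage: random salt plus PBKDF2-HMAC-SHA256, nothing to decrypt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    store = build_store()
    print("injection against spliced query:", attack(store))
    print("same input against parameterized query:", safe_lookup(store, INJECTION))
    print("salted hash of the admin password:", hash_password("St0reFr0nt!"))
```

Run stand-alone, the script prints the administrator's clear-text
password recovered from the injected dump, an empty result for the same
payload against the parameterized query, and a salted PBKDF2 record that
a dump would still leave an attacker to guess offline rather than decrypt.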

After InternetNews reported on the macros vulnerability last month,
IBM posted a notice at its site about the issue and advised
Net.Commerce customers to take action "to eliminate possible security
exposures" by properly coding macros. According to spokesperson Nancy
Riley, the company also directly contacted Net.Commerce accounts by
email, but many sites appear not to have heeded the notice.

"It's a matter of getting to the right person who is responsible for
keeping the code current, and then getting them to do it. We can only
provide them with the information -- we can't make them do it," said
Riley.

IBM is currently shipping version 5.1 of the software, which has been
rebranded the WebSphere Commerce Suite, but hundreds of sites still
use older, vulnerable releases.

At news time Wednesday, more than 1,600 people had visited the site
with the password cracking tool, according to a counter on the site's
homepage.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
