| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro) Subject: Gator eWallet Insecure User Data files Encryption and Gator BackUp / Banner Server Access/File retrieving Gator eWallet Insecure User Data files Encryption and Gator BackUp / Banner Server Access/File retrieving -------- Product: Gator eWallet Vendor: Gator Corporation Web: www.gator.com Risk:7 -------- Description: -------- Gator eWallet is a software for save your form data and login data , Gator Corporation say that the user data encryption is totally secure but it isn't true , i encountered that Gator uses BASE64 for encrypt the info. I encountered that you can retrieve the user data file in the backup servers. -------- PROBLEM -------- Files with info encrypted in BASE64: > mepgh.dat > mepcme.dat > meprca.dat > mepcmeft.dat > GMT.exe.manifest > meperr.dat > mepgus.dat > mepoem.dat > mepsnd-gs.dat > mepsnd-ksa.dat > mepcat.dat > sitehash4.dat All this files use BASE64 data encryption and this is a security hole because BASE64 / Radix64 is an insecure encryption method . In the user directory at Program Files\Common Files\GMT\Data you can find more information of the user. ---- ACCESSING TO THE BANNER SERVER ---- The GATOR eWallet software make connections to the bannerserver.gator.com server domain and request a file in the /bannerserver/ directory called bannerserver.dll , you can send a special crafted url for make buffer_overflow attacks and possible DoS . You must access in POST mode. ---- BACKUP SERVER FILE RETRIEVAL ---- In the GATOR backup servers you can retrieve an user data file (remote) only passing a specific url pointing to the requested file like: GET /scripts/xx/xxY.com.ffz HTTP/1.0 Accept: */* X-UA: WinInet 6.0.xxxx.1, 1.1, 1.0 If-Modified-Since: Thu, 06 Apr 2000 20:00:06 GMT User-Agent: Gator/4.1 Script 0 SLRetries: 1 SL-LastServer: xx.gator.com SL-LastErr: 12152 From: [SPOOFED USER /REQUEST ID] Script-Version: 0.4 Product-Version: 4.1.2.5 SL-Version: 2 RunMode: 2 Host: xxbackup.gator.com Connection: open With this you can retrieve an user domain data file from the GATOR BACKUP SERVER. xx are the 2 first characters of the domain user data file you requested and Y is are the rest of characters in the domain , this method use www subdomains too and you must specify a backup server like xxbackup.gator.com where xx are the two first characters of the domain that you want to request the user data file. ------- CONCLUSIONS & IMPACT ------- You can retrieve user data files from domains that you can request , finally you get a xxx.yyy.ffz , xxx is the domain and yyy the .com/.net/etc , ffz extension is the file extension of the script files used by backup server. BASE64/Radix64 encrypted dat files are vulnerable by a BASE64/RADIX64 decoding method like javascript code. ------- SOLUTION ------- Don't use GATOR eWallet , use when the Gator Corporation patch this. ------- MORE INFO ------- You can find more information of this in the NSRG-11-7 : http://security.novappc.com/gator-analisis (spanish version). ------- CONTACT ------- Lorenzo Manuel Hernandez Garcia-Hierro --- Computer Security Analyzer --- --Nova Projects Professional Coding-- PGP: Keyfingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2 ID: 0x9C38E1D7 ********************************** www.novappc.com security.novappc.com www.lorenzohgh.com ______________________
Powered by blists - more mailing lists