Message-ID: <007001c32eba$13aff800$050010ac@rootserver>
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro)
Subject: Gator eWallet Insecure User Data files Encryption and Gator BackUp / Banner Server Access/File retrieving
--------
Product: Gator eWallet
Vendor: Gator Corporation
Web: www.gator.com
Risk:7
--------
Description:
--------
Gator eWallet is a program for saving your form data and login data. Gator
Corporation says that the user data encryption is totally secure, but this is
not true: I found that Gator uses Base64 to "encrypt" the information.
I also found that you can retrieve the user data file from the backup
servers.
--------
PROBLEM
--------
Files with info encrypted in BASE64:
> mepgh.dat
> mepcme.dat
> meprca.dat
> mepcmeft.dat
> GMT.exe.manifest
> meperr.dat
> mepgus.dat
> mepoem.dat
> mepsnd-gs.dat
> mepsnd-ksa.dat
> mepcat.dat
> sitehash4.dat
All of these files use Base64 data "encryption", and this is a security hole
because Base64/Radix64 is a reversible encoding, not encryption, so it gives
the data no protection at all.
In the user directory at Program Files\Common Files\GMT\Data you can find
more information about the user.
----
ACCESSING TO THE BANNER SERVER
----
The Gator eWallet software connects to the bannerserver.gator.com domain and
requests a file called bannerserver.dll in the /bannerserver/ directory. A
specially crafted URL sent to it can cause buffer overflow attacks and a
possible DoS.
The request must be made in POST mode.
----
BACKUP SERVER FILE RETRIEVAL
----
From the Gator backup servers you can remotely retrieve a user data file just
by sending a specific URL pointing to the requested file, like:
GET /scripts/xx/xxY.com.ffz HTTP/1.0
Accept: */*
X-UA: WinInet 6.0.xxxx.1, 1.1, 1.0
If-Modified-Since: Thu, 06 Apr 2000 20:00:06 GMT
User-Agent: Gator/4.1 Script 0
SLRetries: 1
SL-LastServer: xx.gator.com
SL-LastErr: 12152
From: [SPOOFED USER /REQUEST ID]
Script-Version: 0.4
Product-Version: 4.1.2.5
SL-Version: 2
RunMode: 2
Host: xxbackup.gator.com
Connection: open
With this you can retrieve a user domain data file from the Gator backup
server.
xx are the first two characters of the domain of the user data file you
requested and Y is the rest of the characters in the domain. This method
works with www subdomains too, and you must specify a backup server like
xxbackup.gator.com, where xx are the first two characters of the domain
whose user data file you want to request.
-------
CONCLUSIONS & IMPACT
-------
You can retrieve user data files for any domain you can request; you end up
with an xxx.yyy.ffz file, where xxx is the domain, yyy is the .com/.net/etc.
part and ffz is the file extension of the script files used by the backup
server.
The Base64/Radix64 "encrypted" .dat files can be read back with any
Base64/Radix64 decoding routine, such as a few lines of JavaScript.
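As an added check (my own example, not part of the original advisory or of Gator's code), the following Python script decides whether a stored data file is merely Base64-encoded plaintext, which is the situation described in the PROBLEM section and in the conclusions above. The sample file contents are constructed for illustration and do not reflect Gator's real file layout.

```python
import base64
import binascii
import math
import re
import string

# Constructed sample: what a "protected" wallet .dat file looks like when the
# only transformation applied is Base64 (an assumption, not Gator's layout).
SAMPLE_DAT = base64.b64encode(
    b"fullname=Jane Example\r\nemail=jane@example.invalid\r\ncard=4111111111111111\r\n"
)
# Constructed comparison: Base64 of random-looking bytes, as real ciphertext would be.
SAMPLE_CIPHERTEXT_B64 = base64.b64encode(bytes(range(256)) * 4)

_B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/=\s]+$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 is random-looking (ciphertext), ~4-5 is text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = set(string.printable.encode())
    return sum(1 for b in data if b in ok) / len(data)


def analyze_dat(blob: bytes) -> dict:
    """Report whether a blob is only Base64-encoded plaintext (no real encryption)."""
    result = {"base64_only": False, "decoded": b"", "entropy": 0.0}
    if not _B64_ALPHABET.match(blob):
        return result  # not even Base64 text; cannot be the plain-encoding case
    try:
        decoded = base64.b64decode(blob, validate=False)  # tolerate whitespace
    except (binascii.Error, ValueError):
        return result
    ent = shannon_entropy(decoded)
    result.update(decoded=decoded, entropy=ent)
    # Readable, low-entropy output means the Base64 layer is the only "protection".
    result["base64_only"] = printable_ratio(decoded) > 0.95 and ent < 6.0
    return result
```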
-------
SOLUTION
-------
Don't use Gator eWallet until Gator Corporation patches this.
-------
MORE INFO
-------
You can find more information about this in NSRG-11-7:
http://security.novappc.com/gator-analisis
(Spanish version).
-------
CONTACT
-------
Lorenzo Manuel Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com