
fulldisclosure logo Full Disclosure mailing list archives

(no subject)
From: "l33t guy" <blaqhatz () webmail co za>
Date: Mon, 3 Mar 2003 17:24:48 +0200

-----BEGIN PPP SIGNED MESSAGE-----
Hash: SH1T

========================================================================
--blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz--
------------------------------------------------------------------------

blaqhatz!@#!@%!@#! ADVISORY blaqhatz!@#!@%!@#!

blaqhatz advisory #1
date: third day of march, in the year of our lord two thousand and
three (03/03/03)
why today? coz we love 303, oh! oh! oh!
http://www.only4jewz.net/efil4zaggin/blaqhatz.advisory.20030303

blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-b
l                                                                          l
a      ,-.        ||||||  ||     //\\   /|||\  ||  ||  //\\ |||||| |||||/  a
q     /`-'\       ||   )) ||    //  \\ ||   || ||  || //  \\  ||      //   q
|  .-/     \-,    ||||<<  ||    /||||\ ||   || |||||| /||||\  ||     //    |
b (  `.___.'  )   ||   )) ||    ||  || ||   || ||  || ||  ||  ||    //     b
l  `. _____ .'    ||||||  ||||| ||  ||  \|||\\ ||  || ||  ||  ||   /|||||  l
a                                               \\                         a
q-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq



PRODUCT: PASTEL ACCOUNTING v6.0-6.12 (confirmed)
         earlier versions (suspected)


1. BACKGROUND

Pastel Accounting is an accounting package widely used by small
business entities in countries in Africa, Europe, the Middle and Far
East and Australasia. The Pastel product includes a facility for
secure access to specific modules within the product.

Further information is available @ http://www.pastel.com


2. PROBLEM DESCRIPTION

The security system and application controls used by the Pastel
product are broken.

All user and security information is stored in the file
"ACCUSER.DAT" within the chosen client folder. None of the information
within this file is encrypted, nor is any version/validity checking
done against this file.

As such, it is possible to replace the ACCUSER.DAT file with one from
a different set of accounts with known usernames and passwords, access
and modify the data stored within a specific set of accounts, and then
restore the original file, thus leaving no concrete record of by whom
the files were modified.

In some contexts, it would even be possible to falsify records in an
attempt to 'frame' a particular user with changes.

Additionally, some preliminary testing on the accuser.dat file
displayed an alarming correlation between certain sections of the file
and the passwords chosen. For example, given a group of users with
chosen passwords "AAAAAAAA", "BBBBBBBB", "CCCCCCCC", "DDDDDDDD", and
"ABCDEFGH", the following strings were found in the file: "ssssssss",
"tttttttt", "uuuuuuuu", "vvvvvvvv", and "stuvwxyz".
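The two weaknesses above are a user file that is accepted from any set of accounts without a validity check, and passwords stored under a fixed per-character substitution that leaves their pattern visible. The following is an added example, not Pastel's code, of a user store that closes both: it assumes a per-installation secret key kept outside the client folder and uses a constructed JSON layout as a stand-in for ACCUSER.DAT.

```python
import hashlib
import hmac
import json
import os

TAG_LEN = 32          # HMAC-SHA256 tag appended to the file
ITERATIONS = 100_000  # PBKDF2 work factor (constructed value)

def hash_password(password, salt=None):
    """Salted PBKDF2 instead of a fixed character substitution: "AAAAAAAA"
    and "BBBBBBBB" yield unrelated digests with no repeating pattern."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}

def build_user_file(users, dataset_id, key):
    """Serialise the records together with the dataset they belong to and
    append a MAC under a key held outside the client folder (assumed)."""
    body = json.dumps({"dataset": dataset_id,
                       "users": {u: hash_password(p) for u, p in users.items()}},
                      sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def load_user_file(blob, dataset_id, key):
    """Reject a file that was altered or that was built for another dataset,
    which is the swap the advisory describes."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("user file rejected: MAC mismatch (tampered or foreign)")
    data = json.loads(body)
    if data["dataset"] != dataset_id:
        raise ValueError("user file rejected: bound to dataset " + data["dataset"])
    return data["users"]

def check_login(users, username, password):
    """Constant-time comparison of the stored digest against the candidate."""
    rec = users.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(rec["salt"]), ITERATIONS)
    return hmac.compare_digest(digest.hex(), rec["hash"])

def rejects(blob, dataset_id, key):
    """True when load_user_file refuses the blob."""
    try:
        load_user_file(blob, dataset_id, key)
        return False
    except ValueError:
        return True
```

A file built for one company dataset is refused by another even when the key is shared, and an auditor can log every such refusal rather than having to audit around the application.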

3. IMPACT

Users may not rely on the application level controls implemented by
the Pastel Accounting package.

As no reliance may be placed on application level controls, auditors
must audit around the application.


4. FIX

None as of yet. Vendor notified.

5. WHO ARE BLAQHATZ?
blaqhatz are:

                pheer - pheerless
 - skankyvontrashbag - skankette - nyama_zinto -
 rod-boi - pheered - minibyte - whoot - pofmuis


========================================================================
--blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz--
------------------------------------------------------------------------


           !!#@j01N blaqhatz t0D4y!!@#


 mailto:eye.am.leet.eye.swear () blaqhatz za net

telling us who and what you are and with a good reason as to why you
think you're leet enough to join blaqhatz

              Why should I join?

1. Everyone else thinks blaqhatz 0wn.
2. blaqhatz have been interviewed by more international legal
authorities, seen the inside of more networks and more telco's, been
on more television shows, been asked to assist more national
intelligence agencies and skewled more people than any other group.
**blaqhatz are *the* authority on modern information security**
3. We're nice people.
4. You can get sekret, blaqhatz warez, for free, just for applying.
5. You value security and 0day. You believe in freedom of information.
You believe in helping others help themselves. blaqhatz will help you
act to make your beliefs a reality.
6. We're only accepting new member applications until the 9th of the
3rd, 2000 & 3, on a first come, first served basis. All members will
need to be approved by the elite blaqhatz board.

Big ups, shout outs and serious ruspek go to:
~el8, BoW, #havok, phrack.org, kouriers 4 christ, #hack krew, oldskewl
efnet #phreakGER, effkay, arclight, maelstrom, ganja_man, scavenger,
mindbinder, raw liquid, tonedef, y0y0y0 and c0.

r0qin' 1t iN 2w0-d0ubl3-0h-thr33!!!@#


-----BEGIN PPP SIGNATURE-----
Version: PPP 3.0.3 d34dc0d35f4dd34dc0d35f4dd34dc0d35f4dd34dc0d35f4d
d01337c0d135d01337c0d135d01337c0d135d01337c0d135
-----END PPP SIGNATURE-----