[Full-Disclosure] (no subject)

From: l33t guy (blaqhatz@webmail.co.za)
Date: 03/03/03

    From: "l33t guy" <blaqhatz@webmail.co.za>
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    Date: Mon, 3 Mar 2003 17:24:48 +0200
    

    -----BEGIN PPP SIGNED MESSAGE-----
    Hash: SH1T

    ========================================================================
    --blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz--
    ------------------------------------------------------------------------
    blaqhatz!@#!@%!@#! ADVISORY blaqhatz!@#!@%!@#!
    blaqhatz advisory #1
    date: third day of march, in the year of our lord
     two thousand and three (03/03/03)
    why today? coz we love 303, oh! oh! oh!
    http://www.only4jewz.net/efil4zaggin/blaqhatz.advisory.20030303
    PRODUCT: PASTEL ACCOUNTING v6.0-6.12 (confirmed)
             earlier versions (suspected)
    1. BACKGROUND
    Pastel Accounting is an accounting package widely used by small
    business entities in countries in Africa, Europe, the Middle and Far
    East and Australasia. The Pastel product includes a facility for
    secure access to specific modules within the product.
    Further information is available @ http://www.pastel.com
    2. PROBLEM DESCRIPTION
    The security system and application controls used by the Pastel
    product are broken.
    All user and security information is stored in the file
    "ACCUSER.DAT" within the chosen client folder. Nothing within this
    file is encrypted, nor is any version/validity checking done against
    this file.
    As such, it is possible to replace the ACCUSER.DAT file with one from
    a different set of accounts with known usernames and passwords, access
    and modify the data stored within a specific set of accounts, and then
    restore the original file, leaving no concrete evidence as to who
    modified the files.
    In some contexts, it would even be possible to falsify records in an
    attempt to 'frame' a particular user with changes.
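    As an added example (not part of the advisory, and not Pastel's own code): a baseline-and-verify check a defender could run over the client folder, so that the swap, modify, restore sequence described above leaves a record outside the application. The file name is taken from the advisory; that it sits directly in the client folder, and the sample file contents, are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

USER_FILE = "ACCUSER.DAT"  # name from the advisory; assumed to sit directly in the client folder


def fingerprint(path: Path) -> dict:
    """SHA-256 of the content plus the modification time in nanoseconds."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mtime_ns": st.st_mtime_ns}


def verify(client_folder: Path, base: dict) -> list[str]:
    """Compare the current ACCUSER.DAT with a baseline; an empty list means unchanged.

    A hash-only check would miss the sequence the advisory describes (swap in a
    file with known credentials, work, put the original back): after the restore
    the content matches again, but the file has still been rewritten.
    """
    cur = fingerprint(client_folder / USER_FILE)
    findings = []
    if cur["sha256"] != base["sha256"]:
        findings.append("content changed")
    elif cur["mtime_ns"] != base["mtime_ns"]:
        findings.append("rewritten with identical content (possible swap and restore)")
    return findings


def demo() -> list[list[str]]:
    """Constructed scenario (clean, swapped, restored); returns each verify() result."""
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        f = folder / USER_FILE
        original = b"user=admin;pass=ssssssss\n"  # constructed sample content
        f.write_bytes(original)
        base = fingerprint(f)
        clean = verify(folder, base)
        f.write_bytes(b"user=admin;pass=tttttttt\n")  # a file with known credentials swapped in
        swapped = verify(folder, base)
        f.write_bytes(original)  # the original put back
        later = base["mtime_ns"] + 60 * 10**9  # simulate the restore happening a minute later
        os.utime(f, ns=(later, later))
        restored = verify(folder, base)
    return [clean, swapped, restored]
```

    The baseline only helps if it is stored somewhere the application's users cannot write, which is the "audit around the application" point made in section 3.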
    Additionally, some preliminary testing on the accuser.dat file
    displayed an alarming correlation between certain sections of the
    file and the passwords chosen. For example, given a group of users
    with chosen passwords "AAAAAAAA", "BBBBBBBB", "CCCCCCCC", "DDDDDDDD",
    and "ABCDEFGH", the following strings were found in the file:
    "ssssssss", "tttttttt", "uuuuuuuu", "vvvvvvvv", and "stuvwxyz".
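    An added example, not from the advisory: it takes the five password/stored-string pairs quoted above and tests whether a single constant per-byte offset relates all of them, which is what separates a reversible substitution from a one-way hash. The offset it derives is inferred from those samples, not stated on the page; that the real file format is exactly this transform is an assumption.

```python
OBSERVED = [  # (chosen password, string found in ACCUSER.DAT), as listed in the advisory
    ("AAAAAAAA", "ssssssss"),
    ("BBBBBBBB", "tttttttt"),
    ("CCCCCCCC", "uuuuuuuu"),
    ("DDDDDDDD", "vvvvvvvv"),
    ("ABCDEFGH", "stuvwxyz"),
]


def infer_shift(pairs):
    """Return the single byte offset relating every pair, or None if no such offset exists.

    A one-way hash would give no constant offset (and usually a different length);
    a constant offset means the stored form is a substitution that can be undone.
    """
    deltas = set()
    for plain, stored in pairs:
        if len(plain) != len(stored):
            return None
        for p, s in zip(plain.encode("latin-1"), stored.encode("latin-1")):
            deltas.add((s - p) % 256)
    return deltas.pop() if len(deltas) == 1 else None


def shift_bytes(text: str, shift: int) -> str:
    """Apply a constant per-byte offset (a negative value shifts back)."""
    return bytes((b + shift) % 256 for b in text.encode("latin-1")).decode("latin-1")


def analyse(pairs=OBSERVED) -> dict:
    """Derive the offset from the samples and confirm it inverts every one of them."""
    shift = infer_shift(pairs)  # the advisory's samples are consistent with one offset (assumed, not stated)
    reversible = shift is not None and all(
        shift_bytes(stored, -shift) == plain for plain, stored in pairs)
    return {"shift": shift, "reversible": reversible}
```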
    3. IMPACT
    Users cannot rely on the application-level controls implemented by
    the Pastel Accounting package.
    As no reliance may be placed on application-level controls, auditors
    must audit around the application.
    4. FIX
    None as of yet. Vendor notified.
    5. WHO ARE BLAQHATZ?
    blaqhatz are:
                    pheer - pheerless
     - skankyvontrashbag - skankette - nyama_zinto -
     rod-boi - pheered - minibyte - whoot - pofmuis
    ========================================================================
    --blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz-ph33r-blaqhatz--
    ------------------------------------------------------------------------
               !!#@j01N blaqhatz t0D4y!!@#
     mailto:eye.am.leet.eye.swear@blaqhatz.za.net
    telling us who and what you are and with a good reason as to why you
    think you're leet enough to join blaqhatz
                  Why should I join?
    1. Everyone else thinks blaqhatz 0wn.
    2. blaqhatz have been interviewed by more international legal
    authorities, seen the inside of more networks and more telco's, been
    on more television shows, been asked to assist more national
    intelligence agencies and skewled more people than any other group.
    **blaqhatz are *the* authority on modern information security**
    3. We're nice people.
    4. You can get sekret, blaqhatz warez, for free, just for applying.
    5. You value security and 0day. You believe in freedom of information.
    You believe in helping others help themselves. blaqhatz will help you
    act to make your beliefs a reality.
    6. We're only accepting new member applications until the 9th of the
    3rd, 2000 & 3, on a first come, first served basis. All members will
    need to be approved by the elite blaqhatz board.
    Big ups, shout outs and serious ruspek go to:
    ~el8, BoW, #havok, phrack.org, kouriers 4 christ, #hack krew, oldskewl
    efnet #phreakGER, effkay, arclight, maelstrom, ganja_man, scavenger,
    mindbinder, raw liquid, tonedef, y0y0y0 and c0.
    r0qin' 1t iN 2w0-d0ubl3-0h-thr33!!!@#
    -----BEGIN PPP SIGNATURE-----
    Version: PPP 3.0.3 d34dc0d35f4dd34dc0d35f4dd34dc0d35f4dd34dc0d35f4d
    d01337c0d135d01337c0d135d01337c0d135d01337c0d135
    -----END PPP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
