[Full-Disclosure] (no subject)

t4rku5_at_hushmail.com
Date: 10/31/03

    To: full-disclosure@lists.netsys.com
    Date: Fri, 31 Oct 2003 05:20:28 -0800
    
    

    Topic: DATEV Nutzungskontrolle Bypassing

    Release Date: 2003-10-31

    Affected system:
    ================

    - Nutzungskontrolle V.2.2
    - Nutzungskontrolle V.2.1

    Unaffected system:
    ==================

    - none known

    Summary:
    ========

    DATEV eG is a German company that makes software for tax advisors and
    lawyers. The Nutzungskontrolle (NUKO) is software that restricts
    access for the users. For example, a normal user is not allowed to see
    the internal reward accounting data. This data is restricted by the
    NUKO by, for example, blocking the "advisor number", which is used for
    all data in the internal reward accounting.

    Issue:
    ======

    It is possible to find out simple or blank passwords in the NUKO by
    searching in the NUKO database.

    The problem is that DATEV changed the default database password for all
    their databases, except for the NUKO DB. At the moment the Sybase ASA
    database is used to manage this stuff. I will not write the login
    password down here, because I think it is no problem to find this with
    Google.

    1. First you have to add the default superuser to the group DATEV:

    example:

    GRANT MEMBERSHIP
    IN GROUP DATEV
    TO "the superuser login" (without "")

    2. Then just make a query to the table u_nkw_passwords for the column
    nk_password to check where a password hash

    3D7595A98BFF809D3D7595A98BFF809D3D7595A98BFF809D3D7595A98BFF809D

    is.

    example:

    select nk_user_id from u_nkw_passwords where nk_password =
    '3D7595A98BFF809D3D7595A98BFF809D3D7595A98BFF809D3D7595A98BFF809D'

    3. Now query the user name of the nk_user_id.

    example:

    select nk_user_name from u_nkw_users where nk_user_id = 'one of the
    userid from 2.'

    4. Now you have a NUKO login with a blank Password.

    Workaround:
    ===========

    Change the default database password.

    Credits:
    ========

    Discovered by t4rku5


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
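
For administrators checking their own installation, the lookup described in the advisory can be run as an audit. The following is an added example, not part of the original post: it uses an in-memory SQLite database with constructed rows as a stand-in for the NUKO tables, takes only the table names, column names and blank-password hash from the advisory, and assumes that equal hashes mean equal passwords.

```python
import sqlite3

# Hash value the advisory gives for a blank NUKO password.
BLANK_HASH = "3D7595A98BFF809D3D7595A98BFF809D3D7595A98BFF809D3D7595A98BFF809D"

def build_sample_db():
    """Constructed stand-in for the NUKO tables (SQLite here, not Sybase ASA)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE u_nkw_users (nk_user_id TEXT PRIMARY KEY, nk_user_name TEXT);
        CREATE TABLE u_nkw_passwords (nk_user_id TEXT, nk_password TEXT);
    """)
    users = [("1", "alice"), ("2", "bob"), ("3", "carol"), ("4", "dave")]
    same = "A1" * 32  # constructed hash shared by two accounts
    hashes = [("1", BLANK_HASH), ("2", same), ("3", same.lower()), ("4", "B2" * 32)]
    db.executemany("INSERT INTO u_nkw_users VALUES (?, ?)", users)
    db.executemany("INSERT INTO u_nkw_passwords VALUES (?, ?)", hashes)
    return db

def audit(db):
    """Return (accounts with the blank-password hash, groups sharing one hash)."""
    rows = db.execute("""
        SELECT u.nk_user_name, UPPER(TRIM(p.nk_password))
        FROM u_nkw_passwords p
        JOIN u_nkw_users u ON u.nk_user_id = p.nk_user_id
        ORDER BY u.nk_user_name
    """).fetchall()
    blank, by_hash = [], {}
    for name, pw_hash in rows:
        if pw_hash == BLANK_HASH:
            blank.append(name)  # account needs a password set
        else:
            by_hash.setdefault(pw_hash, []).append(name)
    # Assumption: one fixed hash per password, so equal hashes = equal passwords.
    shared = sorted(names for names in by_hash.values() if len(names) > 1)
    return blank, shared

if __name__ == "__main__":
    blank, shared = audit(build_sample_db())
    print("blank password, reset required:", blank)
    print("identical hashes, review:", shared)
```

Accounts in either list should get new passwords once the default database password has been changed, as the workaround requires.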

