Backdoor Author: Oops
Kevin Poulsen, SecurityFocus 2000-04-27

The dread Cart32 backdoor was meant as a feature, not a bug, says its creator.

The backdoor password "wemilo" has been hidden in a popular small-business Internet shopping cart program for five years, and was intended to allow tech support staff to remotely access the software, said Bryan Whitaker, cofounder of e-commerce support company McMurtrey/Whitaker & Associates, Inc., and the author of Cart32.

"A lot of times customers call in and they don't know their passwords. It was for our support techs to help customers who were very new to the Internet," Whitaker told SecurityFocus.com Thursday.

"I wrote it in five years ago when I started this whole project, and I never expected it to get this big," said Whitaker, who estimates that the backdoored shopping cart is currently used on at least 1500 servers worldwide -- each one supporting dozens, or even hundreds, of small e-commerce sites. A search engine query shows the program handling sales of everything from books and tennis racquets to groceries and cigars.

Whitaker said "Wemilo" is somebody's name. He declined to elaborate.

Cerberus Internet Security Ltd., a U.K. computer security firm, exposed the backdoor in a Thursday-morning advisory. If properly exploited, the password allows anyone to list the individual passwords for every Cart32 user on a particular server, and has the potential to allow a malicious attacker to gain control of the computer, deface the web site or gain access to any customer information stored on the system, including names, shipping addresses and credit card numbers.

Cerberus cofounder David Litchfield said his brother and business partner Mark discovered the secret password by looking at the program with the standard Windows text editor. "He used Notepad," said Litchfield. "Just opened it up and looked through the cleartext content."

The seriousness of the hole prompted the brothers to immediately release a public advisory, including instructions on how to patch the program and shutter the backdoor, said Litchfield. "Normally, we give the vendors as much time as they need to fix the hole before announcing it," Litchfield said. "But the way I saw it, if we knew about it, and it was so simple to discover, I'm sure that there were other people out there who already knew about it and were exploiting it."

"Outrageously Bad"
"We were caught off guard," said a clearly frustrated Whitaker. "They told us as they released it to everyone else. They emailed our Cart32 support address last night, and I found out about it this morning."

"If they'd let us know ahead of time, we would have had a chance to come out with a patch before everybody knew about it," said Whitaker.

The password's outing came at a bad time for McMurtrey/Whitaker -- the Springfield, Missouri-based company is in the midst of a move to larger office space after growing from two to twelve employees in the last six months. "We've emailed our customers an interim fix until we get the main one out," said Whitaker. "We'll have a patch out Monday, or maybe even tomorrow [Friday]."

Cart32 users who don't use the interim fix will be wide open to malicious attacks until then.

Peter Neumann, Principal Scientist at SRI International and moderator of the Risks Digest, said administrative backdoors are a frequent problem. "Maintenance passwords are a common strategy, because it makes it simpler for the support folks, especially if the password is the same across all the systems," said Neumann. "It's a huge vulnerability, but it's common practice.

"The whole concept of fixed passwords is itself a lousy idea, but having a fixed password embedded in code is outrageously bad," said Neumann. "It's a bad thing if you believe that a program is never going to be reverse engineered."

"I wasn't aware that you can even look at stuff like that with a text editor," said Whitaker. "Now, in hindsight, it probably would have been better not having it at all."
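The discovery Litchfield describes, reading the binary's printable strings in a text editor, is exactly the check a vendor can run over its own build before shipping. The example below is added here and is not code from SecurityFocus, Cerberus or McMurtrey/Whitaker: it pulls printable runs out of a binary the way strings(1) does and flags token-like strings sitting right after a credential keyword. The keyword list, the token heuristic and the sample binary are all assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Shortest printable run worth reporting, the same default strings(1) uses.
MIN_LEN = 4

# Words that commonly sit next to an embedded credential in a binary's data.
# This list is an assumption of the example, not a standard.
KEYWORDS = ("password", "passwd", "pwd", "secret", "login", "admin", "support")

def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of printable ASCII, as strings(1)
    or a text editor would show it."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]

def looks_like_token(text: str) -> bool:
    """Password-like: short, no whitespace, not a path, header or URL."""
    return 4 <= len(text) <= 32 and re.search(r"[\s:/\\]", text) is None

def find_credential_candidates(blob: bytes, gap: int = 16) -> List[Tuple[int, str]]:
    """Flag token-like strings that begin within `gap` bytes after the end of
    a string containing a credential keyword.  A release gate would fail the
    build on any hit and leave a human to decide whether it is a real secret."""
    found = extract_strings(blob)
    hits = []
    for i, (off, text) in enumerate(found):
        if not any(k in text.lower() for k in KEYWORDS):
            continue
        end = off + len(text)
        for off2, text2 in found[i + 1:]:
            if off2 - end > gap:
                break
            if looks_like_token(text2):
                hits.append((off2, text2))
    return hits

# Constructed stand-in for a compiled CGI binary: opaque bytes around a few
# string literals, one of them a fixed maintenance password like the one the
# article describes.  This is not the real Cart32 program.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"cart.exe\x00\x00\x00" + b"\x00" * 8
    + b"support password\x00" + b"wemilo\x00" + b"\x1b\x02\x03\xfe"
    + b"Content-type: text/html\x00" + b"\x00" * 5
    + b"Enter password:\x00"
)
```

Running `find_credential_candidates(SAMPLE_BINARY)` reports the string at offset 50 and ignores the HTTP header that also follows the keyword; the heuristic is deliberately noisy, so every hit is for a reviewer to dismiss or act on.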
