SecurityTracker.com
Category:   Application (Generic)  >   Pastel Accounting
Vendors:   Pastel Software (Pty) Ltd.
Pastel Accounting Lets Local Users Access and Modify Account Information, Including Passwords
SecurityTracker Alert ID:  1006221
SecurityTracker URL:  http://securitytracker.com/id/1006221
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 5 2003
Impact:   Modification of system information, Modification of user information, User access via local system
Exploit Included:  Yes  
Version(s): 6.0 - 6.12
Description:   A vulnerability was reported in Pastel Accounting. The system discloses usernames and encoded passwords to local users. A local user can gain unauthorized access to the system.

It is reported that a local user can access the file "ACCUSER.DAT", which contains usernames and encoded passwords. According to the report, there may be a strong correlation between the plaintext passwords and the encoded passwords.

It is also reported that a local user can replace the ACCUSER.DAT file on the target system with a valid ACCUSER.DAT file from a different system. If the local user knows the usernames and passwords on the different system, the local user can access Pastel Accounting on the target system using that information.

The vendor has reportedly been notified.

Impact:   A local user can modify the ACCUSER.DAT file to gain access to the system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.pastel.com/
Cause:   Access control error, Authentication error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98)

Message History:   None.
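The entry above notes that ACCUSER.DAT can be swapped for a copy from another installation and that the product performs no validity check on the file. The following is an added example, not code from SecurityTracker, the reporters or the vendor: it shows how an administrator could record a fingerprint of the genuine file and detect that it has been replaced. The file name ACCUSER.DAT is taken from the advisory, the file contents are constructed, and the check is assumed to be run from a scheduled task on the workstation or share that holds the client folder.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Fingerprint of ACCUSER.DAT recorded while the file is known to be genuine."""
    sha256: str
    size: int
    mtime_ns: int


def fingerprint(path: str) -> Baseline:
    """Hash the file contents and record its size and last-write timestamp."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return Baseline(digest.hexdigest(), st.st_size, st.st_mtime_ns)


def check_user_file(path: str, baseline: Baseline) -> str:
    """Compare the file on disk with the recorded baseline.

    "replaced"  - the bytes differ: a user file from another installation (or an
                  edited one) is in place; treat as an incident, not a normal update
    "touched"   - same bytes, different last-write time: the file was rewritten,
                  which is what a swap-then-restore leaves behind (weak signal only,
                  since a copy tool may preserve timestamps)
    "unchanged" - nothing observed
    """
    current = fingerprint(path)
    if current.sha256 != baseline.sha256 or current.size != baseline.size:
        return "replaced"
    if current.mtime_ns != baseline.mtime_ns:
        return "touched"
    return "unchanged"


def demo() -> dict:
    """Exercise the check on a scratch copy with constructed (not real) file contents."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "ACCUSER.DAT")
        genuine = b"constructed sample: user records of installation A"
        with open(path, "wb") as fh:
            fh.write(genuine)
        baseline = fingerprint(path)
        results = {"initial": check_user_file(path, baseline)}

        # Simulate the swap described in the advisory: a user file from a different
        # installation, whose accounts are known to the attacker, is dropped in place.
        with open(path, "wb") as fh:
            fh.write(b"constructed sample: user records of installation B")
        results["after_swap"] = check_user_file(path, baseline)

        # Simulate putting the genuine file back. The timestamp is set explicitly one
        # second after the baseline so the demo does not depend on filesystem
        # timestamp granularity.
        with open(path, "wb") as fh:
            fh.write(genuine)
        later = baseline.mtime_ns + 1_000_000_000
        os.utime(path, ns=(later, later))
        results["after_restore"] = check_user_file(path, baseline)
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step}: {verdict}")
```

A single baseline comparison catches a foreign file while it is in place; the swap-then-restore sequence the advisory describes leaves only the timestamp behind, so the check needs to run on a schedule short enough to fall inside the window, or be paired with operating-system file access auditing on the client folder.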


 Source Message Contents

Date:  Mon, 3 Mar 2003 17:43:11 +0200
Subject:  [blaqhatz] - Pastel Accounting application security issues


See attached.


[Excerpt of Base64 encoded message]

PRODUCT: PASTEL ACCOUNTING v6.0-6.12 (confirmed)
         earlier versions (suspected)


1. BACKGROUND

Pastel Accounting is an accounting package widely used by small business entities in countries in Africa, Europe, the Middle and Far East and Australasia. 
The Pastel product includes a facility for secure access to specific modules within the product.

Further information is available @ http://www.pastel.com


2. PROBLEM DESCRIPTION

The security system and application controls used by the Pastel product are broken.

All user and security information is stored with the file "ACCUSER.DAT" within the chosen client folder. 
No data is encrypted with any information within this file, nor is any version/validity checking done against this file.

As such, it is possible to replace the ACCUSER.DAT file with one from a different set of accounts, with known usernames and passwords, access and modify the 
data stored within a specific set of accounts and then restore the original file, thus providing no concrete on by whom the files were modified.

In some contexts, it would even be possible to falsify records in an attempt to 'frame' a particular user with changes.

Additionally, some preliminary testing on the accuser.dat file displayed an alarming correlation between certain sections of the file and the passwords chosen. 
For example, given a group of users with chosen passwords "AAAAAAAA", "BBBBBBBB", "CCCCCCCC", "DDDDDDDD", and "ABCDEFGH", the following strings were found 
in the file: "ssssssss", "tttttttt", "uuuuuuuu", "vvvvvvvv", and "stuvwxyz".

3. IMPACT

Users may not rely on the application level controls implemented by the Pastel Accounting package.

As no reliance may be placed on application level controls, auditors must audit around the application.


4. FIX

None as of yet. Vendor notified.

5. WHO ARE BLAQHATZ?
blaqhatz are:

                pheer - pheerless
 - skankyvontrashbag - skankette - nyama_zinto -
 rod-boi - pheered - minibyte - whoot - pofmuis
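
The five password/stored-string pairs quoted in section 2 of the advisory are enough for a simple audit test. The block below is an added example, not part of the blaqhatz advisory or of the vendor's software: it checks whether the stored form keeps the password's length and repetition pattern, and whether one fixed character map explains every pair, which is what a reversible substitution does and a one-way hash cannot. The sample pairs are the advisory's own; the SHA-256 comparison is added here for contrast.

```python
import hashlib

# Password / stored-string pairs quoted in section 2 of the advisory.
ADVISORY_SAMPLES = [
    ("AAAAAAAA", "ssssssss"),
    ("BBBBBBBB", "tttttttt"),
    ("CCCCCCCC", "uuuuuuuu"),
    ("DDDDDDDD", "vvvvvvvv"),
    ("ABCDEFGH", "stuvwxyz"),
]


def shape(text: str) -> tuple:
    """Replace each character by the index of its first appearance, so that
    'AAAAAAAA' -> (0, 0, 0, 0, 0, 0, 0, 0) and 'ABCDEFGH' -> (0, 1, ..., 7).
    Two strings with the same shape repeat characters in the same positions."""
    first_seen = {}
    return tuple(first_seen.setdefault(ch, len(first_seen)) for ch in text)


def leaks_structure(password: str, stored: str) -> bool:
    """True when the stored value has the password's length and repetition
    pattern: equal password characters always became equal stored characters,
    so length and repeated characters can be read straight off the file."""
    return len(password) == len(stored) and shape(password) == shape(stored)


def single_substitution_fits(pairs) -> bool:
    """True when one position-independent character-to-character map explains
    every pair. A one-way hash never satisfies this; a fixed substitution
    always does."""
    mapping = {}
    for password, stored in pairs:
        if len(password) != len(stored):
            return False
        for p_ch, s_ch in zip(password, stored):
            if mapping.setdefault(p_ch, s_ch) != s_ch:
                return False
    return True


def audit(pairs) -> dict:
    """Summarise what the stored form reveals about the chosen passwords."""
    return {
        "all_pairs_leak_structure": all(leaks_structure(p, s) for p, s in pairs),
        "single_substitution_fits": single_substitution_fits(pairs),
    }


def hashed_pairs(passwords) -> list:
    """Reference point: the same passwords stored as SHA-256 hex digests. Shown
    only for contrast; a real password store would also salt and use a slow hash."""
    return [(pw, hashlib.sha256(pw.encode()).hexdigest()) for pw in passwords]


if __name__ == "__main__":
    print("advisory samples:", audit(ADVISORY_SAMPLES))
    print("hashed reference:", audit(hashed_pairs([p for p, _ in ADVISORY_SAMPLES])))
```

Both tests come back true for the advisory's samples and false for the hashed reference, which is the concrete basis for the advisory's conclusion that the file offers no protection to the passwords it holds: an auditor can run the same check against any application by creating a few test accounts with patterned passwords and comparing their stored forms.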

 
 


Copyright 2014, SecurityGlobal.net LLC