Pastel accounting potential user compromise
4th Mar 2003 [SBWID-6038]
COMMAND

	Pastel accounting potential user compromise

SYSTEMS AFFECTED

	PASTEL ACCOUNTING v6.0-6.12 (confirmed), earlier versions (suspected)

PROBLEM

	From the -ph33r-blaqhatz advisory:
	
	
	blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-b
	l                                                                          l
	a      ,-.        ||||||  ||     //\\   /|||\  ||  ||  //\\ |||||| |||||/  a
	q     /`-'\       ||   )) ||    //  \\ ||   || ||  || //  \\  ||      //   q
	|  .-/     \-,    ||||<<  ||    /||||\ ||   || |||||| /||||\  ||     //    |
	b (  `.___.'  )   ||   )) ||    ||  || ||   || ||  || ||  ||  ||    //     b
	l  `. _____ .'    ||||||  ||||| ||  ||  \|||\\ ||  || ||  ||  ||   /|||||  l
	a                                            \\                            a 
	q-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq-blaq
	
	 http://www.only4jewz.net/efil4zaggin/blaqhatz.advisory.20030303
	
	1. BACKGROUND
	
	Pastel  Accounting  is  an  accounting  package  widely  used  by  small
	business entities in countries in Africa, Europe,  the  Middle  and  Far
	East and Australasia. The Pastel product includes a facility for  secure
	access to specific modules within the product.
	
	Further information is available @ http://www.pastel.com
	
	
	2. PROBLEM DESCRIPTION
	
	The security system and application controls used by the Pastel  product
	are broken.
	
	All user and security information is stored in the file  "ACCUSER.DAT"
	within the chosen client folder. Nothing in this file is encrypted, and
	the application performs no version or validity check on it.
	
	As such, it is possible to replace the ACCUSER.DAT file with one from a
	different set of accounts with known usernames and passwords, access and
	modify the data stored within a specific set of accounts, and then
	restore the original file, leaving no concrete record of who modified
	the files.
	
	In some contexts, it would even be possible to  falsify  records  in  an
	attempt to 'frame' a particular user with changes.
	
	Additionally,  some  preliminary  testing  on   the   accuser.dat   file
	displayed an alarming correlation between certain sections of  the  file
	and the passwords chosen. For example,  given  a  group  of  users  with
	chosen passwords "AAAAAAAA",  "BBBBBBBB",  "CCCCCCCC",  "DDDDDDDD",  and
	"ABCDEFGH", the following strings were found in  the  file:  "ssssssss",
	"tttttttt", "uuuuuuuu", "vvvvvvvv", and "stuvwxyz".
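	The two weaknesses described above (a user file that can be swapped in from another
	set of accounts because nothing validates it, and password storage that preserves the
	password's structure) are what a MAC-protected, salted user store is meant to prevent.
	The following is an added example, not Pastel's code or the advisory author's;
	INSTALL_SECRET, the data-set identifiers and the user names are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical per-installation secret kept OUTSIDE the client (data set) folder,
# so copying or swapping the user file does not carry the key along. Constructed here.
INSTALL_SECRET = secrets.token_bytes(32)
ITERATIONS = 100_000  # PBKDF2 work factor; tune for the target hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted PBKDF2 record: nothing about the password can be read back."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "pbkdf2": digest.hex()}

def seal_user_store(dataset_id: str, users: dict) -> bytes:
    """Serialise the user table and append a MAC bound to this data set."""
    body = json.dumps({"dataset": dataset_id, "users": users}, sort_keys=True).encode()
    tag = hmac.new(INSTALL_SECRET, dataset_id.encode() + b"\0" + body, "sha256").digest()
    return body + b"\n" + tag.hex().encode()

def open_user_store(dataset_id: str, blob: bytes) -> Optional[dict]:
    """Return the user table only if the MAC is valid for this data set."""
    body, _, tag_hex = blob.rpartition(b"\n")
    expected = hmac.new(INSTALL_SECRET, dataset_id.encode() + b"\0" + body, "sha256")
    if not hmac.compare_digest(expected.hexdigest().encode(), tag_hex):
        return None
    record = json.loads(body)
    return record["users"] if record.get("dataset") == dataset_id else None

def check_login(users: dict, name: str, password: str) -> bool:
    rec = users.get(name)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(rec["salt"]), ITERATIONS)
    return hmac.compare_digest(digest.hex(), rec["pbkdf2"])

def demo() -> tuple:
    # Constructed data: the victim's books and a second set whose passwords are known.
    victim = seal_user_store("ACME-2003", {"alice": hash_password("AAAAAAAA")})
    other = seal_user_store("MINE", {"mallory": hash_password("mallory")})
    genuine = open_user_store("ACME-2003", victim)
    swapped = open_user_store("ACME-2003", other)  # user file swapped in from another set
    return (check_login(genuine, "alice", "AAAAAAAA"),   # True
            swapped is None,                             # True: the swapped file is rejected
            check_login(genuine, "alice", "BBBBBBBB"))   # False
```

	Binding the data-set identifier into the MAC means a user file sealed by the same
	installation for a different set of accounts is still refused.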

SOLUTION

	None yet
