Product Description:

Internet-based account wagering interface built from HTML and Java web applications. The HTML functionality includes viewing current account balances, viewing current odds by track, placing wagers, reviewing wagers, and viewing official results/prices by track. The Java application is designed for faster single-screen wagering and also allows viewing account balances and current odds for a selected track.

Vulnerability description:

1. Account and PIN combination authentication.

On the machine we tested, the login page http://target/homebet/homebet.dll?form=menu&option=menu-signin relies on two numeric components to authenticate: an account number and a 4-digit PIN code. Apart from the fact that the credentials are passed in plain text over unencrypted HTTP, the main problem is that the error page returned for a bad account number is different from the page returned for a bad PIN. The two pages act as an oracle: an attacker can first enumerate valid account numbers with one request per candidate, and then brute-force the PIN of each confirmed account with at most 10,000 guesses, instead of having to search the full account-and-PIN space. A Perl script to find valid account numbers can be found at http://www.sec-1.com/ba.pl (sorry for the lameness of this script, but I didn't spend much time on it after I found vulnerability number 2, see below).

2. Read access to homebet.log

The machine we tested was running IIS 4 and was vulnerable to RDS, which allowed us to do a bit of exploring. A log file containing account and PIN numbers is stored in the /homebet/ virtual directory, e.g. http://target/homebet/homebet.log. Because the file sits under the web root, it can be fetched by any anonymous web user without needing RDS at all; it contains all the information needed to gamble other people's money. A script to print accounts and PINs from the downloaded log file is at http://www.sec-1.com/homebetlog.pl.

Vendor status: Reported

Workaround: Change the ACL on homebet.log so that the IIS anonymous account (IUSR_<machinename>) has no access. Note that this only stops the file being served over HTTP: the plaintext account and PIN numbers are still written to disk, so the application should also stop logging credentials, and the RDS hole needs to be patched separately since the ACL change does not close that path.
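The two-phase attack described under vulnerability 1 (enumerate accounts via the distinguishable error page, then brute-force each confirmed 4-digit PIN), as an added example that is not part of this advisory and is not the ba.pl script from sec-1.com. The sign-in page is replaced by a constructed in-process stand-in so the example runs offline: the account numbers, PINs, response bodies and candidate range are all made-up assumptions, and the field names a real probe would POST to the sign-in URL are not given in the advisory, so no network code is shown. The same stand-in can also be switched to return one uniform failure page, which shows what the fix buys: the request counter makes the cost difference visible.

```python
import re

# Constructed credential store for the stand-in server (not real data).
FAKE_ACCOUNTS = {"100234": "4821", "100235": "0007"}

# Constructed range of account numbers an attacker would sweep.
CANDIDATES = [str(n) for n in range(100230, 100250)]

# Response bodies. The first three model the tested page (distinct pages
# for bad account and bad PIN); GENERIC models the hardened behaviour.
BAD_ACCOUNT = "<html>Invalid account number</html>"
BAD_PIN = "<html>Invalid PIN for this account</html>"
SUCCESS = "<html>Welcome, your current balance is shown below</html>"
GENERIC = "<html>Account number or PIN incorrect</html>"


def make_server(distinguishable):
    """Return (probe, counter); probe(account, pin) -> response body.

    Stand-in for the sign-in page. A real probe would POST the two
    fields to the advisory's sign-in URL and return the body.
    """
    counter = {"requests": 0}

    def probe(account, pin):
        counter["requests"] += 1
        if FAKE_ACCOUNTS.get(account) == pin:
            return SUCCESS
        if not distinguishable:
            return GENERIC
        return BAD_PIN if account in FAKE_ACCOUNTS else BAD_ACCOUNT

    return probe, counter


def classify(body):
    """Map a response body to success / bad_account / bad_pin / generic."""
    if re.search(r"welcome", body, re.I):
        return "success"
    if re.search(r"invalid account", body, re.I):
        return "bad_account"
    if re.search(r"invalid pin", body, re.I):
        return "bad_pin"
    return "generic"


def enumerate_accounts(probe, candidates):
    """Phase 1: one request per candidate with a fixed wrong PIN.

    The account exists if the server complains about the PIN rather than
    the account number (or, by luck, logs us in). Against a server that
    returns one uniform failure page nothing can be confirmed.
    """
    confirmed = []
    for acct in candidates:
        if classify(probe(acct, "0000")) in ("bad_pin", "success"):
            confirmed.append(acct)
    return confirmed


def brute_force_pin(probe, account, pin_digits=4):
    """Phase 2: walk the whole PIN space (10**pin_digits) for one account."""
    for n in range(10 ** pin_digits):
        pin = f"{n:0{pin_digits}d}"
        if classify(probe(account, pin)) == "success":
            return pin
    return None


def attack(probe, candidates):
    """Enumerate first, then brute-force PINs only for confirmed accounts.

    With no oracle the attacker falls back to the full product search over
    every candidate account; the request counter shows the difference.
    """
    confirmed = enumerate_accounts(probe, candidates)
    targets = confirmed or list(candidates)
    found = {}
    for acct in targets:
        pin = brute_force_pin(probe, acct)
        if pin is not None:
            found[acct] = pin
    return found


if __name__ == "__main__":
    for mode, label in ((True, "distinct error pages"), (False, "uniform error page")):
        probe, counter = make_server(mode)
        creds = attack(probe, CANDIDATES)
        print(f"{label}: recovered {creds} in {counter['requests']} requests")
```

Against the distinguishable server the twenty-account sweep costs 20 requests and the PIN search is confined to the two real accounts; against the uniform-error server every candidate has to be walked through all 10,000 PINs. Returning one identical page for both failure cases (and, ideally, a lockout or delay after a handful of bad PINs) is what removes the oracle; the difference in page size or timing must also be checked, since an attacker's classifier does not need readable text to tell two responses apart.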
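The checks a site operator would want to run over the IIS logs after applying the workaround, as an added example that is not part of this advisory: any request for /homebet/homebet.log (served or refused), and any client hammering the sign-in page at the rate the PIN brute force above needs. The W3C extended log excerpt is constructed sample data, not a real capture; the two URL paths come from the advisory, but matching the credential submission on homebet.dll with a query naming the sign-in option is an assumption, since the advisory does not say which request carries the account and PIN.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS 4 W3C extended log excerpt (sample data, not a real capture).
_HEADER = [
    "#Software: Microsoft Internet Information Server 4.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
]
_NORMAL = [
    "2001-03-12 10:00:01 192.0.2.10 GET /homebet/homebet.dll form=menu&option=menu-signin 200",
    "2001-03-12 10:00:09 192.0.2.10 POST /homebet/homebet.dll form=menu&option=menu-signin 200",
    "2001-03-12 10:00:15 192.0.2.10 GET /homebet/homebet.dll form=balance 200",
]
# One client hitting the sign-in page once a second for half a minute, then
# fetching the credential log; a second client is refused after the ACL change.
_BURST = [
    f"2001-03-12 10:02:{s:02d} 198.51.100.7 POST /homebet/homebet.dll form=menu&option=menu-signin 200"
    for s in range(30)
]
_TAIL = [
    "2001-03-12 10:03:15 198.51.100.7 GET /homebet/HomeBet.log - 200",
    "2001-03-12 10:05:00 203.0.113.5 GET /homebet/homebet.log - 403",
]
SAMPLE_LOG = _HEADER + _NORMAL + _BURST + _TAIL


def parse_w3c(lines):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines that do not map onto the declared fields
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def log_file_access(records):
    """Every request for the credential log, whatever the case or status.

    IIS paths are case-insensitive, so compare lower-cased. A 200 means the
    file was served; a 403 after the ACL change is the expected outcome and
    still worth an alert, because it shows someone knows the path.
    """
    return [
        (r["c-ip"], int(r["sc-status"]))
        for r in records
        if r["cs-uri-stem"].lower().endswith("/homebet/homebet.log")
    ]


def signin_bursts(records, threshold=20, window_seconds=60):
    """Client IPs that hit the sign-in page >= threshold times in any window.

    Assumption: the credential submission is a homebet.dll request whose
    query names the sign-in option (covers both the form load and the submit).
    """
    per_ip = defaultdict(list)
    for r in records:
        stem, query = r["cs-uri-stem"].lower(), r["cs-uri-query"].lower()
        if stem.endswith("/homebet/homebet.dll") and "signin" in query:
            per_ip[r["c-ip"]].append(r["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("homebet.log requests:", log_file_access(recs))
    print("sign-in bursts:", signin_bursts(recs))
```

A PIN brute force at one request per second needs up to 10,000 requests per account, so even a generous threshold such as 20 sign-in hits per minute from one address separates it cleanly from a human placing wagers; tune the threshold against a day of real traffic before alerting on it.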
Gary O'leary-Steele
Technical Consultant
Email: GaryO@sec-1.com
Web Site: www.sec-1.com