Bugtraq mailing list archives

Vulnerability in Amtote International homebet self service wagering system.


From: "Gary O'leary-Steele" <GaryO () sec-1 com>
Date: Sat, 29 Sep 2001 15:43:32 +0100


Product Description:

Internet-based account wagering interface utilizing HTML and JAVA web-based
applications. The HTML functionality includes viewing current account
balances, viewing current odds by track, placing wagers, reviewing wagers,
and viewing official results/prices by track. The JAVA application is
designed for faster single-screen wagering and also allows for viewing
account balances and current odds by selected track.

Vulnerability description:

1.      Account and PIN combination authentication.

On the machine we tested, the login page
http://target/homebet/homebet.dll?form=menu&option=menu-signin relies on
two numeric components to authenticate: an account number and a 4-digit PIN
code. One of the main problems (apart from the fact that the credentials are
passed in plain text) is that the error page for a bad account number is
different from the page for a bad PIN, so valid account numbers can be
enumerated and the combination is easily brute forced. A Perl script to find
valid account numbers can be found at http://www.sec-1.com/ba.pl (sorry for
the lameness of this script, but I didn't spend much time on it after I found
vulnerability number 2, see below).

2.      Read access to homebet.log

The machine we tested was installed on IIS 4 and was vulnerable to RDS,
which allowed us to do a bit of exploring. A log file containing account
and PIN numbers is stored in the /homebet/ virtual directory, e.g.
http://target/homebet/homebet.log. This file contains all the information
needed to go gambling with other people's money. A script to print accounts
and PINs from the downloaded log file is here: http://www.sec-1.com/homebetlog.pl



Vendor status:   Reported
Workaround:

Change ACL on homebet.log to no access for IUSER accounts.
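Both issues above leave a footprint in the IIS web logs: account enumeration shows up as one client cycling through many account numbers against homebet.dll, and the log exposure shows up as requests for homebet.log, a file no browser should ever ask for (after the ACL change above those requests still appear, with a 403). The following detector is an added example, not part of the original advisory or the vendor's product; the W3C field order and the sign-in form field name `account` are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample lines in IIS W3C extended format; field order assumed to be
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status. The form field
# name 'account' is an assumption, not taken from the product.
SAMPLE_LOG = """\
2001-09-29 14:01:02 10.0.0.5 GET /homebet/homebet.dll form=menu&option=menu-signin 200
2001-09-29 14:01:03 10.0.0.5 GET /homebet/homebet.dll form=signin&account=100001 200
2001-09-29 14:01:03 10.0.0.5 GET /homebet/homebet.dll form=signin&account=100002 200
2001-09-29 14:01:04 10.0.0.5 GET /homebet/homebet.dll form=signin&account=100003 200
2001-09-29 14:01:04 10.0.0.5 GET /homebet/homebet.dll form=signin&account=100004 200
2001-09-29 14:01:05 10.0.0.5 GET /homebet/homebet.dll form=signin&account=100005 200
2001-09-29 14:03:11 10.0.0.7 GET /homebet/homebet.dll form=signin&account=200444 200
2001-09-29 14:03:12 10.0.0.7 GET /homebet/homebet.dll form=signin&account=200444 200
2001-09-29 14:05:10 10.0.0.9 GET /homebet/homebet.log - 200
2001-09-29 14:07:30 10.0.0.11 GET /homebet/homebet.log - 403
"""

LOG_FIELDS = ("date", "time", "c_ip", "method", "uri_stem", "uri_query", "status")
SIGNIN_STEM = "/homebet/homebet.dll"
LOG_STEM = "/homebet/homebet.log"

def parse_line(line):
    """Split one W3C log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    return dict(zip(LOG_FIELDS, parts))

def analyze(log_text, enum_threshold=5):
    """Return (ips that tried >= enum_threshold distinct accounts, ips that touched homebet.log)."""
    accounts_by_ip = defaultdict(set)
    log_probes = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        stem = rec["uri_stem"].lower()
        if stem == LOG_STEM:
            # the log has no legitimate web consumer: alert even on 403/404
            log_probes.add(rec["c_ip"])
        elif stem == SIGNIN_STEM:
            # IIS writes '-' for an empty query; parse_qs drops a bare token
            for acct in parse_qs(rec["uri_query"]).get("account", []):
                accounts_by_ip[rec["c_ip"]].add(acct)
    enumerating = {ip for ip, accts in accounts_by_ip.items()
                   if len(accts) >= enum_threshold}
    return enumerating, log_probes
```

Running `analyze(SAMPLE_LOG)` flags 10.0.0.5 for enumeration and both 10.0.0.9 and 10.0.0.11 for probing the log file; a normal user retrying one account (10.0.0.7) is not flagged.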




Gary O'leary-Steele
Technical Consultant



Email:         GaryO () sec-1 com
Web Site:      www.sec-1.com


