Article 37879 of alt.security:

[Contest address included with Ameritel press release at end of message along with Oliver's hack and vpage.ini]

The Worldstar contest is more about "marketing" than it is about security. To change the rules because their system was defeated only reveals this purpose, not to mention the damage to their reputation.

If the VPage software is so secure then why don't they release the source for examination by cryptanalysts as is/has been done with Java, PGP, SSL, SET etc? I see no reason to trust security from companies who won't release their code for review by cryptanalysts, and who upon being "caught out", change the rules to "protect" their reputations. The offer of $500 to Oliver only underscores this ploy, as no mention of this was made in their press release. Why not?

And, I wonder why they are so quiet on this issue. I'm sure someone there must read this group; if not, then they're really out to lunch. Or perhaps they think that denial and staying quiet will minimize the damage. Think again. Remember Intel's first response to the Pentium bug?

Also, why would they implement a new technology that will not be endorsed by those in the industry (i.e., Visa, Mastercard, MS, HP, Sun et al) who are attempting to establish open verifiable credit transaction standards? Do they believe that they can somehow supersede this technology?

Before announcing this contest they should have made quite sure that neither I nor anyone else could freely download their .ini files or executable code which, in the hands of someone more talented than myself, no doubt would have spelled disaster. However I'm sure they got some valuable lessons from this little exercise, and have probably patched some of these holes. I charge $75.00 per hr, x4, that's $300. (If you're reading this, email me and I'll tell you where to send the cheque.)

All in all I'd say this marketing campaign was a complete failure. Can't wait to see what the press has to say.
For anyone interested the "contest" is at: http://205.200.247.10

________________WorldStar Press Release Excerpt____________________

[Dated June 12/96 - the system was compromised June 14/96 by iceman@MBnet.MB.CA (Oliver Friedrichs)]

Can you hack it?
By Paul McKie
Business Reporter

ATTENTION ALL HACKERS. A Winnipeg computer company believes it has the world's best security system for the Internet and is challenging everyone to prove it wrong.

As of last night, World Star Holdings Ltd. is daring anyone in the world to break through its security system and open a door located on its World Wide Web site. If you succeed, there's a $50,000 reward.

It's being called Cybertest '96 and Jason Beck, World Star's marketing and communications manager, says while hackers usually fear jail terms for getting into a company's computer systems, World Star wants to tap into their talents to make its products better.

Confident: Brian Greenberg, World Star president, said they are confident no one will break into the system, protected by VPAGE, a software package created by Michael Burke and a team of computer technicians in Winnipeg.

"We'd probably hire that person," said Beck.

Beck and Greenberg have offered a $50,000 reward to a successful hacker.

World Star's web site is at http://205.200.247.10 and features a steel door. For the last few weeks a clock has counted down the time before the challenge begins. Last night the door opened revealing another door. That's the one World Star says can't be opened.

It's a publicity stunt but Greenberg said the company is ready to show the world the state of the art software.

_______________________Oliver's Hack_______________________

VPAGE
~~~~~

The product which is being developed by World Star Holdings Inc. is known as VPAGE. VPAGE is essentially a package designed to allow dynamic creation of web pages when a user selects a link on their server.
Before delivering the web page to the user, security checks are done to ensure that the user is an authorized user. To support this dynamic delivery of web pages, an interpretive language known as MAPOL was developed. For each page, instead of having regular html documents, there are scripts which generate the page, after performing security checks. These scripts have an .mpl extension.

The breakin
~~~~~~~~~~~

The hostname of the challenge server (205.200.247.10) was obtained via snmp. The hostname obtained was ZEUS. Using samba, it was easy to obtain a listing of filesystems which were being exported (now that we knew the hostname).

# ./smbclient -L ZEUS -I 205.200.247.10

Initially on June 13, the following directories were directly mountable on host 205.200.247.10. The complete contents of these directories were accessible and easily modified by any user on the internet. (Not actual samba output, rather a DIR command).

DOORCO~1     06-11-96   3:56p
HTML         06-13-96   4:04a
INI          06-13-96   3:04p
SCRIPTS      06-13-96   9:08a
SECURE       06-13-96   3:05p

These directories were accessible via the netbios service, which offered unrestricted, unpassworded access to the system directories. Somewhere during the day of June 13, access was lost to the scripts and ini directories, however it remained for the html directory which contained html pages offered by the server.

Windows NT does not easily allow any interaction with the operating system without having the system operator install a daemon to support this interaction. The dynamic design of VPAGE and the MAPOL scripting language made it possible to execute any Windows NT shell command, and obtain the output. The MAPOL language has an option to execute a shell command with the following syntax:

PRINT SHELL("COMMAND.COM /C DIR /S C:\")

By simply placing a .mpl script onto the server, it was possible to cause VPAGE to execute this script.
VPAGE only looks in the scripts directory, however it was easily possible to force VPAGE to execute our own script in any other directory via:

http://205.200.247.10/vpage3.exe?..\html\script.mpl

When originally entering the challenge site via the initial web page, one is presented with a locked bank vault which requires an "account number" to pass through. The 101 digit account number to pass through the bank vault door was obtained by replacing a script called 'verify.mpl', which was originally used to compare the code entered by the user with the passcode on the server. The verify.mpl script was modified to print out the passcode, and to succeed even if it was incorrect.

At the bank teller window, one was presented with the following text:

'You have 10(ten) tries to break into an account in a 24 hour period. You must then wait 24 hours before you are eligible to try again.'

The code obtained was:

dkl14234rf3ew344idfr3j23qrfwojowqjoijo3481379491281
klj318912jo3j981oij3198u3k9ualsdjlkj289u492yaright

After entering the code correctly, one was presented with a web page with the following text:

'CONGRATULATIONS!!! Please present the following statement to Ameritel.... 342423421237678679didn'tthinkyouwouldmakeittohere'

No list of product codes and prizes were easily available - perhaps hidden on another server and not referenced by this server. Any information stored on and passed by this server can be compromised in this case; if stored in encrypted form, it would still have to be unencrypted at some point.

Within a day of contacting World Star Holdings Inc. this page was changed, and then stated:
                                                    ^^^^^^^^^^^^^ ^^^^^^^

'CONGRATULATIONS!!! You've made it through the entrance door! This establishes that you've got what it takes to take the CyberTest'96 Challenge. Good Luck!'
(Which it will still state now when the 101 digit code is entered)

No, the VPAGE software itself was not breached (however we have analyzed the software, and have come up with possible entry points). The entry points were weaknesses in their system setup - ones which anyone could have exploited with minimal knowledge of networking.

I hereby certify that the above description is true, and that there are many reliable witnesses who can account for these events. A complete directory tree is available which contains a listing of all files (including operating system) which were present on the system at the time of the breach. The actual breach occurred from 00:01 A.M. June 14 until 5:00 A.M. June 14.

Following is a listing of the root C:\ directory on the challenge server:

 Volume in drive C has no label
 Volume Serial Number is 9C3B-5A58
 Directory of C:\

AMERITEL              06-14-96   4:01a
ARJ      EXE   104614 01-19-92  11:51p
AUTOEXEC BAT       42 06-11-96   9:17a
COMMAND  COM    92870 07-11-95   9:50a
CONFIG   SYS       19 06-11-96   9:16a
EMM386   EXE   125495 07-11-95   9:50a
FTP                   06-11-96   3:03p
FTP_LOG               06-11-96   3:03p
HAL      DLL    48416 05-26-95   4:57a
HIMEM    SYS    32935 07-11-95   9:50a
HTTP_LOG              06-12-96  12:15a
I386                  06-11-96   9:24a
INI_FI~1              06-11-96   4:58p
MOUSE    COM    56408 03-10-93   6:00a
MOUSE    INI       53 12-21-94  12:06a
PAGEFILE SYS 45088768 06-12-96   1:50p
SMARTDRV EXE    45145 08-22-95   9:39a
TEMP                  06-13-96   1:36p
USERS                 06-11-96   1:20p
WIN32APP              06-11-96   1:20p
WINNT35               06-12-96   1:50p
       21 file(s)   45594765 bytes

10-15 people were present when the correct account number was entered and the congratulations page was displayed. All web pages were printed out at the time they were displayed.

I have been told that this completes 1/5th of the challenge. I have been offered $500 by World Star Holdings Inc. however have not as of yet received payment.
Oliver Friedrichs

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oliver Friedrichs                               MBnet System Administrator
"UNIX doesn't have bugs, it just develops random features"

___________________________VPAGE.INI_________________________

; ----------
;SCRIPTS.INI
; ----------
; ----------------------------------------------------------------------------
; The COMMON section contains entries that are common across multiple scripts.
; However, certain entries which are common across multiple scripts are found
; under VPAGE3.EXE because VPAGE3.EXE requires these entries.
;
; Every script, such as PARK.MPL, can have its own section to store entries
; that are unique to that script.
; ----------------------------------------------------------------------------

[APPKEY]
pagelist=

[COMMON_FILE_SERVER]
SERVBAK=\\ub-7\
SERVDEF=\\ub-7\

[DDE]
SQL_FILE=c\lists\sql.ini
INPUT_PATH=
OUTPUT_PATH=
SLEEP_TIME=1
TIME_OUT=3000
DELETE_DUN_RCV_FILE=YES
STATUS_PATH=c\lists\ddestatus.ini

[DEFAULT SERVER]
SERVER=\\ub-7\c\html\

[IMAGES]
BUTTON_BACK=BACK
BUTTON_FORWARD=FORWARD
BUTTON_HELP=HELP
BUTTON_NEXT=NEXT
BUTTON_SCREEN=SCREEN
BUTTON_SEARCH=SEARCH
BUTTON_SERVICE=SERVICE
BUTTON_START=START
BUTTON_TOP=TOP
BUTTON_TSEARCH=TOPIC SEARCH

[MACHINE ID]
VPAGE=http://205.200.247.10

[PATHNAMES]
AMENITY_FILE=c\lists\amenity.ini
APPKEY_FILE=c\html\appkey\
ATTEMPTS=c\lists\attempt.ini
AVAILABLE_ID=c\lists\user_id.ini
BAD_IP=c\lists\bad_ip.ini
CONFIRM_INI=c\lists\confirm.ini
CREDIT_CARD_PAGE=c:\ameritel\secure\credit.htm
DOOR_LISTS=doorlist\
DOOR_LOG=c\lists\entrance.log
ENFORCE_FILE=c\lists\enforce.ini
EXCLUDE_FILE=c\lists\exclude.ini
FAX_FILE=\\UB-7\W95FAX-01\new\
FAX_FILE_BACKUP=\\UB-7\W95FAX-01\backup\
FAX2_FILE=\\UB-7\W95FAX-02\new\
FAX2_FILE_BACKUP=\\UB-7\W95FAX-02\backup\
FAX3_FILE=\\ub-7\W95FAX-01\new\
FAX3_FILE_BACKUP=\\ub-7\W95FAX-01\backup\
GUEST_FILE=c\html\guests\
HTML_PAGE_PATH=c:\ameritel\secure\
ID_PASSWORD=c\lists\id_pwd.ini
INI_PATH=c:\ameritel\ini\
IP_AND_NAME=c\lists\ip_name.ini
IP_NAME_ID=c\lists\ipidname.ini
ID_EmpID=\\UB-7\c\lists\ID_EmpID.ini
ISSUED_ID=c\html\register\reg_info\
LOGFILE_PATH=c:\ameritel\log\
LOCAL_TEMP_DIRECTORY=temp\
MAIL_PAGE=c:\ameritel\secure\mail_am.htm
MESSAGE_LIST=c:\ameritel\secure\mes_list.htm
NAME_LIST=c:\ameritel\secure\mailname.ini
NEW_USER=c\lists\new_user.aml
NEW_MESSAGE=c\lists\new_mes.aml
READ_MAIL=c:\ameritel\secure\mailread.htm
REG_LOG_FILE=c\lists\registration.log
REGISTRATION_LOG=c\lists\reg_log.txt
REPLY_MAIL=c:\ameritel\secure\reply_am.htm
SCRIPT_PATH=C:\AMERITEL\SCRIPTS\
STAT_INI=c\lists\start.ini
TEMP_FAX_FILE=\\UB-7\W95FAX-01\temp\
TEMP_FAX2_FILE=\\UB-7\W95FAX-02\temp\
TEMP_FAX3_FILE=\\ub-7\W95FAX-01\temp\
TRUSTED_IP=c\lists\trust_ip.ini
USR_ID_FILE_PATH=C\HTML\REGISTER\ID_IP\
USR_ID_IP=c\lists\id_ip.aml
USR_MAIL=c\HTML\MAIL\USERS\
USR_REGISTER=c\HTML\REGISTER\USERS\
YP_TOPIC_LIST=c\lists\YPTopic.lst
YP_SEARCH_PAGE=c:\ameritel\secure\ypcasch.htm

[SEARCH]
H_AGENT_PAGES=Hotelna.htm, Hoteleu.htm, Hoteljp.htm, Hotelau.htm
H_AGENT_SEARCH_PAGE=hotelsrc.htm
H_SEARCH_PAGES=agentsch.htm, hotelsch.htm, hotcasch.htm, hotnasch.htm, hotelsrc.htm

[SERVER]
IP=205.200.247.10
NAME=ZEUS

[TIME_OUT]
AGENT_TIMEOUT=90
DEFAULT_TIMEOUT=10

[AM_VPAGE.MPL]
APPKEY_PATH=C\HTML\APPKEY\
APPKEY=\\UB-7\C\HTML\APPKEY\
DEFAULT_BACKLINK=
DEFAULT_BACKGROUND=
EXE_AND_SCRIPT_NAME=/vpage3.exe/
GIF=jpg,gif
JPG/=/gif/,/jpg/
JPG.=.gif,.jpg
KEEP_LOG=No
MAP=.map,~.map
NO_IMAGE=img,xxx
SERVER_IP=198.163.214.91,205.200.247.10
TIME_UPDATE_FILE=update.ini

[PARK.MPL]
PARKED_TIME=0

[CAR.MPL]
SECURE_DIRECTORY=c:\ameritel\secure\
CAR_DIRECTORY=carental\car2.htm
DELETE_DDE_FILES=YES
FAX_TEST=YES

[TICKET.MPL]
SECURE_DIRECTORY=c:\ameritel\secure\
DELETE_DDE_FILES=YES
FAX_TEST=YES

[PROPERTY.MPL]
PROPERTY_DIRECTORY=c\html\register\PropertyUsers\
SECURE_DIRECTORY=c:\ameritel\secure\property\
DELETE_DDE_FILES=NO
DEFAULT_HTM=c\html\property\default
HTM_DIRECTORY=c\html\property\htm
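An added example, not part of Oliver's report or of the VPAGE product, for the script-execution weakness described under "The breakin" (vpage3.exe resolving a caller-supplied name such as ..\html\script.mpl outside its scripts directory), written from the defender's side. resolve_unchecked() mirrors the behaviour the report describes; resolve_confined() is an assumed hardened replacement that refuses anything outside SCRIPT_PATH or not ending in .mpl; flag_traversal_requests() picks the same pattern out of web-server access log lines, percent-decoding first, so it also catches encoded variants the report does not mention. SCRIPTS_DIR is the SCRIPT_PATH value from the posted vpage.ini; the log lines, hosts and timestamps are constructed.

```python
"""Added example (not from the original post or from VPAGE): an unchecked
script-path resolver beside a confined one, plus a log detector for the
traversal pattern. Standard library only; ntpath gives Windows path
semantics on any host."""
import ntpath
import re
from urllib.parse import unquote

# Directory VPAGE was meant to restrict script execution to; the value is
# SCRIPT_PATH from the posted vpage.ini.
SCRIPTS_DIR = r"C:\AMERITEL\SCRIPTS"


def resolve_unchecked(scripts_dir, requested):
    """Behaviour the report describes: the caller-supplied name is joined to
    the scripts directory and normalised, so '..' segments walk out of it."""
    return ntpath.normpath(ntpath.join(scripts_dir, requested))


def resolve_confined(scripts_dir, requested):
    """Assumed hardened resolver: reject absolute, drive-qualified and UNC
    names, then canonicalise and insist the result stays below scripts_dir
    and carries the .mpl extension. Returns None when the request is refused."""
    if (ntpath.isabs(requested) or ntpath.splitdrive(requested)[0]
            or requested.startswith(("\\\\", "//"))):
        return None
    full = ntpath.normpath(ntpath.join(scripts_dir, requested))
    base = ntpath.normcase(ntpath.normpath(scripts_dir)).rstrip("\\")
    # normcase lower-cases and folds '/' to '\', so the containment test is
    # case- and separator-insensitive.
    if not ntpath.normcase(full).startswith(base + "\\"):
        return None
    if ntpath.splitext(full)[1].lower() != ".mpl":
        return None
    return full


# A '..' segment at the start of the target or after a separator, '?', '&'
# or '=' (vpage3.exe took the script name from the query string).
_TRAVERSAL = re.compile(r"(?:^|[\\/?&=])\.\.(?:[\\/]|$)")
_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def flag_traversal_requests(log_lines):
    """Return (line_number, decoded_target) for every request whose target
    contains a '..' segment once percent-encoding has been removed."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _REQUEST.search(line)
        if not m:
            continue
        target = unquote(m.group(1))
        if _TRAVERSAL.search(target):
            hits.append((n, target))
    return hits


# Constructed sample access log in common log format; hosts, times and
# byte counts are invented.
SAMPLE_LOG = [
    r'10.0.0.5 - - [14/Jun/1996:00:03:12 -0500] "GET /vpage3.exe?verify.mpl HTTP/1.0" 200 1204',
    r'10.0.0.5 - - [14/Jun/1996:00:04:40 -0500] "GET /vpage3.exe?..\html\script.mpl HTTP/1.0" 200 8812',
    r'10.0.0.9 - - [14/Jun/1996:00:05:01 -0500] "GET /vpage3.exe?%2e%2e/html/script.mpl HTTP/1.0" 200 8812',
    r'10.0.0.7 - - [14/Jun/1996:00:06:18 -0500] "GET /index.htm HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    print("unchecked:", resolve_unchecked(SCRIPTS_DIR, r"..\html\script.mpl"))
    print("confined :", resolve_confined(SCRIPTS_DIR, r"..\html\script.mpl"))
    print("legit    :", resolve_confined(SCRIPTS_DIR, "verify.mpl"))
    for n, target in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {n}: traversal attempt {target}")
```

Run it as a script to see the unchecked resolver land in C:\AMERITEL\html while the confined one refuses the same request and accepts verify.mpl; the same containment test applies to any CGI that takes a file name from the request, and the log scan is the check to run over HTTP_LOG after an incident like this one.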