Bugtraq mailing list archives

America Online Token Hole
From: mackk () RPI EDU (Kevin Mack)
Date: Thu, 8 Jul 1999 11:18:33 -0400

Normally I wouldn't post things of this nature, but I thought it was important enough. About a year ago, I found out
that by sending the "Rw" token to the AOL host while signed on along with the object's internal id as arg, any user
could get detailed info about any object on the system. Included in this information is the user who created the object
and tons of other information like its current viewrule and AOL url. This was all great for about a week until AOL
officially fixed the hole. Normally only internal users are allowed such access for security reasons. Using this
exploit, anyone can see headings in AOL's Network Operations Center and look at user count information and AOL monthly
profits before they are even released. AOL put all their stuff online... Anyways, the hole still exists but is windowed
for only about an hour a day. I have no clue why and it seems random... For example, yesterday, July 7th, it existed
between 6:30-7:30PM EST. Here is a sample FDO88/91 that will create a button to send the Rw token with arg and help
you exploit. Fill the internal id with any number you wish to see. I do have a listing of interesting ids if anyone
wants to follow this further... and good luck with the timing...

man_start_object < trigger, "" >
mat_relative_tag < 22 >
sm_send_token_arg <"Rw", INTERNAL ID HERE>

mat_precise_x < 0 > 
mat_precise_y < 226 > 
mat_font_sis < small_fonts, 7, normal> 
mat_art_id < 1-0-21184 >
mat_bool_default < yes > 

comments questions..   mackk () rpi edu
