COMMAND
AOL (America Online Token Hole)
SYSTEMS AFFECTED
AOL
PROBLEM
Kevin Mack found out that by sending the "Rw" token to the AOL
host while signed on, along with the object's internal id as the
arg, any user could get detailed info about any object on the
system. Included in this information is the user who created the
object and tons of other information like its current viewrule and
AOL url. Normally only internal users are allowed such access for
security reasons. Using this exploit, anyone can see headings in
AOL's Network Operations Center and look at user count
information and AOL monthly profits before they are even released.
AOL put all their stuff online... Anyway, the hole still exists
but is windowed for only about an hour a day. No clue why, and it
seems random (despite the fact that it was fixed)... For example, on
July 7th it existed between 6:30-7:30PM EST. Here is a sample
FDO88/91 that will create a button to send the Rw token with an
arg and help you exploit it... fill the internal id with any number
you wish to see..
man_start_object < trigger, "" >
    mat_relative_tag < 22 >
    act_replace_select_action
    <
        uni_start_stream
        sm_send_token_arg < "Rw", INTERNAL ID HERE >
        uni_end_stream
    >
    mat_precise_x < 0 >
    mat_precise_y < 226 >
    mat_font_sis < small_fonts, 7, normal >
    mat_art_id < 1-0-21184 >
    mat_bool_default < yes >
man_end_object
Programmable AOL buttons are written in FDO (Form Display
Operation). You can compile these forms using AOL's Visual
Publisher Designer tool. The Rw token exploit was discovered in
early 1998 by Slushie and Uaert, not by this Mack person.
The Rw token was used when AOL accounts with Rainman publishing
rights had access to two or more Rainman Groups. Since objects
could have the same external ID and be in different Rainman
Groups, AOL designed the Rw token to allow you to choose the
particular Rainman Group you wanted the EOI feedback displayed
from. After AOL patched the Rw in early 1998, Rainman users were
no longer able to get a list of all the objects using the same
external ID. Instead they had to type in the Rainman group AND
the external ID in order to view the EOI feedback, i.e. "1928.tos
blah".
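The weakness described above is a server-side authorization gap: the host acted on the Rw token and returned the full object record without checking whether the caller was an internal account. The following Python is an added example, not part of the original advisory and not AOL's code. It models a token handler with and without that check, and a small audit routine that flags Rw requests from non-internal accounts in constructed host-side log lines. The object fields (creator, viewrule, url) and the "internal users only" rule are taken from the advisory; the record layout, the log format, the screen names and the second token name "Ab" are assumptions made up for illustration.

```python
from dataclasses import dataclass

# Hypothetical object record; field names follow what the advisory
# says the Rw response exposes (creator, viewrule, AOL url).
@dataclass(frozen=True)
class AolObject:
    internal_id: int
    creator: str
    viewrule: str
    url: str

# Hypothetical signed-on session: only the internal flag matters here.
@dataclass(frozen=True)
class Session:
    screen_name: str
    internal: bool  # True for AOL staff accounts

# Constructed sample object store keyed by internal id.
OBJECTS = {
    1001: AolObject(1001, "opsadmin", "internal_only", "aol://4344:1001"),
    1002: AolObject(1002, "member42", "public", "aol://4344:1002"),
}

def rw_vulnerable(session: Session, internal_id: int):
    """The hole: any signed-on account that sends Rw gets the full record.

    The host trusts that only internal tools would ever send this token,
    so the session's privilege level is never consulted."""
    return OBJECTS.get(internal_id)

def rw_fixed(session: Session, internal_id: int):
    """Hardened handler: enforce the internal-only rule on the server.

    The check is on the session, not on the token or the arg, so a
    client-side form that sends Rw with an arbitrary id gains nothing."""
    if not session.internal:
        raise PermissionError("Rw is restricted to internal accounts")
    return OBJECTS.get(internal_id)

# Constructed host-side log lines: date, time, then key=value fields.
# "Ab" is a made-up token name standing in for any unrelated token.
SAMPLE_LOG = """\
Jul07 18:31:02 screen=member42 internal=no token=Rw arg=1001
Jul07 18:31:05 screen=member42 internal=no token=Rw arg=1002
Jul07 18:40:17 screen=opsadmin internal=yes token=Rw arg=1001
Jul07 18:42:00 screen=member42 internal=no token=Ab arg=0
"""

def audit_rw(log_text: str):
    """Return (screen_name, internal_id) for every Rw sent by a
    non-internal account. Such events should never occur once the
    server-side check is in place, so any hit is worth investigating."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        if fields.get("token") == "Rw" and fields.get("internal") == "no":
            hits.append((fields["screen"], int(fields["arg"])))
    return hits

if __name__ == "__main__":
    member = Session("member42", internal=False)
    print("vulnerable:", rw_vulnerable(member, 1001))
    try:
        rw_fixed(member, 1001)
    except PermissionError as e:
        print("fixed:", e)
    print("audit hits:", audit_rw(SAMPLE_LOG))
```

The point of the comparison is that the fix belongs in the host's token dispatcher, keyed on the caller's privilege level; changing or hiding the client form does not help, because the advisory's FDO snippet shows how easily a client can be made to send any token with any arg. The audit routine is the detection side: with the check in place, a non-internal Rw in the logs indicates either a regression (such as the advisory's one-hour daily window) or a client probing for one.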
SOLUTION
AOL officially fixed the hole, but I'm not sure what's with that
one-hour exploit period. Of course, this is AOL we are talking
about, and they are not known for running the most efficient and
secure service.