How to bypass 3web ads

Renderman, 7/25/99
Www.hackcanada.com
RenderMan@Hackcanada.com


3web is a new dial-up ISP service available in the Edmonton and Calgary
areas. It is advertiser funded so there is no cost to you. They don't
take a credit card or even make you sign anything (except the usual "if
you continue you agree" license agreements we all know and hate), so this
service can also be completely anonymous. But now you're asking, "What's
the catch?"  The catch is that the top 6th of your browser is annoying
advertisements and you sign away some of your personal information. It's
totally free except for the annoying ad bar. Sure you can ctrl-alt-Del and
quit cydial95 (I'll get to this in a minute) then the 3web browser, but
that's a pain. The ad software is Win9X only, which raises the question,
"what if I want to use this great free service on a real OS, like linux or
BSD, or even a palm pilot?" Good question. Here's how.

The following information is meant for educational use, so don't actually
do this! I'm not sure if this borders on fraud or not (I'm no lawyer, nor
would I want to be). This is meant to teach you how not to use the windows
PWL files to store sensitive information for your own programs you write.
I would also hope that 3web would pickup on the fact that other OS's may
want to use this (nudge, nudge, wink, wink).

And here's The Windup:

You can get a setup CD from any Husky or Mohawk gas station for free w/
a 15L fill (you probably needed gas anyway). You can also download it
from http://www.3web.net (if you decide to download it, you will need to
get a registration # off of the site (see Note 1 at bottom!)
 
Run the setup program under Win9x (you only have to do this once) and
create a user and input the registration # as they say, just give bullshit
answers to the survey (do you ever enter your real info into registrations
anyways?).  You'll notice when it dials it says "Sending Disk ID". This is
total bull, I have tried this 5 times with separate downloads and have never
had any trouble with any secondary authentication. (See Note 1 at Bottom!)

You'll notice that a dial-up networking connection has been created as it's
dialing out. After you do that you should have a user name and number.  

To connect normally you launch the 3web application and the top 6th of your
browser is inhabited by the ads, then you hit connect and the program uses
the 3web dialer (cydial95.exe) with the passwords stored in the windows pwl
files to connect. Great, free dial-up net access, but what about those
annoying ads.  

3web took a very dumb approach to connecting. They use their own dialer
but store the login info in the vulnerable Windows pwl files with some
sneaky tricks. The user before you connect in the registry key
"HKEY_CURRENT_USER\RemoteAccess\Profile\3web" is "3web" and the encrypted
password decrypts to "3web". After the program finishes dialing, it changes
that user string to the actual username and password they really need to
be, authenticates, then connects.

And the hack:

Fire up regedit and go to the key
"HKEY_CURRENT_USER\RemoteAccess\Profile\3web" look at the user string,
it should say "3web" when you're not connected, and suddenly change
(after hitting F5) after you connect to an alphanumeric string. Copy
this new string down and disconnect.

After the 3web dialer drops the connection, the string goes back to
the old "3web" value. Now replace that key with the string value while
you were connected. This tricks the dialer to cache the password to
the new value, and not the old value. Fire up 3web again and dial out.

A program like pwlview (See Note 2 Below)
(http://www.soft4you.com/DownLoad/pwlview.zip) or the BO2K server
(www.BO2K.com) can easily extract this information.  Just fire up the
3web application first, then hit the connect button. While it's
connected, run one of these programs and it will list all the cached
system passwords, including the 3web one. (Pwlview should look like
Dial-up:'Username' Password:'Password', and BO2K will report Resource:
'*Rna\3web\XXXXXXXX'  Password: XXXXXXXXX')  If you want to learn more
about what is going on, check out Bandsaw's and my article on how windows
password caching works (www.hackcanada.com/homegrown/pwl.txt).

The phone # is easy to get, just go into your "My Computer" and the
"Dial Up Networking" click the 3web icon and copy the phone # listed in
there.

Just create a new dialup networking connection through windows, or however
you do it in your own choice of OS, use those l/p values you extracted and
you're in. It works great under any OS, even the Palm pilot. The 3web
service is great, it supports from 2400 - 56.6k and even ISDN lines, all
for free. Now you can get it without the advertisement catch.

An account generated with older versions won't be affected if they update
their client software, but unless they change their connection method and
cut off all their old users, they can just try and hide the password better
from prying eyes.

Please run the ads every so often, it would be a shame to lose this great
(free) service, they have to make money too you know, but not too much.


Notes:

1. This was tested with version 2.0 of the software off the CD and a
   download off the web (3webv230d.exe), (which was still available
   7/26/1999). When you run 3web and it asks you if you want to upgrade,
   say NO. They appear to have patched this vulnerability if you load that
   update, but the downloaded copy doesn't include it. Until I can run this
   update through its paces again, run on that assumption and don't load
   the update.

2. The demo of pwlview only extracts the first 2 passwords of a system and
   may not show the 3web account, making BO2K a much better choice in my
   opinion.


Thanks to Sir Dystic of the cDc for the hostile code speech at defcon 7
that gave me the idea to watch the registry for changes :-)


Renderman
7/25/99
Www.hackcanada.com
RenderMan@hackcanada.com
#2600ca on irc.2600.net