Courtesy of Bob Free from the NT SysAdmin list.....

Pepsi Bottlecap Liner Labeling Information Leak Vulnerability

Advisory Location: http://dragos.com/pepsi.txt
Release date: February 18, 2004
Severity: Pink (Free Music Downloads)

Systems Affected:
Diet Pepsi - 20 FL OZ Bottle (with "1 in 3 Wins a FREE Song" label)
Pepsi - 20 FL OZ Bottle (with "1 in 3 Wins a FREE Song" label)
Sierra Mist - 20 FL OZ Bottle (with "1 in 3 Wins a FREE Song" label)

Description:
During the Super Bowl, Apple and Pepsi co-launched an ad campaign giving away 100 million songs via Apple's iTunes Music Store. Because of a vulnerability in the notification of the give-away, attackers can guarantee a free song in any Pepsi purchase.

Pepsi uses an industry standard known as "bottlecap liner labeling", where the vendor includes notification of fun and prizes. This method of notification is vulnerable to a pre-purchase notification weakness, allowing attackers to limit their purchase to products that are known to be "winners" in the give-away.

Technical Description:
An attacker capable of obtaining physical access to a bottle prior to purchase may create a non-uniform probability distribution leading to a predictable outcome. By causing the bottle to be inclined at a specific declination, the attacker may gain partial visibility into the result variable, thereby bypassing the natural selection process.

This attack is not new. Prior soft drink distribution versions have been vulnerable to this attack in the past. Known vulnerable versions have included the Mountain Dew "Free Soda" give-aways.

Protection:
Vendors should put all Pepsi 20 OZ bottles in a vending machine, which should mitigate this attack by not allowing physical access before the attacker purchases the product.

ISS users can add the following TRONS rule to detect this attack:

alert bottle any any -> any any (msg:"pepsi attack"; tilt:>15; classtype:information-leak; priority:pink;)

This rule may be used to identify downloads of known exploits:

alert tcp any 80 -> any any (msg:"Pepsi exploit download"; content:"pepsi"; nocase; content:"tilt"; nocase; classification:exploit-download-attempt;)

Vendor Status:
The vendor has not been notified.

Exploit:
Exploits have been observed in the wild and are presumed to be in common use. A proof-of-concept exploit is available at: http://www.macmerc.com/news/archives/1270

Contributors:
Ereet Hagiwara
Brian Caswell
Dragos Ruiu

Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.

-----Original Message-----
From: Greg Reese [mailto:GReese@xxxxxxxxxxxxxxxx]
Sent: Friday, February 20, 2004 10:26 AM
To: thin@xxxxxxxxxxxxx; windows2000@xxxxxxxxxxxxx
Subject: [windows2000] OT: For those of you who are iTunes Fans

Saw this on cnn.com and thought some of you may find it interesting. Enjoy!

Greg

From Cnn.com: http://www.cnn.com/2004/TECH/internet/02/19/pepsi.itunes.promotion/index.html

Site posts low-tech hack for iTunes giveaway
By Paulo Nogueira
CNN

(CNN) -- Sharp eyes and a bit of patience paid off Thursday for iTunes fans who figured out a way to "hack" the popular music download service's Pepsi promotion.

Jon Gales, who runs Macintosh-user site MacMerc.com, posted instructions this week on how to look into sealed Pepsi bottles and figure out which ones carry winning iTunes codes in their caps.

"With luck, you should be able to see under the cap," said Gales, 19, a college student who discovered the trick by chance. "It takes a few minutes to get used to the angle... and you may have to twist the bottle."

Apple Computer's iTunes service is giving away 100 million songs, a promotion that was launched with splashy Super Bowl TV ads featuring people sued for illegally sharing music online. One in three bottles is a winner, according to the rules. And the 10-digit code on a winning cap can be used to download a free song on iTunes.com.

But when Gales discovered that by tilting the bottles he could beat the system, he was eager to share the trick. News of his Web site's illustrations and step-by-step instructions spread quickly on the Internet, which prompted his domain to crash briefly from the onslaught of visitors.

"I was surprised by the kind of traffic and the responses that it got," Gales said Thursday from his home in Tampa, Florida. "We were getting 30 hits a second and the database couldn't keep up."

It takes a bit of squinting and some persistence, but Gales' suggestions work. Those who see the word "again" after tilting the bottle have a losing cap. But random letters and numbers mean you have a winner.

Pepsi-Cola spokesman Dave DeCecco said he wasn't aware of the trick until a reporter called him. "We always put redemption limits for promotions like these," he said. "But we've found that most consumers play by the rules."

Apple's iTunes store, the most popular online music retailer, offers more than 500,000 songs for 99 cents each. Pepsi promotion winners can claim up to 10 songs per day and 200 tunes total during the giveaway, which ends March 31.

But "you can sign up for another account," Gales said.