OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: SNS Research (vuln-devgreyhack.com)
Date: Tue May 22 2001 - 10:32:53 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Strumpf Noir Society Advisories
    ! Public release !
    <--#

    -= SpyAnywhere Authentication Bypassing Vulnerabilities =-

    Release date: Tuesday, May 22, 2001

    Introduction:

    Spytech's SpyAnywhere application is a remote PC monitoring
    and administration package for the MS Windows OS.

    SpyAnywhere can be obtained from: http://www.spytech-web.com

    Problem:

    The SpyAnywhere application allows a user to remotely control
    a system through a HTTP daemon listening on a user-defined port.
    The problem lies in the authentication of such a session, where
    the authentication data is not correctly validated.

    During login the user is presented with a form which submits the
    variables "loginpass", "redirect" and "submit" to the function
    "pass". More precisely, this is done by passing a URL to the server
    such as below:

    http://targethost:port/pass?loginpass=***INSERT PASSWORD HERE***
    &redirect=0%2F&Submit=Login

    The password is sent plaintext. Also the "redirect" and "submit"
    variables are predefined, so all authentication is basically
    done using only one variable, which could allow for the use of
    brute-force techniques.

    More interesting however, is replacing the ***INSERT PASSWORD
    HERE*** with a single character, thus basically submitting a one
    character password, any one character password, to the server.
    This will authenticate the user as the system's admin no matter
    what the actual password is.

    This will provide an attacker with to name a few features:

    - Remote Application/Task Management and Viewing
    - Remote File System Navigation and Management
    - Remote System Shutdown/Restart/Logoff

    on the system running SpyAnywhere.

    (..)

    Solution:

    The vendor has acknowledged the issue, which will be addressed in
    SpyAnywhere version 2.0 to be released this summer.

    This was tested against SpyAnywhere 1.50 on Win2k.

    yadayadayada

    Free sk8! (http://www.freesk8.org)

    SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
    compliant, all information is provided on AS IS basis.

    EOF, but Strumpf Noir Society will return!