SecurityTracker.com
Category:   Application (Generic)  >   SpyAnywhere
Vendors:   Spytech Software and Design
SpyAnywhere Remote PC Monitoring and Management Software Allows Remote Users to Take Administrative Control of the Host
SecurityTracker Alert ID:  1001589
SecurityTracker URL:  http://securitytracker.com/id/1001589
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 23 2001
Impact:   Host/resource access via network, Root access via network

Version(s): tested on SpyAnywhere 1.50 on Windows 2000
Description:   SNS Research reported a vulnerability in the SpyAnywhere web-based remote PC monitoring and administration application for Microsoft Windows operating systems. The security hole allows remote users to take administrative control of the host.

The SpyAnywhere application reportedly allows a user to remotely control a host via a web server that listens on a user-defined port. It is reported that the system does not properly authenticate remote users.

Passwords are submitted in the clear, using a URL of the following format:

http://[targethost]:port/pass?loginpass=[password]&redirect=0%2F&Submit=Login

If a single character is supplied as the password, the remote user will be incorrectly authenticated as a system administrator, regardless of what the real password is. As system administrator via the SpyAnywhere system, the remote user can perform the following functions:

- Remote Application/Task Management and Viewing
- Remote File System Navigation and Management
- Remote System Shutdown/Restart/Logoff

Impact:   A remote user can take administrative control of the host via the SpyAnywhere system.
Solution:   No solution was available at the time of this entry. The vendor has reportedly acknowledged the issue, indicating that the vulnerability will be corrected in version 2.0.
Vendor URL:  www.spytech-web.com/
Cause:   Authentication error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.
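
For defenders who hold proxy or web access logs covering a SpyAnywhere host, the following added example (not part of the advisory and not vendor code) flags login requests in the URL format shown above: any `loginpass` value in a query string is a cleartext credential, and a one-character value matches the bypass described. The log format, addresses, port and sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common-log style; addresses and port are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [23/May/2001:10:01:02 +0000] "GET /pass?loginpass=a&redirect=0%2F&Submit=Login HTTP/1.0" 200 512
10.0.0.7 - - [23/May/2001:10:02:10 +0000] "GET /pass?loginpass=Tr0ub4dor&redirect=0%2F&Submit=Login HTTP/1.0" 200 512
10.0.0.9 - - [23/May/2001:10:03:44 +0000] "GET /index.html HTTP/1.0" 200 1024
10.0.0.5 - - [23/May/2001:10:04:00 +0000] "GET http://192.0.2.10:8080/pass?loginpass=%41&redirect=0%2F&Submit=Login HTTP/1.0" 200 512
"""

# Source address and request target from a quoted request line.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def classify(line):
    """Return (source, finding) for a SpyAnywhere login request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    # urlsplit handles both origin-form and the absolute-form a proxy records.
    url = urlsplit(m.group("target"))
    if url.path != "/pass":
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if "loginpass" not in params:
        return None
    # parse_qs percent-decodes, so %41 counts as one character.
    value = params["loginpass"][0]
    # Only the length is inspected; the value itself is never reported.
    if len(value) == 1:
        return m.group("src"), "single-char-login"
    return m.group("src"), "cleartext-login"


def scan(log_text):
    """Classify every line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for src, finding in scan(SAMPLE_LOG):
        print(f"{finding:18} from {src}")
```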


 Source Message Contents

Subject:  SpyAnywhere Authentication Bypassing Vulnerabilities


Strumpf Noir Society Advisories
! Public release !
<--#


-= SpyAnywhere Authentication Bypassing Vulnerabilities =-

Release date: Tuesday, May 22, 2001


Introduction:

Spytech's SpyAnywhere application is a remote PC monitoring 
and administration package for the MS Windows OS.

SpyAnywhere can be obtained from: http://www.spytech-web.com


Problem:

The SpyAnywhere application allows a user to remotely control 
a system through an HTTP daemon listening on a user-defined port. 
The problem lies in the authentication of such a session, where
the authentication data is not correctly validated.

During login the user is presented with a form which submits the 
variables "loginpass", "redirect" and "submit" to the function 
"pass". More precisely, this is done by passing a URL to the server 
such as below:

http://targethost:port/pass?loginpass=***INSERT PASSWORD HERE***
&redirect=0%2F&Submit=Login

The password is sent plaintext. Also the "redirect" and "submit" 
variables are predefined, so all authentication is basically 
done using only one variable, which could allow for the use of 
brute-force techniques.

More interesting however, is replacing the ***INSERT PASSWORD 
HERE*** with a single character, thus basically submitting a one 
character password, any one character password, to the server. 
This will authenticate the user as the system's admin no matter 
what the actual password is. 

This will provide an attacker with, to name a few features: 

- Remote Application/Task Management and Viewing
- Remote File System Navigation and Management
- Remote System Shutdown/Restart/Logoff

on the system running SpyAnywhere.


(..)


Solution:

The vendor has acknowledged the issue, which will be addressed in
SpyAnywhere version 2.0 to be released this summer.

This was tested against SpyAnywhere 1.50 on Win2k.


yadayadayada

Free sk8! (http://www.freesk8.org)

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) 
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!



 
 

