Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

SpyAnywhere Authentication Bypassing Vulnerabilities

From: SNS Research <vuln-dev () greyhack com>
Date: Tue, 22 May 2001 17:32:53 +0200
Strumpf Noir Society Advisories
! Public release !
<--#


-= SpyAnywhere Authentication Bypassing Vulnerabilities =-

Release date: Tuesday, May 22, 2001


Introduction:

Spytech's SpyAnywhere application is a remote PC monitoring 
and administration package for the MS Windows OS.

SpyAnywhere can be obtained from: http://www.spytech-web.com


Problem:

The SpyAnywhere application allows a user to remotely control 
a system through a HTTP daemon listening on a user-defined port. 
The problem lies in the authentication of such a session, where
the authentication data is not correctly validated.

During login the user is presented with a form which submits the 
variables "loginpass", "redirect" and "submit" to the function 
"pass". More precisely, this is done by passing a URL to the server 
such as below:

http://targethost:port/pass?loginpass=***INSERT PASSWORD HERE***
&redirect=0%2F&Submit=Login

The password is sent plaintext. Also the "redirect" and "submit" 
variables are predefined, so all authentication is basically 
done using only one variable, which could allow for the use of 
brute-force techniques.

More interesting however, is replacing the ***INSERT PASSWORD 
HERE*** with a single character, thus basically submitting a one 
character password, any one character password, to the server. 
This will authenticate the user as the system's admin no matter 
what the actual password is. 

This will provide an attacker with to name a few features: 

- Remote Application/Task Management and Viewing
- Remote File System Navigation and Management
- Remote System Shutdown/Restart/Logoff

on the system running SpyAnywhere.


(..)


Solution:

The vendor has acknowledged the issue, which will be addressed in
SpyAnywhere version 2.0 to be released this summer.

This was tested against SpyAnywhere 1.50 on Win2k.


yadayadayada

Free sk8! (http://www.freesk8.org)

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) 
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!
Previous By Date Next
Previous By Thread Next

Current thread: