[20739] in bugtraq
SpyAnywhere Authentication Bypassing Vulnerabilities
daemon@ATHENA.MIT.EDU (SNS Research)
Tue May 22 18:17:20 2001
Date: Tue, 22 May 2001 17:32:53 +0200
From: SNS Research <vuln-dev@greyhack.com>
Reply-To: SNS Research <vuln-dev@greyhack.com>
Message-ID: <17314252393.20010522173253@greyhack.com>
To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Strumpf Noir Society Advisories
! Public release !
<--#
-= SpyAnywhere Authentication Bypassing Vulnerabilities =-
Release date: Tuesday, May 22, 2001
Introduction:
Spytech's SpyAnywhere application is a remote PC monitoring
and administration package for the MS Windows OS.
SpyAnywhere can be obtained from: http://www.spytech-web.com
Problem:
The SpyAnywhere application allows a user to remotely control
a system through a HTTP daemon listening on a user-defined port.
The problem lies in the authentication of such a session, where
the authentication data is not correctly validated.
During login the user is presented with a form which submits the
variables "loginpass", "redirect" and "submit" to the function
"pass". More precisely, this is done by passing a URL to the server
such as below:
http://targethost:port/pass?loginpass=***INSERT PASSWORD HERE***
&redirect=0%2F&Submit=Login
The password is sent plaintext. Also the "redirect" and "submit"
variables are predefined, so all authentication is basically
done using only one variable, which could allow for the use of
brute-force techniques.
More interesting however, is replacing the ***INSERT PASSWORD
HERE*** with a single character, thus basically submitting a one
character password, any one character password, to the server.
This will authenticate the user as the system's admin no matter
what the actual password is.
This will provide an attacker with to name a few features:
- Remote Application/Task Management and Viewing
- Remote File System Navigation and Management
- Remote System Shutdown/Restart/Logoff
on the system running SpyAnywhere.
(..)
Solution:
The vendor has acknowledged the issue, which will be addressed in
SpyAnywhere version 2.0 to be released this summer.
This was tested against SpyAnywhere 1.50 on Win2k.
yadayadayada
Free sk8! (http://www.freesk8.org)
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.
EOF, but Strumpf Noir Society will return!
