mailing list archives
SpyAnywhere Authentication Bypassing Vulnerabilities
From: SNS Research <vuln-dev () greyhack com>
Date: Tue, 22 May 2001 17:32:53 +0200
Strumpf Noir Society Advisories
! Public release !
-= SpyAnywhere Authentication Bypassing Vulnerabilities =-
Release date: Tuesday, May 22, 2001
Spytech's SpyAnywhere application is a remote PC monitoring
and administration package for the MS Windows OS.
SpyAnywhere can be obtained from: http://www.spytech-web.com
The SpyAnywhere application allows a user to remotely control
a system through a HTTP daemon listening on a user-defined port.
The problem lies in the authentication of such a session, where
the authentication data is not correctly validated.
During login the user is presented with a form which submits the
variables "loginpass", "redirect" and "submit" to the function
"pass". More precisely, this is done by passing a URL to the server
such as below:
http://targethost:port/pass?loginpass=***INSERT PASSWORD HERE***
The password is sent plaintext. Also the "redirect" and "submit"
variables are predefined, so all authentication is basically
done using only one variable, which could allow for the use of
More interesting however, is replacing the ***INSERT PASSWORD
HERE*** with a single character, thus basically submitting a one
character password, any one character password, to the server.
This will authenticate the user as the system's admin no matter
what the actual password is.
This will provide an attacker with to name a few features:
- Remote Application/Task Management and Viewing
- Remote File System Navigation and Management
- Remote System Shutdown/Restart/Logoff
on the system running SpyAnywhere.
The vendor has acknowledged the issue, which will be addressed in
SpyAnywhere version 2.0 to be released this summer.
This was tested against SpyAnywhere 1.50 on Win2k.
Free sk8! (http://www.freesk8.org)
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.
EOF, but Strumpf Noir Society will return!
- SpyAnywhere Authentication Bypassing Vulnerabilities SNS Research (May 22)