Vulnerability

SpyAnywhere

Affected

SpyAnywhere

Description

The following is based on a Strumpf Noir Society advisory. Spytech's SpyAnywhere application is a remote PC monitoring and administration package for the MS Windows OS.

The SpyAnywhere application allows a user to remotely control a system through an HTTP daemon listening on a user-defined port. The problem lies in the authentication of such a session, where the authentication data is not correctly validated.

During login the user is presented with a form which submits the variables "loginpass", "redirect" and "submit" to the function "pass". More precisely, this is done by passing a URL to the server such as the one below:

    http://targethost:port/pass?loginpass=***INSERT PASSWORD HERE***&redirect=0%2F&Submit=Login

The password is sent in plaintext. Also, the "redirect" and "submit" variables are predefined, so all authentication is basically done using only one variable, which could allow for the use of brute-force techniques.

More interesting, however, is replacing the ***INSERT PASSWORD HERE*** with a single character, thus basically submitting a one-character password, any one-character password, to the server. This will authenticate the user as the system's admin no matter what the actual password is.

This will provide an attacker with, to name a few features:

- Remote Application/Task Management and Viewing
- Remote File System Navigation and Management
- Remote System Shutdown/Restart/Logoff

on the system running SpyAnywhere.

This was tested against SpyAnywhere 1.50 on Win2k.

Solution

The vendor has acknowledged the issue, which will be addressed in SpyAnywhere version 2.0, to be released this summer.
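
Until a fixed version is installed, the login request described above can be watched for from the network side. The following is an added detection example, not part of the original advisory or of Spytech's software: it scans HTTP request logs for calls to "pass" that carry a one-character "loginpass" value or that arrive in bursts from one client. The common-log-format input (for example from a proxy or sensor in front of the host), the helper names and the threshold of five attempts are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

def _line(client, target):
    # Constructed common-log-format line; the format is an assumption.
    return f'{client} - - [01/Jan/2001:10:00:00 +0000] "GET {target} HTTP/1.0" 200 512'

# Constructed sample traffic (documentation address ranges), not real data.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", "/pass?loginpass=x&redirect=0%2F&Submit=Login"),
     _line("192.0.2.20", "/pass?loginpass=%41&redirect=0%2F&Submit=Login"),
     _line("203.0.113.5", "/pass?loginpass=correcthorse&redirect=0%2F&Submit=Login"),
     _line("203.0.113.5", "/index.html")]
    + [_line("198.51.100.7", f"/pass?loginpass=guess{i}&redirect=0%2F&Submit=Login")
       for i in range(5)]
)

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def login_attempts(log_text):
    """Yield (client, password_length) for every request to the "pass" function.

    Only the length is kept so the plaintext password is not copied into alerts.
    """
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if url.path != "/pass":
            continue
        # parse_qs percent-decodes, so "%41" counts as one character.
        values = parse_qs(url.query, keep_blank_values=True).get("loginpass")
        if values is not None:
            yield client, len(values[0])

def analyse(log_text, burst_threshold=5):
    """Return clients that sent a one-character password or many login attempts."""
    attempts = list(login_attempts(log_text))
    per_client = Counter(client for client, _ in attempts)
    return {
        "single_char": sorted({c for c, n in attempts if n == 1}),
        "brute_force": sorted(c for c, k in per_client.items() if k >= burst_threshold),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Because the password travels in the URL, any log that records request lines also stores it in plaintext and should be access-restricted accordingly.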