------------------------------------------------------------------
- EXPL-A-2003-013 exploitlabs.com Advisory 013
------------------------------------------------------------------
-= Naviscope =-

Donnie Werner
morning_wood@exploitlabs.com
July 8, 2003

Product:
--------
Naviscope v8.70
http://www.naviscope.com/

Vulnerability(s):
----------------
1. Local DoS
2. OEM ID Transmission

Reviews:
--------
http://www.naviscope.com/awards.htm

Description of product:
-----------------------
"Naviscope is a powerful Web Accelerator and complete package of
Internet Tools."
http://www.naviscope.com/dnload.htm

VULNERABILITY / EXPLOIT
=======================
By default, Naviscope binds to 0.0.0.0:81. Connecting to
http://127.0.0.1:81 causes Naviscope to loop, taking CPU use to 100%
and opening hundreds of connections to itself.

Upon execution, Naviscope sets IE to proxy through 127.0.0.1:81 (by
default). It does not return the browser (IE) to its pre-execution
default state, rendering browsing useless until Naviscope is
reactivated or the proxy setting in IE is adjusted manually.

It also connects to http://naviscope.com and sends

  v=0870&r=00&s=[BAD9]&k=[ ]&exeid=0&FB=1&winser=[WINDOWS-PRODUCTID]

where WINDOWS-PRODUCTID is the value of

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductId

Local:
------
yes

Remote:
-------
not verified

Vendor Fix:
-----------
No fix on 0day

Vendor Contact:
---------------
Concurrent with this advisory
feedback@naviscope.com

Credits:
--------
Donnie Werner
http://exploitlabs.com

Original Advisory may be read at:
http://exploitlabs.com/files/advisories/EXPL-A-2003-013-naviscope.txt
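
Added example, not part of the original advisory: a way to find the ID transmission described above in outbound proxy logs by flagging requests to naviscope.com that carry a winser parameter shaped like a Windows ProductId. The log line layout, the "/" request path, the ProductId pattern, the function names and all sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names taken from the request string quoted in the advisory.
BEACON_KEYS = {"v", "r", "s", "k", "exeid", "FB", "winser"}
# Assumed ProductId layout: 5 digits, 3-character channel code (digits or
# "OEM"), 7 digits, 5 digits; square brackets optional.
PRODUCT_ID = re.compile(r"^\[?(\d{5}-(?:\d{3}|OEM)-\d{7}-\d{5})\]?$")

# Constructed proxy log lines: date, time, client IP, method, URL.
SAMPLE_LOG = [
    "2003-07-08 09:14:02 10.0.0.5 GET http://naviscope.com/"
    "?v=0870&r=00&s=BAD9&k=&exeid=0&FB=1&winser=12345-OEM-1234567-12345",
    "2003-07-08 09:14:07 10.0.0.5 GET http://www.example.org/?winser=1",
    "2003-07-08 09:15:30 10.0.0.9 GET http://www.naviscope.com/awards.htm",
]

def is_vendor_host(host):
    """True for naviscope.com and its subdomains, not look-alike names."""
    host = (host or "").lower().rstrip(".")
    return host == "naviscope.com" or host.endswith(".naviscope.com")

def inspect_url(url):
    """Return a finding dict for a beacon-like request, otherwise None."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if not is_vendor_host(parts.hostname) or "winser" not in params:
        return None
    match = PRODUCT_ID.match(params["winser"][0])
    return {
        "host": parts.hostname,
        "matched_keys": sorted(BEACON_KEYS & params.keys()),
        "leaks_product_id": bool(match),
        # Mask the serial so the alert does not repeat the identifier.
        "winser_masked": match.group(1)[:9] + "*" * 14 if match else None,
    }

def scan(log_lines):
    """Return (client_ip, finding) pairs for log lines that match."""
    hits = []
    for line in log_lines:
        fields = line.split()
        url = next((f for f in fields if f.startswith("http://")), None)
        finding = inspect_url(url) if url else None
        if finding:
            hits.append((fields[2], finding))
    return hits

if __name__ == "__main__":
    for client, finding in scan(SAMPLE_LOG):
        print(client, finding)
```

Each hit names the internal client that sent the request, which identifies hosts where Naviscope is installed and where the IE proxy setting may also need to be checked.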