-- Corsaire Security Advisory --

Title: Danware NetOp Host multiple information disclosure issues
Date: 19.06.04
Application: Danware NetOp prior to 7.65 build 2004278
Environment: Windows NT/2000/2003/XP/98
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General release
Reference: c040619-001


-- Scope --

The aim of this document is to clearly define several vulnerabilities in 
the NetOp Host product, as supplied by Danware Data A/S [1], that 
disclose information about the host that would be of use to an attacker.


-- History --

Discovered: 19.06.04 (Martin O'Neal)
Vendor notified: 23.06.04
Document released: 19.11.04


-- Overview --

The Danware NetOp Host and Guest products provide remote control 
capabilities for a variety of operating systems. The data exchange 
between the Guest and Host can be protected by both authentication and 
encryption, but even with these options enabled the NetOp proprietary 
protocol can still disclose the hostname, username and local IP address 
of the host system.


-- Analysis --

The NetOp Host and Guest products use a number of standard transport 
protocols (such as UDP, TCP and IPX) to encapsulate a proprietary data 
exchange through which remote control services are provided. This 
proprietary exchange can be protected by a number of optional features, 
such as authentication and data encryption. However, early on in the 
session initiation process (prior to both authentication and encryption 
being enforced), it is still possible for the hostname, username and 
local IP address of the host system to be disclosed.

If a valid NetOp HELO request is sent to the host, then it responds with 
a packet that may contain one or more of the NetOp hostname, username 
and local IP address value. Although the hostname option can be 
overridden, the default setting is to "use Windows computer name". If 
enabled, the username returned will be the name of the current logged in 
user (if any). Additionally, if the system is protected by a firewall or 
other device that provides NAT services between private and public 
address ranges, then the private addressing information will be 
disclosed. 

The NetOp products provide an option to disable making this information 
public, however in versions prior to 7.65 build 2004278 this does not 
work as intended, and can be bypassed with the use of a custom HELO 
request. 

Although none of these disclosures are critical in themselves, they
provide additional information that may be combined with other
vulnerabilities to launch further attacks against the host.


-- Recommendations --

Upgrade to NetOp 7.65 build 2004278. 

Under the options "Host Name" tab, uncheck the "Public Host name" option.

If upgrading to NetOp 7.65 build 2004278 is not feasible, the following
workaround eliminates most disclosures of the computer and user name,
but does not protect against disclosing the private addressing through a
NAT gateway:

Under the options "Host Name" tab, select the "Enter name or leave name 
field blank" radio button, and uncheck both the "Public Host name" and 
"Enable User Name" options.  In the name entry field then appearing on
the main program screen, actually leave the name field blank.

For those who are unsure if they have NetOp installed within their 
environment, or whether the configuration options are correctly 
configured, Corsaire (in collaboration with Danware) have provided a 
NASL signature for Nessus [2] that will provide the appropriate positive 
verification.  


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CAN-2004-0950 to this issue. This is a candidate for inclusion in 
the CVE list (http://cve.mitre.org), which standardises names for 
security problems.


-- References --

[1] http://www.danware.com
[2] http://www.nessus.org


-- Revision --

a. Initial release.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 
http://www.penetration-testing.com 


Copyright 2004 Corsaire Limited. All rights reserved.