
Corsaire Security Advisory 2004-06-19.1
Posted Nov 20, 2004
Authored by Martin O'Neal, Corsaire | Site penetration-testing.com

Corsaire Security Advisory - The aim of this document is to clearly define several vulnerabilities in the Danware NetOp Host product that suffers from multiple information disclosure issues.

tags | advisory, vulnerability, info disclosure
advisories | CVE-2004-0950
SHA-256 | 42db080f94b4a9d2053f5f711e043ba751541dcd77b4eb01d14059438cd13bce


-- Corsaire Security Advisory --

Title: Danware NetOp Host multiple information disclosure issues
Date: 19.06.04
Application: Danware NetOp prior to 7.65 build 2004278
Environment: Windows NT/2000/2003/XP/98
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General release
Reference: c040619-001


-- Scope --

The aim of this document is to clearly define several vulnerabilities in
the NetOp Host product, as supplied by Danware Data A/S [1], that
disclose information about the host that would be of use to an attacker.


-- History --

Discovered: 19.06.04 (Martin O'Neal)
Vendor notified: 23.06.04
Document released: 19.11.04


-- Overview --

The Danware NetOp Host and Guest products provide remote control
capabilities for a variety of operating systems. The data exchange
between the Guest and Host can be protected by both authentication and
encryption, but even with these options enabled the NetOp proprietary
protocol can still disclose the hostname, username and local IP address
of the host system.


-- Analysis --

The NetOp Host and Guest products use a number of standard transport
protocols (such as UDP, TCP and IPX) to encapsulate a proprietary data
exchange through which remote control services are provided. This
proprietary exchange can be protected by a number of optional features,
such as authentication and data encryption. However, early on in the
session initiation process (prior to both authentication and encryption
being enforced), it is still possible for the hostname, username and
local IP address of the host system to be disclosed.

If a valid NetOp HELO request is sent to the host, then it responds with
a packet that may contain one or more of the NetOp hostname, username
and local IP address values. Although the hostname option can be
overridden, the default setting is to "use Windows computer name". If
the user-name option is enabled, the username returned will be the name
of the currently logged-in user (if any). Additionally, if the system is
protected by a firewall or other device that provides NAT services
between private and public address ranges, then the private addressing
information will be disclosed.

The NetOp products provide an option to disable making this information
public. However, in versions prior to 7.65 build 2004278 this option does
not work as intended, and can be bypassed with the use of a custom HELO
request.

Although none of these disclosures are critical in themselves, they
provide additional information that may be combined with other
vulnerabilities to launch further attacks against the host.


-- Recommendations --

Upgrade to NetOp 7.65 build 2004278.

Under the options "Host Name" tab, uncheck the "Public Host name" option.

If upgrading to NetOp 7.65 build 2004278 is not feasible, the following
workaround eliminates most disclosures of the computer and user name,
but does not protect against disclosing the private addressing through a
NAT gateway:

Under the options "Host Name" tab, select the "Enter name or leave name
field blank" radio button, and uncheck both the "Public Host name" and
"Enable User Name" options. In the name entry field then appearing on
the main program screen, actually leave the name field blank.

For those who are unsure if they have NetOp installed within their
environment, or whether the configuration options are correctly
configured, Corsaire (in collaboration with Danware) have provided a
NASL signature for Nessus [2] that will provide the appropriate positive
verification.
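The recommendations above hinge on one threshold: any NetOp Host older than 7.65 build 2004278 is affected. The following Python snippet is an added example (not part of the Corsaire advisory, and not Danware's or Corsaire's code) that turns that threshold into an inventory check: it parses version strings of the form "7.65 build 2004278", compares major, minor and build numerically rather than as text, and treats a record with no build number as affected (conservative). The inventory records and every version string other than 7.65 build 2004278 are constructed sample data; the "major.minor build NNNNNNN" format is assumed from the advisory's own wording.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed version named in the advisory: NetOp 7.65 build 2004278.
FIXED_VERSION: Tuple[int, int, int] = (7, 65, 2004278)

# Assumed format: "<major>.<minor>[ build <build>]", e.g. "7.65 build 2004278".
_VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)(?:\s*(?:build\s*)?(?P<build>\d{4,}))?",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, build) from a banner or inventory string.

    Returns None when no version is present. A missing build number is
    recorded as 0 so that a bare "7.65" sorts below the fixed build.
    The minor component is right-padded to two digits so "7.6" and "7.60"
    compare equal (assumption about how NetOp minor versions are written).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major = int(m.group("major"))
    minor = int(m.group("minor").ljust(2, "0"))
    build = int(m.group("build")) if m.group("build") else 0
    return (major, minor, build)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is below the fixed build, False if at or above it,
    None if no version could be parsed (record needs manual follow-up)."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuple comparison is numeric per component; a string comparison would
    # wrongly rank build "999" above build "2004278".
    return version < FIXED_VERSION


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, Optional[bool]]:
    """Map each hostname to its affected status for a list of (host, banner)."""
    return {host: is_affected(banner) for host, banner in inventory}


# Constructed sample inventory; only 7.65 build 2004278 comes from the advisory.
SAMPLE_INVENTORY = [
    ("ws01", "NetOp Host 7.60 build 2003156"),   # older build: affected
    ("ws02", "NetOp Host 7.65 build 2004278"),   # the fixed build
    ("ws03", "NetOp Host 7.65"),                 # build unknown: treated as affected
    ("ws04", "NetOp Host 8.0 build 2005010"),    # newer major: not affected
    ("ws05", "no version string recorded"),      # unparseable: needs follow-up
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        label = {True: "AFFECTED", False: "ok", None: "UNKNOWN"}[status]
        print(f"{host}: {label}")
```

Hosts reported as AFFECTED should be upgraded, and those reported as UNKNOWN still need the "Public Host name" and "Enable User Name" options checked by hand, since no version is known for them.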


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0950 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardises names for
security problems.


-- References --

[1] http://www.danware.com
[2] http://www.nessus.org


-- Revision --

a. Initial release.


-- Distribution --

This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.

A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com


Copyright 2004 Corsaire Limited. All rights reserved.


