-- Corsaire Security Advisory -- Title: Danware NetOp Host multiple information disclosure issues Date: 19.06.04 Application: Danware NetOp prior to 7.65 build 2004278 Environment: Windows NT/2000/2003/XP/98 Author: Martin O'Neal [martin.oneal@corsaire.com] Audience: General release Reference: c040619-001 -- Scope -- The aim of this document is to clearly define several vulnerabilities in the NetOp Host product, as supplied by Danware Data A/S [1], that disclose information about the host that would be of use to an attacker. -- History -- Discovered: 19.06.04 (Martin O'Neal) Vendor notified: 23.06.04 Document released: 19.11.04 -- Overview -- The Danware NetOp Host and Guest products provide remote control capabilities for a variety of operating systems. The data exchange between the Guest and Host can be protected by both authentication and encryption, but even with these options enabled the NetOp proprietary protocol can still disclose the hostname, username and local IP address of the host system. -- Analysis -- The NetOp Host and Guest products use a number of standard transport protocols (such as UDP, TCP and IPX) to encapsulate a proprietary data exchange through which remote control services are provided. This proprietary exchange can be protected by a number of optional features, such as authentication and data encryption. However, early on in the session initiation process (prior to both authentication and encryption being enforced), it is still possible for the hostname, username and local IP address of the host system to be disclosed. If a valid NetOp HELO request is sent to the host, then it responds with a packet that may contain one or more of the NetOp hostname, username and local IP address value. Although the hostname option can be overridden, the default setting is to "use Windows computer name". If enabled, the username returned will be the name of the current logged in user (if any). Additionally, if the system is protected by a firewall or other device that provides NAT services between private and public address ranges, then the private addressing information will be disclosed. The NetOp products provide an option to disable making this information public, however in versions prior to 7.65 build 2004278 this does not work as intended, and can be bypassed with the use of a custom HELO request. Although none of these disclosures are critical in themselves, they provide additional information that may be combined with other vulnerabilities to launch further attacks against the host. -- Recommendations -- Upgrade to NetOp 7.65 build 2004278. Under the options "Host Name" tab, uncheck the "Public Host name" option. If upgrading to NetOp 7.65 build 2004278 is not feasible, the following workaround eliminates most disclosures of the computer and user name, but does not protect against disclosing the private addressing through a NAT gateway: Under the options "Host Name" tab, select the "Enter name or leave name field blank" radio button, and uncheck both the "Public Host name" and "Enable User Name" options. In the name entry field then appearing on the main program screen, actually leave the name field blank. For those who are unsure if they have NetOp installed within their environment, or whether the configuration options are correctly configured, Corsaire (in collaboration with Danware) have provided a NASL signature for Nessus [2] that will provide the appropriate positive verification. -- CVE -- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0950 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardises names for security problems. -- References -- [1] http://www.danware.com [2] http://www.nessus.org -- Revision -- a. Initial release. -- Distribution -- This security advisory may be freely distributed, provided that it remains unaltered and in its original form. -- Disclaimer -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- About Corsaire -- Corsaire are a leading information security consultancy, founded in 1997 in Guildford, Surrey, UK. Corsaire bring innovation, integrity and analytical rigour to every job, which means fast and dramatic security performance improvements. Our services centre on the delivery of information security planning, assessment, implementation, management and vulnerability research. A free guide to selecting a security assessment supplier is available at http://www.penetration-testing.com Copyright 2004 Corsaire Limited. All rights reserved.