Corsaire Security Advisory - Danware NetOp Host multiple information disclosure issues
-- Corsaire Security Advisory --
Title: Danware NetOp Host multiple information disclosure issues
Date: 19.06.04
Application: Danware NetOp prior to 7.65 build 2004278
Environment: Windows NT/2000/2003/XP/98
Author: Martin O'Neal [martin.oneal@xxxxxxxxxxxx]
Audience: General release
Reference: c040619-001
-- Scope --
The aim of this document is to clearly define several vulnerabilities in
the NetOp Host product, as supplied by Danware Data A/S [1], that
disclose information about the host that would be of use to an attacker.
-- History --
Discovered: 19.06.04 (Martin O'Neal)
Vendor notified: 23.06.04
Document released: 19.11.04
-- Overview --
The Danware NetOp Host and Guest products provide remote control
capabilities for a variety of operating systems. The data exchange
between the Guest and Host can be protected by both authentication and
encryption, but even with these options enabled the NetOp proprietary
protocol can still disclose the hostname, username and local IP address
of the host system.
-- Analysis --
The NetOp Host and Guest products use a number of standard transport
protocols (such as UDP, TCP and IPX) to encapsulate a proprietary data
exchange through which remote control services are provided. This
proprietary exchange can be protected by a number of optional features,
such as authentication and data encryption. However, early on in the
session initiation process (prior to both authentication and encryption
being enforced), it is still possible for the hostname, username and
local IP address of the host system to be disclosed.
If a valid NetOp HELO request is sent to the host, then it responds with
a packet that may contain one or more of the NetOp hostname, username
and local IP address value. Although the hostname option can be
overridden, the default setting is to "use Windows computer name". If
enabled, the username returned will be the name of the current logged in
user (if any). Additionally, if the system is protected by a firewall or
other device that provides NAT services between private and public
address ranges, then the private addressing information will be
disclosed.
The NetOp products provide an option to disable making this information
public, however in versions prior to 7.65 build 2004278 this does not
work as intended, and can be bypassed with the use of a custom HELO
request.
Although none of these disclosures are critical in themselves, they
provide additional information that may be combined with other
vulnerabilities to launch further attacks against the host.
-- Recommendations --
Upgrade to NetOp 7.65 build 2004278.
Under the options "Host Name" tab, uncheck the "Public Host name" option.
If upgrading to NetOp 7.65 build 2004278 is not feasible, the following
workaround eliminates most disclosures of the computer and user name,
but does not protect against disclosing the private addressing through a
NAT gateway:
Under the options "Host Name" tab, select the "Enter name or leave name
field blank" radio button, and uncheck both the "Public Host name" and
"Enable User Name" options. In the name entry field then appearing on
the main program screen, actually leave the name field blank.
For those who are unsure if they have NetOp installed within their
environment, or whether the configuration options are correctly
configured, Corsaire (in collaboration with Danware) have provided a
NASL signature for Nessus [2] that will provide the appropriate positive
verification.
-- CVE --
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0950 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardises names for
security problems.
-- References --
[1] http://www.danware.com
[2] http://www.nessus.org
-- Revision --
a. Initial release.
-- Distribution --
This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.
-- Disclaimer --
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.
-- About Corsaire --
Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.
A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com
Copyright 2004 Corsaire Limited. All rights reserved.