[Full-Disclosure] Corsaire Security Advisory - Danware NetOp Host multiple information disclosure issues

From: advisories (advisories_at_corsaire.com)
Date: 11/19/04

    To: <full-disclosure@lists.netsys.com>
    Date: Fri, 19 Nov 2004 17:43:05 -0000
    
    

    -- Corsaire Security Advisory --

    Title: Danware NetOp Host multiple information disclosure issues
    Date: 19.06.04
    Application: Danware NetOp prior to 7.65 build 2004278
    Environment: Windows NT/2000/2003/XP/98
    Author: Martin O'Neal [martin.oneal@corsaire.com]
    Audience: General release
    Reference: c040619-001

    -- Scope --

    The aim of this document is to clearly define several vulnerabilities in
    the NetOp Host product, as supplied by Danware Data A/S [1], that
    disclose information about the host that would be of use to an attacker.

    -- History --

    Discovered: 19.06.04 (Martin O'Neal)
    Vendor notified: 23.06.04
    Document released: 19.11.04

    -- Overview --

    The Danware NetOp Host and Guest products provide remote control
    capabilities for a variety of operating systems. The data exchange
    between the Guest and Host can be protected by both authentication and
    encryption, but even with these options enabled the NetOp proprietary
    protocol can still disclose the hostname, username and local IP address
    of the host system.

    -- Analysis --

    The NetOp Host and Guest products use a number of standard transport
    protocols (such as UDP, TCP and IPX) to encapsulate a proprietary data
    exchange through which remote control services are provided. This
    proprietary exchange can be protected by a number of optional features,
    such as authentication and data encryption. However, early on in the
    session initiation process (prior to both authentication and encryption
    being enforced), it is still possible for the hostname, username and
    local IP address of the host system to be disclosed.

    If a valid NetOp HELO request is sent to the host, it responds with a
    packet that may contain one or more of the NetOp hostname, username and
    local IP address values. Although the hostname option can be
    overridden, the default setting is to "use Windows computer name". If
    enabled, the username returned is the name of the currently logged-in
    user (if any). Additionally, if the system sits behind a firewall or
    other device that provides NAT between private and public address
    ranges, the private addressing information is disclosed.

    The NetOp products provide an option to stop this information being
    made public; however, in versions prior to 7.65 build 2004278 this
    option does not work as intended and can be bypassed with a custom HELO
    request.

    Although none of these disclosures are critical in themselves, they
    provide additional information that may be combined with other
    vulnerabilities to launch further attacks against the host.
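For a host owner checking whether their own remote-control service gives away the attributes described above before authentication, the following added example (not part of the Corsaire advisory, and not NetOp's code) audits a captured pre-authentication reply against what is known about the host. The NetOp wire format is not documented on this page, so the NUL-delimited field layout and the sample replies are constructed assumptions; the useful part is the check itself: whether the reply carries the Windows computer name, the logged-in user, or an RFC 1918 address that a NAT gateway would otherwise hide.

```python
"""Audit a captured pre-authentication reply for host-identifying data.

Added illustration only. The NUL-delimited layout below is an assumption,
not the real NetOp protocol; the sample payloads are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample replies (hypothetical layout: tag, hostname, username, IP).
SAMPLE_REPLY_LEAKY = b"HELO\x00WKS-FINANCE-07\x00jsmith\x00192.168.10.22\x00"
SAMPLE_REPLY_HARDENED = b"HELO\x00\x00\x00\x00"

# Dotted-quad candidates; validated properly by the ipaddress module below.
IPV4_RE = re.compile(rb"(?:\d{1,3}\.){3}\d{1,3}")


@dataclass
class Disclosure:
    hostname: Optional[str]
    username: Optional[str]
    private_addresses: List[str] = field(default_factory=list)
    public_addresses: List[str] = field(default_factory=list)

    @property
    def leaks(self) -> bool:
        """True if anything an attacker could not already see is present."""
        return bool(self.hostname or self.username or self.private_addresses)


def extract_fields(payload: bytes) -> List[str]:
    """Split the hypothetical NUL-delimited reply into text fields."""
    return [f.decode("ascii", "replace") for f in payload.split(b"\x00")]


def classify_addresses(payload: bytes) -> Tuple[List[str], List[str]]:
    """Separate private (RFC 1918, loopback, link-local) from routable addresses."""
    private, public = [], []
    for match in IPV4_RE.finditer(payload):
        try:
            addr = ipaddress.ip_address(match.group().decode("ascii"))
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
        (private if addr.is_private else public).append(str(addr))
    return private, public


def audit_reply(payload: bytes, computer_name: str,
                logged_in_user: Optional[str]) -> Disclosure:
    """Report which known host attributes the reply discloses.

    computer_name and logged_in_user are what the auditor knows about the
    host being checked; a match means the reply hands that value out before
    authentication or encryption is negotiated.
    """
    fields = extract_fields(payload)
    hostname = computer_name if computer_name in fields else None
    username = (logged_in_user
                if logged_in_user and logged_in_user in fields else None)
    private, public = classify_addresses(payload)
    return Disclosure(hostname, username, private, public)


if __name__ == "__main__":
    for label, reply in (("leaky", SAMPLE_REPLY_LEAKY),
                         ("hardened", SAMPLE_REPLY_HARDENED)):
        result = audit_reply(reply, "WKS-FINANCE-07", "jsmith")
        print(label, "leaks" if result.leaks else "clean", result)
```

Run against a reply captured from a host configured per the Recommendations below, `leaks` should be False; a private address still appearing in the reply is the NAT-leakage case that the configuration workaround does not cover.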

    -- Recommendations --

    Upgrade to NetOp 7.65 build 2004278.

    Under the options "Host Name" tab, uncheck the "Public Host name" option.

    If upgrading to NetOp 7.65 build 2004278 is not feasible, the following
    workaround eliminates most disclosures of the computer and user name,
    but does not protect against disclosing the private addressing through a
    NAT gateway:

    Under the options "Host Name" tab, select the "Enter name or leave name
    field blank" radio button, and uncheck both the "Public Host name" and
    "Enable User Name" options. Then leave blank the name entry field that
    appears on the main program screen.

    For those who are unsure whether NetOp is installed within their
    environment, or whether the options above are correctly configured,
    Corsaire (in collaboration with Danware) have provided a NASL signature
    for Nessus [2] that gives positive verification.

    -- CVE --

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2004-0950 to this issue. This is a candidate for inclusion in
    the CVE list (http://cve.mitre.org), which standardises names for
    security problems.

    -- References --

    [1] http://www.danware.com
    [2] http://www.nessus.org

    -- Revision --

    a. Initial release.

    -- Distribution --

    This security advisory may be freely distributed, provided that it
    remains unaltered and in its original form.

    -- Disclaimer --

    The information contained within this advisory is supplied "as-is" with
    no warranties or guarantees of fitness of use or otherwise. Corsaire
    accepts no responsibility for any damage caused by the use or misuse of
    this information.

    -- About Corsaire --

    Corsaire are a leading information security consultancy, founded in 1997
    in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
    analytical rigour to every job, which means fast and dramatic security
    performance improvements. Our services centre on the delivery of
    information security planning, assessment, implementation, management
    and vulnerability research.

    A free guide to selecting a security assessment supplier is available at
    http://www.penetration-testing.com

    Copyright 2004 Corsaire Limited. All rights reserved.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

