The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Danware NetOp Host Multiple Information Disclosure Issues
------------------------------------------------------------------------
SUMMARY
The <http://www.danware.com> Danware NetOp Host and Guest products
provide remote control capabilities for a variety of operating systems.
The data exchange between the Guest and Host can be protected by both
authentication and encryption, but even with these options enabled the
NetOp proprietary protocol can still disclose the hostname, username and
local IP address of the host system.
DETAILS
Vulnerable Systems:
* Danware NetOp versions prior to 7.65 build 2004278
Immune Systems:
* Danware NetOp version 7.65 build 2004278
The NetOp Host and Guest products use a number of standard transport
protocols (such as UDP, TCP and IPX) to encapsulate a proprietary data
exchange through which remote control services are provided. This
proprietary exchange can be protected by a number of optional features,
such as authentication and data encryption. However, early on in the
session initiation process (prior to both authentication and encryption
being enforced), it is still possible for the hostname, username and local
IP address of the host system to be disclosed.
If a valid NetOp HELO request is sent to the host, then it responds with a
packet that may contain one or more of the NetOp hostname, username and
local IP address value. Although the hostname option can be overridden,
the default setting is to "use Windows computer name". If enabled, the
username returned will be the name of the current logged in user (if any).
Additionally, if the system is protected by a firewall or other device
that provides NAT services between private and public address ranges, then
the private addressing information will be disclosed.
The NetOp products provide an option to disable making this information
public, however in versions prior to 7.65 build 2004278 this does not work
as intended, and can be bypassed with the use of a custom HELO request.
Although none of these disclosures are critical in themselves, they
provide additional information that may be combined with other
vulnerabilities to launch further attacks against the host.
Recommendations:
Upgrade to NetOp 7.65 build 2004278.
Under the options "Host Name" tab, uncheck the "Public Host name" option.
If upgrading to NetOp 7.65 build 2004278 is not feasible, the following
workaround eliminates most disclosures of the computer and user name, but
does not protect against disclosing the private addressing through a NAT
gateway:
Under the options "Host Name" tab, select the "Enter name or leave name
field blank" radio button, and uncheck both the "Public Host name" and
"Enable User Name" options. In the name entry field then appearing on the
main program screen, actually leave the name field blank.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0950>
CAN-2004-0950
ADDITIONAL INFORMATION
The information has been provided by <mailto:martin.oneal@corsaire.com>
Martin O'Neal.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
