CVE-2004-0950
CVSS5.0
Published: 2005-02-09 00:00:00
Revised: 2008-09-05 16:39:54

[Original text] NetOp Host before 7.65 build 2004278 allows remote attackers to obtain sensitive hostname, username and local IP address information via (1) a NetOp HELO request, or (2) when responses are disabled, a "custom" HELO request.


[CNNVD] Danware NetOp Host multiple information disclosure vulnerabilities (CNNVD-200502-028)

        The Danware NetOp Host and Guest products provide remote control capabilities for a variety of operating systems, with authentication and encryption of the exchanged data.
        Danware NetOp Host mishandles communication during the session initialisation phase; a remote attacker can exploit this to obtain some sensitive information.
        The Danware NetOp Host and Guest products encapsulate their data exchange in a number of standard protocols. Although the authentication and data exchange are encrypted, the traffic of the early session initialisation process (before authentication and encryption) discloses the hostname, username and local IP address.
        If a valid NetOp HELO request is sent to the host, the response packet contains the NetOp hostname, username and local IP address in cleartext.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:danware_data:netop:7.0.1_build2002-01-29
cpe:/a:danware_data:netop:7.60_build2003-06-24
cpe:/a:danware_data:netop:6.50
cpe:/a:danware_data:netop:7.50_build2003-08-04
cpe:/a:danware_data:netop:6.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0950
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0950
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-028
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/11710
(VENDOR_ADVISORY)  BID  11710
http://xforce.iss.net/xforce/xfdb/18171
(UNKNOWN)  XF  danware-helo-obtain-information(18171)
http://www.corsaire.com/advisories/c040619-001.txt
(VENDOR_ADVISORY)  MISC  http://www.corsaire.com/advisories/c040619-001.txt
http://msgs.securepoint.com/cgi-bin/get/bugtraq0411/213.html
(UNKNOWN)  BUGTRAQ  20041119 Corsaire Security Advisory - Danware NetOp Host multiple information disclosure issues

- Vulnerability information

Danware NetOp Host multiple information disclosure vulnerabilities
Medium severity; Design error
Published: 2005-02-09 00:00:00; Updated: 2005-10-20 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade to fix this security issue; download link:
        http://www.danware.com/

- Vulnerability information (F35102)

Corsaire Security Advisory 2004-06-19.1 (PacketStormID:F35102)
2004-11-20 00:00:00
Martin O'Neal,Corsaire  penetration-testing.com
advisory,vulnerability,info disclosure
CVE-2004-0950

Corsaire Security Advisory - The aim of this document is to clearly define several vulnerabilities in the Danware NetOp Host product that suffers from multiple information disclosure issues.

-- Corsaire Security Advisory --

Title: Danware NetOp Host multiple information disclosure issues
Date: 19.06.04
Application: Danware NetOp prior to 7.65 build 2004278
Environment: Windows NT/2000/2003/XP/98
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General release
Reference: c040619-001


-- Scope --

The aim of this document is to clearly define several vulnerabilities in 
the NetOp Host product, as supplied by Danware Data A/S [1], that 
disclose information about the host that would be of use to an attacker.


-- History --

Discovered: 19.06.04 (Martin O'Neal)
Vendor notified: 23.06.04
Document released: 19.11.04


-- Overview --

The Danware NetOp Host and Guest products provide remote control 
capabilities for a variety of operating systems. The data exchange 
between the Guest and Host can be protected by both authentication and 
encryption, but even with these options enabled the NetOp proprietary 
protocol can still disclose the hostname, username and local IP address 
of the host system.


-- Analysis --

The NetOp Host and Guest products use a number of standard transport 
protocols (such as UDP, TCP and IPX) to encapsulate a proprietary data 
exchange through which remote control services are provided. This 
proprietary exchange can be protected by a number of optional features, 
such as authentication and data encryption. However, early on in the 
session initiation process (prior to both authentication and encryption 
being enforced), it is still possible for the hostname, username and 
local IP address of the host system to be disclosed.

If a valid NetOp HELO request is sent to the host, then it responds with 
a packet that may contain one or more of the NetOp hostname, username 
and local IP address value. Although the hostname option can be 
overridden, the default setting is to "use Windows computer name". If 
enabled, the username returned will be the name of the currently logged-in 
user (if any). Additionally, if the system is protected by a firewall or 
other device that provides NAT services between private and public 
address ranges, then the private addressing information will be 
disclosed. 

The NetOp products provide an option to disable making this information 
public, however in versions prior to 7.65 build 2004278 this does not 
work as intended, and can be bypassed with the use of a custom HELO 
request. 

Although none of these disclosures are critical in themselves, they
provide additional information that may be combined with other
vulnerabilities to launch further attacks against the host.


-- Recommendations --

Upgrade to NetOp 7.65 build 2004278. 

Under the options "Host Name" tab, uncheck the "Public Host name" option.

If upgrading to NetOp 7.65 build 2004278 is not feasible, the following
workaround eliminates most disclosures of the computer and user name,
but does not protect against disclosing the private addressing through a
NAT gateway:

Under the options "Host Name" tab, select the "Enter name or leave name 
field blank" radio button, and uncheck both the "Public Host name" and 
"Enable User Name" options.  In the name entry field then appearing on
the main program screen, actually leave the name field blank.

For those who are unsure if they have NetOp installed within their 
environment, or whether the configuration options are correctly 
configured, Corsaire (in collaboration with Danware) have provided a 
NASL signature for Nessus [2] that will provide the appropriate positive 
verification.  


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CAN-2004-0950 to this issue. This is a candidate for inclusion in 
the CVE list (http://cve.mitre.org), which standardises names for 
security problems.


-- References --

[1] http://www.danware.com
[2] http://www.nessus.org


-- Revision --

a. Initial release.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 
http://www.penetration-testing.com 


Copyright 2004 Corsaire Limited. All rights reserved. 




- Vulnerability information

11993
Danware NetOp Host HELO Request Remote Information Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality

- Vulnerability description

Unknown or Incomplete

- Timeline

Disclosure date: 2004-11-19; Discovery date: 2004-06-19
Exploit publish date: 2004-11-19; Solution date: Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Danware NetOp Remote Control Information Disclosure Vulnerability
Class: Design Error; BID 11710
Remote: Yes; Local: No
Published: 2004-11-19 12:00:00; Updated: 2009-07-12 08:06:00
Martin O'Neal <martin.oneal@corsaire.com> of Corsaire Security disclosed this vulnerability.

- Affected program versions

Danware Data NetOp 7.60 build 2003246
Danware Data NetOp 7.50 build 2003048
Danware Data NetOp 7.0 1 build 2002291
Danware Data NetOp 6.50
- Microsoft Windows 3.11
- Microsoft Windows 3.11
- Microsoft Windows 3.1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
Danware Data NetOp 6.0
- Microsoft Windows 3.11
- Microsoft Windows 3.11
- Microsoft Windows 3.1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0
Danware Data NetOp 7.65 build 2004317
Danware Data NetOp 7.65 build 2004278

- Unaffected program versions

Danware Data NetOp 7.65 build 2004317
Danware Data NetOp 7.65 build 2004278

- Vulnerability discussion

It is reported that NetOp Remote Control is susceptible to an information disclosure vulnerability.

This vulnerability reportedly allows remote attackers to discern the name of the user that is logged in and the internal IP address and hostname of the targeted computer. This information may aid malicious users in further attacks.

Versions prior to 7.65 build 2004278 are reported vulnerable to this issue.

- Exploit

An exploit is not required.

- Solution

The vendor has released version 7.65 build 2004278 to address this issue. Users still have to configure the software to disable the 'Public Host Name' option to stop the application from disclosing potentially sensitive information.

Please see the referenced 'Modification Notes - Amelioration History' for further information.


Danware Data NetOp 6.0

Danware Data NetOp 6.50

Danware Data NetOp 7.0 1 build 2002291

Danware Data NetOp 7.50 build 2003048

Danware Data NetOp 7.60 build 2003246

- References