_____________________________________________________________________
b u f f e r 0 v e r f l 0 w   s e c u r i t y   a d v i s o r y   # 2

Advisory Name: NetOp, Bypass of NT Security to retrieve files
Date: 12/4/00
Application: NetOp Remote Control
Vendor: Danware
WWW: www.netop.dk
Severity: Any user can browse and even download files from the remote computer
Author: axess ( axess@mail.com )
Homepage: www.b0f.com

* Overview

NetOp is a remote control tool for administrators that lets you capture the screen of a remote computer and work on it as if you were in front of it. It is client/host based software.

* The Problem

By default, no account is set up to verify that you are authorised to use the host software running on the server, so anyone who has a client for it can access the screen. The default port, 6502, is used.

I have done a lot of testing of this and found that most of the people running it don't use the accounts that can be set up to verify, with an account and password, that you are allowed to use the host. They rely on NT security and on locking the screen, which is supposed to be enough.

So if we log on, we get a normal screen that says to log in with an administrator account. That is not easy to bypass, but there is a function you can use called file transfer. I use that method, and a screen that looks like Explorer appears; you can download sam._ or whatever file you want and start cracking it, simply bypassing all the NT security.

* Vulnerable Versions

Version 6 is the only one tested, but I believe all versions prior to that are vulnerable.

* Fix

Version 6.5 has just been released and uses NT security, which will fix this problem.

copyright © 1999-2000 axess, buffer0verfl0w security
www.b0f.com
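A defender-side check for the exposure described under "The Problem", as an added example that is not part of the original advisory: it scans firewall log lines for traffic to the default NetOp port 6502 coming from sources outside the expected administrative subnets. The log format, the addresses and the ADMIN_NETS allowlist are constructed assumptions.

```python
import ipaddress
import re

NETOP_PORT = 6502  # default NetOp host port named in the advisory

# Assumption: subnets from which remote-control sessions are expected.
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed sample lines in a hypothetical firewall log format:
# "<timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2000-12-04T09:14:02 ALLOW TCP 10.0.5.17:1044 -> 10.0.1.20:6502
2000-12-04T09:15:40 ALLOW TCP 192.0.2.77:3310 -> 10.0.1.20:6502
2000-12-04T09:16:11 ALLOW TCP 192.0.2.77:3311 -> 10.0.1.20:80
2000-12-04T09:17:55 DENY TCP 198.51.100.9:2200 -> 10.0.1.21:6502
2000-12-04T09:18:03 ALLOW UDP 10.0.9.44:1900 -> 10.0.1.21:6502
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def unexpected_netop_sessions(log_text, admin_nets=ADMIN_NETS, port=NETOP_PORT):
    """Return (timestamp, src, dst, action) for traffic to the NetOp port
    from sources outside the expected admin subnets."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != port:
            continue  # unparseable line or unrelated service
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in admin_nets):
            continue  # expected administrative source
        findings.append((m["ts"], str(src), m["dst"], m["action"]))
    return findings

def exposed_hosts(findings):
    """Hosts where an unexpected source was actually allowed through."""
    return sorted({dst for _, _, dst, action in findings if action == "ALLOW"})

if __name__ == "__main__":
    hits = unexpected_netop_sessions(SAMPLE_LOG)
    for ts, src, dst, action in hits:
        print(f"{ts} {action:5} {src} -> {dst}:{NETOP_PORT}")
    print("hosts reached from outside admin nets:", exposed_hosts(hits))
```

Hosts reported by `exposed_hosts` are the ones to check first for whether NetOp account verification is configured.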