Bugtraq mailing list archives
Re: I think
From: bgreenbaum () SECURITYFOCUS COM (Ben Greenbaum)
Date: Mon, 29 May 2000 12:56:48 -0700

Verified with trialware NetOp 6.0 on NT4WS, SP6. Full unauthenticated read, write and create access to any file/directory, including sam._, startup folders, etc., for anyone with the client and access to netbios sessions on the target host. Emailed the vendor on May 26, no response as of yet.

Ben Greenbaum
Director of Site Content
Security Focus
http://www.securityfocus.com

---Jay Mobley wrote:---

So, I'm fairly green with all this security hub-bub, so admittedly I feel pretty outta my league, but here is the low down. I use a product called NetOps. It's a remote control client/server package ... or in their terms, host and guest. Among its features is one that allows a guest to xfer files back and forth from the host. In my case the host is run on our NT 4.0 server. A user typically connects, sends the ctr-alt-del and logs in as if the user were sitting at the console. Mouse and keyboard output is sent to the remote controlled station.

The security flaw I think I have found has to do with simply connecting to the host and beginning a file transfer. NO AUTHENTICATION IS REQUIRED to either copy files to or from a host running this NetOps software! Is this a valid security flaw??

-Jay Mobley
------