Bugtraq mailing list archives

Re: I think


From: bgreenbaum () SECURITYFOCUS COM (Ben Greenbaum)
Date: Mon, 29 May 2000 12:56:48 -0700


Verified with trialware NetOp 6.0 on NT4WS, SP6. Full unauthenticated
read, write and create access to any file/directory, including sam._,
startup folders, etc., for anyone with the client and access to NetBIOS
sessions on the target host.

Emailed the vendor on May 26, no response as of yet.

Ben Greenbaum
Director of Site Content
Security Focus
http://www.securityfocus.com

---Jay Mobley wrote:---
So, I'm fairly green with all this security hub-bub, so admittedly I feel
pretty outta my league, but here is the lowdown. I use a product called
NetOps. It's a remote control client/server package ... or in their terms,
host and guest.
Among its features is one that allows a guest to xfer files back and forth
from the host. In my case the host is run on our NT 4.0 server. A user
typically connects, sends the Ctrl-Alt-Del and logs in as if the user were
sitting at the console. Mouse and keyboard output is sent to the remote
controlled station.
The security flaw I think I have found has to do with simply connecting to
the host and beginning a file transfer. NO AUTHENTICATION IS REQUIRED to
either copy files to or from a host running this NetOps software!
Is this a valid security flaw??

-Jay Mobley

------

