Run code on NAV 2017 server using add-in and RTC

bugch3ckbugch3ck Posts: 1Member
Hi

I work as a security consultant and is currently trying to understand the attack surface available through the NAV server RTC client service (tcp port 7046). As I understand it the Control Add-ins can be added through RTC given sufficient permissions. What I have not been able to determine is if this is possible as admin with only access to RTC. All the add-in examples I have found includes creating a page that reference the Control Add-in, which I guess is not possible through the RTC I have access to. Note that I cannot create pages and I cannot access the server except though RTC.

So, can an add-in be used to trigger arbitrary code on the server with only acces to RTC as full admin? The server runs NAV 2017.

Best regards,
Jonas Vestberg
Sign In or Register to comment.