Howdy, Stranger!
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.6K Microsoft Dynamics NAV
- 18.7K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 115 Navision DOS
- 854 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 615 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 302 Dynamics CRM
- 109 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 993 SQL General
- 384 SQL Performance
- 34 SQL Tips & Tricks
- 34 Design Patterns (General & Best Practices)
- Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.7K General
- 1.1K General Chat
- 1.6K Website
- 79 Testing
- 1.2K Download section
- 23 How Tos section
- 259 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions
Run code on NAV 2017 server using add-in and RTC
bugch3ck
Member Posts: 1
Hi
I work as a security consultant and is currently trying to understand the attack surface available through the NAV server RTC client service (tcp port 7046). As I understand it the Control Add-ins can be added through RTC given sufficient permissions. What I have not been able to determine is if this is possible as admin with only access to RTC. All the add-in examples I have found includes creating a page that reference the Control Add-in, which I guess is not possible through the RTC I have access to. Note that I cannot create pages and I cannot access the server except though RTC.
So, can an add-in be used to trigger arbitrary code on the server with only acces to RTC as full admin? The server runs NAV 2017.
Best regards,
Jonas Vestberg
I work as a security consultant and is currently trying to understand the attack surface available through the NAV server RTC client service (tcp port 7046). As I understand it the Control Add-ins can be added through RTC given sufficient permissions. What I have not been able to determine is if this is possible as admin with only access to RTC. All the add-in examples I have found includes creating a page that reference the Control Add-in, which I guess is not possible through the RTC I have access to. Note that I cannot create pages and I cannot access the server except though RTC.
So, can an add-in be used to trigger arbitrary code on the server with only acces to RTC as full admin? The server runs NAV 2017.
Best regards,
Jonas Vestberg
0