SecurityTracker.com
SecurityTracker
Archives
Category: Application (Multimedia) > NetMeeting
Vendors: Microsoft
Microsoft NetMeeting Remote Desktop Sharing Screen Saver Access Control Flaw Lets Physically Local Users Hijack Remote Sessions
SecurityTracker Alert ID:  1005243
SecurityTracker URL:  http://securitytracker.com/id/1005243
CVE Reference: GENERIC-MAP-NOMATCH
Date:  Sep 18 2002
Impact:   User access via local system
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 3.01
Description:   An access control vulnerability was reported in Microsoft NetMeeting. A physically local user can hijack a Remote Desktop Sharing (RDS) session.

It is reported that the NetMeeting Remote Desktop Sharing (RDS) Screen Saver Protection feature fails to properly restrict access of physically local users. A physically local user can apparently hijack a remote session to obtain the privileges of the remote user.

A demonstration exploit scenario for a system being controlled remotely by the NetMeeting RDS service is provided:

(1) Hijacker monitors the RDS session at the local RDS host screen until the remote user makes a change to a document or setting (i.e., opening Notepad and typing text).

(2) Hijacker uses the following sequence (keys vary slightly between OS): CTRL-ALT-DEL, 'shut down', 'Okay', ESC. (Effectively starting a logoff of the session and grabbing control from the authorized remote user.)

(3) Hijacker has local keyboard control and the "Do you want to save the changes?" box is displayed.

(4) Hijacker uses the 'Cancel' button to abort the logoff.

(5) The screensaver may briefly appear, or only the desktop background may appear. Pressing CTRL-ALT-DEL followed by the ESC key at this point gives the hijacker full control of the system with the remote user's credentials. (The remote user may still view the session until disconnected or the program is exited, but cannot take control of the session back from the hijacker.)

The vendor is reportedly aware of the bug.

Impact:   A physically local user on a system that is engaged in a NetMeeting RDS session can hijack the session and gain access to the system with the privileges of the hijacked remote user.
Solution:   No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/technet/security/
Cause:   Access control error, State error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


Source Message Contents

Subject:  NetMeeting 3.01 Local RDS Session Hijacking


In comparing findings with the "Microsoft NetMeeting 3.0 Security Assessment and Configuration Guide" available through the National Security Agency web site (www.nsa.gov in the Security Recommendation Guides section), I noticed a discrepancy in findings. The guide indicated the Screen Saver Protection feature did not work as advertised, allowing someone to view the remote user's activity but not use the host system. It is possible to hijack the local session given physical access. I appreciate the NSA's timely addition to the guide to include the 'unconfirmed' RDS Hijacking warning and stressing the point that physical security for the host computer is paramount.

CONTACT INFORMATION
===========================================================================
Let us know who you are:

Name: Paul A Roberts
E-mail: proberts@teleport.com
paul.a.roberts@state.or.us
Phone: (503)581-1881 / (503)945-6443

Affiliation and address: Oregon Department of Human Services
Network & Desktop Services
5th Floor
500 Summer St. NE
Salem, OR 97301

Have you reported this to the vendor? YES

If so, please let us know whom you've contacted:

Date of your report : 10/03/01
Vendor contact name : Scott
Vendor contact phone :
Vendor contact e-mail : secure@microsoft.com
Vendor reference number : [msrc 899sc]

If not, we encourage you to do so--vendors need to hear about
vulnerabilities from you as a customer.

POLICY INFO
===========================================================================
We encourage communication between vendors and their customers. When
we forward a report to the vendor, we include the reporter's name and
contact information unless you let us know otherwise.
If you want this report to remain anonymous, please check here:
___ Do not release my identity to your vendor contact.

TECHNICAL INFO
===========================================================================
If there is a CERT Vulnerability tracking number please put it
here (otherwise leave blank): VU#______.
Please describe the vulnerability.
---------------------------------
What is the impact of this vulnerability?
----------------------------------------
a) What is the specific impact:

The NetMeeting 3.01 Remote Desktop Sharing (RDS) Screen Saver Protection option is designed to prevent a local user from taking control of the host workstation without proper authentication. The remote session can be hijacked at the host, giving the hijacker the authenticated local and network privileges of the remote user.

b) How would you envision it being used in an attack scenario:

An individual with physical access to the RDS host system, such as in an office-cubicle environment, could hijack an active session to gain local or network administration privileges from a remote user.

To your knowledge is the vulnerability currently being exploited?
----------------------------------------------------------------
NO

If there is an exploitation script available, please include it here.
--------------------------------------------------------------------

Sample Exploit:

When a Windows NT, 2000, or XP system is being controlled remotely by the NetMeeting RDS service, a local user can execute the following:

(1) Hijacker monitors the RDS session at the local RDS host screen until the remote user makes a change to a document or setting (i.e., opening Notepad and typing text).

(2) Hijacker uses the following sequence (keys vary slightly between OS): CTRL-ALT-DEL, 'shut down', 'Okay', ESC. (Effectively starting a logoff of the session and grabbing control from the authorized remote user.)

(3) Hijacker has local keyboard control and the "Do you want to save the changes?" box is displayed.

(4) Hijacker uses the 'Cancel' button to abort the logoff.

(5) Screensaver may briefly appear or the desktop background only may appear. Pressing CTRL-ALT-DEL followed by the ESC key at this point gives the hijacker full control of the system with the remote user's credentials. (The remote user still may view the session until disconnected or the program is exited; however, it cannot take control of the session back from the hijacker.)

Do you know what systems and/or configurations are vulnerable?
-------------------------------------------------------------
YES (If yes, please list them below)

System: Microsoft NetMeeting 3.01 through latest Spk2 (4.4.3396)
OS version: Windows NT 4.0 Spk6, Windows 2000 Spk3, Windows XP Professional
Verified/Guessed: Verified

Are you aware of any workarounds and/or fixes for this vulnerability?
--------------------------------------------------------------------
NO (If you have a workaround or are aware of patches
please include the information here.)

OTHER INFORMATION
===========================================================================
Is there anything else you would like to tell us?

This vulnerability was first reported to Microsoft in October of 2001 and a fix was said to be coming in the next service pack. In a follow-up in March of 2002, Microsoft's Security Response Center indicated that the fix was "definitely going to ship as part of Windows 2000 Service Pack 3". Post-Spk3 testing indicates the RDS session can still be hijacked as described with Windows 2000 Spk3, and since the Spk for 2000 would not be a fix for NT or XP, I'm releasing this issue.