[NT] NetMeeting 3.01 Local RDS Session Hijacking

From: support@securiteam.com
Date: 09/18/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 18 Sep 2002 14:21:21 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  NetMeeting 3.01 Local RDS Session Hijacking
------------------------------------------------------------------------

SUMMARY

A vulnerability in the Remote Desktop Sharing (RDS) module used by NetMeeting
allows an individual with physical access to the RDS host system (for example,
in an office-cubicle environment) to hijack an active session and thereby gain
the local or network administrative privileges of the remote user.

DETAILS

Vulnerable systems:
 * Microsoft NetMeeting 3.01 through the latest SPK2, under Windows NT 4.0
   Spk6, Windows 2000 Spk3, and Windows XP Professional

Impact:
The NetMeeting 3.01 Remote Desktop Sharing (RDS) Screen Saver Protection
option is designed to prevent a local user from taking control of the host
workstation without proper authentication. Despite this option, the remote
session can be hijacked at the host, giving the hijacker the authenticated
local and network privileges of the remote user.

Recreation:
When a Windows NT, 2000, or XP system is being controlled remotely by the
NetMeeting RDS service, a local user can execute the following:

(1) Hijacker monitors the RDS session at the local RDS host screen until
the remote user makes a change to a document or setting (i.e., opening
Notepad and typing text).

(2) Hijacker uses the following sequence (keys vary slightly between OS):
CTRL-ALT-DEL, 'shut down', 'Okay', ESC. (Effectively starting a logoff of
the session and grabbing control from the authorized remote user.)

(3) Hijacker has local keyboard control and the "Do you want to save the
changes?" box is displayed.

(4) Hijacker uses the 'Cancel' button to abort the logoff.

(5) The screensaver may briefly appear, or only the desktop background may
appear. Pressing CTRL-ALT-DEL followed by the ESC key at this point gives
the hijacker full control of the system with the remote user's
credentials. (The remote user may still view the session until it is
disconnected or the program is exited, but cannot take control of the
session back from the hijacker.)

Vendor status:
This vulnerability was first reported to Microsoft in October of 2001, and
a fix was said to be coming in the next service pack. In a follow-up in
March of 2002, Microsoft's Security Response Center indicated that the fix
was "definitely going to ship as part of Windows 2000 Service Pack 3".
Post-Spk3 testing indicates the RDS session can still be hijacked as
described on Windows 2000 Spk3, and since a service pack for Windows 2000
would not be a fix for NT or XP, the reporter (Paul Roberts) is releasing
this issue.
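Because no vendor fix was available for NT or XP at the time, the practical mitigation is to not leave the NetMeeting RDS service running on hosts whose consoles are physically reachable. The following PowerShell check is an added example, not part of the SecuriTeam advisory or of NetMeeting itself: it reports whether the RDS service is installed and running on the local host and, with the `-Disable` switch, stops it and marks it Disabled. It assumes the service is registered under the name `mnmsrvc` (NetMeeting Remote Desktop Sharing); adjust that name if your build registers it differently.

```powershell
# Added example (not from the advisory): audit the NetMeeting Remote Desktop
# Sharing service on a Windows host and optionally disable it.
# Assumption: the RDS service name is "mnmsrvc"; verify with `Get-Service`
# on a reference machine before relying on this name fleet-wide.
param(
    [switch]$Disable   # when set, stop the service and set its start type to Disabled
)

$serviceName = 'mnmsrvc'
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue

if (-not $svc) {
    Write-Output "NetMeeting RDS service '$serviceName' is not installed on $env:COMPUTERNAME."
    return
}

Write-Output ("RDS service found on {0}: Status={1} StartType={2}" -f
    $env:COMPUTERNAME, $svc.Status, $svc.StartType)

# A running RDS service means a remote user may be attached to the console,
# which is exactly the state the local-console hijack above depends on.
if ($svc.Status -eq 'Running') {
    Write-Warning "RDS is active on $env:COMPUTERNAME; do not leave this console unattended."
}

if ($Disable) {
    Stop-Service -Name $serviceName -Force -ErrorAction Stop
    Set-Service -Name $serviceName -StartupType Disabled
    Write-Output "RDS service '$serviceName' stopped and set to Disabled."
}
```

Run it without switches from an elevated prompt to inventory a host; run it with `-Disable` on hosts that do not need RDS. On a fleet, the same check can be fed a list of machine names through `Get-Service -ComputerName` or Invoke-Command.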

ADDITIONAL INFORMATION

The information has been provided by Paul A. Roberts <proberts@teleport.com>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
