Re: NetMeeting 3.01 Local RDS Session Hijacking

From: proberts@teleport.com
Date: 09/20/02


Date: 20 Sep 2002 04:47:19 -0000
From: <proberts@teleport.com>
To: bugtraq@securityfocus.com


('binary' encoding is not supported, stored as-is) In-Reply-To: <PGEPILBOHHKBMPFBEKCIOEFGCLAA.proberts@teleport.com>

To clarify the initial post and different key sequences:

When the NetMeeting password protected screensaver is bypassed and control
of the local system is taken, the local session hijacker gains the rights
of the local logged in user. In most cases this is administrator as
administrator rights are required to connect to a remote desktop session
and a remote user often uses the same account locally. Additionally, any
extra rights or remote administration connections currently associated
with the local session such as NetWare connections or other client
connections to applications such as IDS management systems would be
transferred to the local console hijacker. The initial post stated that
rights of the 'remote user' would be gained and that may have been an
unclear statement.

Note that in some cases the last couple steps might seem unecessary as
control appears to be transferred to the local console. The steps are
usually required to prevent an error appearing when launching a program
indicating that the system is shutting down or to prevent the password
protected screensaver from invoking itself. Also, too long a delay in the
steps may allow the screensaver to lock the session.

Keys by OS:
(These steps will assume that an application has altered or new data such
as text added to an unsaved notepad window for simplicity.)

Windows XP Professional
(1) CTRL-ALT-DEL
(2) Shutdown
(3) OK
(4) ESC
(5) Wait for the "End Program" dialog box to appear
(6) Select Cancel
(7) Cancel the save of changed data

Windows 2000 Professional Spk3
(1) CTRL-ALT-DEL
(2) Log Off
(3) Yes
(4) ESC
(5) Wait for the "End Program" dialog box to appear
(6) Select Cancel
(7) Cancel the save of changed data
(8) CTRL-ALT-DEL
(9) ESC

Windows NT 4.0 Spk6a
(1) CTRL-ALT-DEL
(2) Logout
(3) OK
(4) ESC
(6) Select Cancel
(7) Cancel the save of changed data
(8) CTRL-ALT-DEL
(9) ESC



Relevant Pages

  • Re: Zu Textfeld springen / ESC
    ... ersten Wertes überprüfe ich mit einer Ereignisporzedur nach Aktualisierung auf Richtigkeit. ... Cancel = True ... rein und schon ist der Schliessen Button der Standard ESC Button. ...
    (microsoft.public.de.access)
  • THANK you! -> Re: Cancelling a Text Box Edit
    ... >>What is the best way to cancel an edit operation on data in a text box? ... >>programmatic equivalent to the ESC key that will prevent the new data from ... A control's UnDo method is the same ... > same as a user hitting Esc twice. ...
    (microsoft.public.access.formscoding)
  • Re: Link to dbf file requires selecting an index
    ... Hitting Cancel or Esc will cause MS Access to completely exit and no link is ... Not sure what has happened with respect to not being able to link to dbf ... > You might have just hit Cancel or Esc. ...
    (microsoft.public.access.gettingstarted)
  • Re: Shortcut Key!
    ... Well, for certain, make sure none of your buttons have the property "Cancel" ... otherwise pressing the ESC key will activate the button with the ... canceled property that is set to true. ... > 'Esc' key is pressed. ...
    (microsoft.public.vb.general.discussion)
  • Re: Shortcut Key!
    ... > the 'Esc' key would cancel his action. ... If it like a calculator, then you should have a command button somewhere ...
    (microsoft.public.vb.general.discussion)