In comparing findings with the "Microsoft NetMeeting 3.0 Security Assessment and Configuration Guide" available through the National Security Agency web site (www.nsa.gov, in the Security Recommendation Guides section), I noticed a discrepancy in findings. The guide indicated the Screen Saver Protection feature did not work as advertised, allowing someone to view the remote user's activity but not use the host system. It is possible to hijack the local session given physical access. I appreciate the NSA's timely addition to the guide to include the 'unconfirmed' RDS Hijacking warning and stressing the point that physical security for the host computer is paramount.

CONTACT INFORMATION
===============================================================================

Let us know who you are:

Name:                    Paul A Roberts
E-mail:                  proberts@teleport.com
                         paul.a.roberts@state.or.us
Phone:                   (503)581-1881 / (503)945-6443
Affiliation and address: Oregon Department of Human Services
                         Network & Desktop Services
                         5th Floor
                         500 Summer St. NE
                         Salem, OR 97301

Have you reported this to the vendor? YES

If so, please let us know whom you've contacted:

Date of your report     : 10/03/01
Vendor contact name     : Scott
Vendor contact phone    :
Vendor contact e-mail   : secure@microsoft.com
Vendor reference number : [msrc 899sc]

If not, we encourage you to do so--vendors need to hear about vulnerabilities from you as a customer.

POLICY INFO
===============================================================================

We encourage communication between vendors and their customers. When we forward a report to the vendor, we include the reporter's name and contact information unless you let us know otherwise. If you want this report to remain anonymous, please check here:

___ Do not release my identity to your vendor contact.

TECHNICAL INFO
===============================================================================

If there is a CERT Vulnerability tracking number please put it here (otherwise leave blank): VU#______.

Please describe the vulnerability.
---------------------------------

What is the impact of this vulnerability?
----------------------------------------

a) What is the specific impact:

The NetMeeting 3.01 Remote Desktop Sharing (RDS) Screen Saver Protection option is designed to prevent a local user from taking control of the host workstation without proper authentication. The remote session can be hijacked at the host, giving the hijacker the authenticated local and network privileges of the remote user.

b) How would you envision it being used in an attack scenario:

An individual with physical access to the RDS host system, such as in an office-cubicle environment, could hijack an active session to gain local or network administration privileges from a remote user.

To your knowledge is the vulnerability currently being exploited?
----------------------------------------------------------------

NO

If there is an exploitation script available, please include it here.
--------------------------------------------------------------------

Sample Exploit:

When a Windows NT, 2000, or XP system is being controlled remotely by the NetMeeting RDS service, a local user can execute the following:

(1) Hijacker monitors the RDS session at the local RDS host screen until the remote user makes a change to a document or setting (e.g., opening Notepad and typing text).
(2) Hijacker uses the following sequence (keys vary slightly between OS versions): CTRL-ALT-DEL, 'shut down', 'Okay', ESC. (Effectively starting a logoff of the session and grabbing control from the authorized remote user.)
(3) Hijacker has local keyboard control and the "Do you want to save the changes?" box is displayed.
(4) Hijacker uses the 'Cancel' button to abort the logoff.
(5) Screensaver may briefly appear, or the desktop background only may appear. Pressing CTRL-ALT-DEL followed by the ESC key at this point gives the hijacker full control of the system with the remote user's credentials. (The remote user may still view the session until disconnected or the program is exited; however, the remote user cannot take control of the session back from the hijacker.)

Do you know what systems and/or configurations are vulnerable?
-------------------------------------------------------------

YES (If yes, please list them below)

System:           Microsoft NetMeeting 3.01 through latest Spk2 (4.4.3396)
OS version:       Windows NT 4.0 Spk6, Windows 2000 Spk3, Windows XP Professional
Verified/Guessed: Verified

Are you aware of any workarounds and/or fixes for this vulnerability?
--------------------------------------------------------------------

NO (If you have a workaround or are aware of patches please include the information here.)

OTHER INFORMATION
===============================================================================

Is there anything else you would like to tell us?

This vulnerability was first reported to Microsoft in October of 2001, and a fix was said to be coming in the next service pack. In a follow-up in March of 2002, Microsoft's Security Response Center indicated that the fix was "definitely going to ship as part of Windows 2000 Service Pack 3". Post-Spk3 testing indicates the RDS session can still be hijacked as described with Windows 2000 Spk3, and since the Spk for 2000 would not be a fix for NT or XP, I'm releasing this issue.