Bugtraq mailing list archives

NetMeeting 3.01 Local RDS Session Hijacking


From: "Paul A Roberts" <proberts () teleport com>
Date: Thu, 12 Sep 2002 23:00:31 -0700

In comparing findings with the "Microsoft NetMeeting 3.0 Security Assessment and Configuration Guide" available through the National Security Agency web site (www.nsa.gov, in the Security Recommendation Guides section), I noticed a discrepancy in findings. The guide indicated the Screen Saver Protection feature did not work as advertised, allowing someone to view the remote user's activity but not use the host system. It is possible to hijack the local session given physical access. I appreciate the NSA's timely addition to the guide to include the 'unconfirmed' RDS Hijacking warning and stressing the point that physical security for the host computer is paramount.

CONTACT INFORMATION
===============================================================================
Let us know who you are:

Name: Paul A Roberts
E-mail: proberts () teleport com
paul.a.roberts () state or us
Phone: (503)581-1881 / (503)945-6443

Affiliation and address: Oregon Department of Human Services
Network & Desktop Services
5th Floor
500 Summer St. NE
Salem, OR 97301

Have you reported this to the vendor? YES

If so, please let us know whom you've contacted:

Date of your report : 10/03/01
Vendor contact name : Scott
Vendor contact phone :
Vendor contact e-mail : secure () microsoft com
Vendor reference number : [msrc 899sc]

If not, we encourage you to do so--vendors need to hear about
vulnerabilities from you as a customer.

POLICY INFO
===============================================================================
We encourage communication between vendors and their customers. When
we forward a report to the vendor, we include the reporter's name and
contact information unless you let us know otherwise.
If you want this report to remain anonymous, please check here:
___ Do not release my identity to your vendor contact.

TECHNICAL INFO
===============================================================================
If there is a CERT Vulnerability tracking number please put it
here (otherwise leave blank): VU#______.
Please describe the vulnerability.
---------------------------------
What is the impact of this vulnerability?
----------------------------------------
a) What is the specific impact:

The NetMeeting 3.01 Remote Desktop Sharing (RDS) Screen Saver Protection option is designed to prevent a local user from taking control of the host workstation without proper authentication. The remote session can be hijacked at the host, giving the hijacker the authenticated local and network privileges of the remote user.

b) How would you envision it being used in an attack scenario:

An individual with physical access to the RDS host system, such as in an office-cubicle environment, could hijack an active session to gain local or network administration privileges from a remote user.

To your knowledge is the vulnerability currently being exploited?
----------------------------------------------------------------
NO

If there is an exploitation script available, please include it here.
--------------------------------------------------------------------

Sample Exploit:

When a Windows NT, 2000, or XP system is being controlled remotely by the NetMeeting RDS service, a local user can execute the following:

(1) Hijacker monitors the RDS session at the local RDS host screen until the remote user makes a change to a document or setting (e.g., opening Notepad and typing text).

(2) Hijacker uses the following sequence (keys vary slightly between OSes): CTRL-ALT-DEL, 'Shut Down', 'OK', ESC. (This effectively starts a logoff of the session and grabs control from the authorized remote user.)

(3) Hijacker has local keyboard control and the "Do you want to save the changes?" box is displayed.

(4) Hijacker uses the 'Cancel' button to abort the logoff.

(5) The screensaver may briefly appear, or only the desktop background may appear. Pressing CTRL-ALT-DEL followed by the ESC key at this point gives the hijacker full control of the system with the remote user's credentials. (The remote user may still view the session until disconnected or the program is exited, but cannot take control of the session back from the hijacker.)

Do you know what systems and/or configurations are vulnerable?
-------------------------------------------------------------
YES (If yes, please list them below)

System: Microsoft NetMeeting 3.01 through latest Spk2 (4.4.3396)
OS version: Windows NT 4.0 Spk6, Windows 2000 Spk3, Windows XP Professional
Verified/Guessed: Verified

Are you aware of any workarounds and/or fixes for this vulnerability?
--------------------------------------------------------------------
NO (If you have a workaround or are aware of patches
please include the information here.)
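Since the report lists no fix and the only stated mitigation is physical security of the RDS host, the practical defensive step is to know which machines actually have Remote Desktop Sharing installed and running, so console access to those machines can be restricted. The following inventory script is an added example and is not part of the original report or of NetMeeting itself. It assumes the RDS service name is `mnmsrvc` (NetMeeting Remote Desktop Sharing), that it is run from an administrator's workstation with WMI access to the target hosts (the NT 4.0 / 2000 / XP hosts named in the report cannot run PowerShell themselves), and the default host list is a constructed placeholder.

```powershell
# Added example (not from the original report): inventory which hosts have the
# NetMeeting Remote Desktop Sharing service installed and whether it is running.
# ASSUMPTION: the service is registered under the name 'mnmsrvc'; confirm this
# against a known NetMeeting host before relying on the results.

function Get-RdsServiceStatus {
    param(
        # Hosts to query over WMI; 'localhost' is a constructed default.
        [string[]]$ComputerName = @('localhost')
    )

    $rdsServiceName = 'mnmsrvc'   # assumed NetMeeting RDS service name

    foreach ($computer in $ComputerName) {
        try {
            $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer -Filter "Name='$rdsServiceName'" -ErrorAction Stop
        } catch {
            # Host unreachable or access denied: report it rather than silently skipping.
            [pscustomobject]@{
                Computer  = $computer
                Installed = $null
                State     = 'UNREACHABLE'
                StartMode = $null
                Note      = $_.Exception.Message
            }
            continue
        }

        if ($null -eq $svc) {
            [pscustomobject]@{
                Computer  = $computer
                Installed = $false
                State     = 'N/A'
                StartMode = 'N/A'
                Note      = 'RDS service not present'
            }
            continue
        }

        # A running RDS service means an active remote session on this host
        # could be taken over from its physical console, as the report describes.
        if ($svc.State -eq 'Running') {
            $note = 'RDS active: restrict physical access to this console'
        } else {
            $note = 'RDS installed but not running'
        }

        [pscustomobject]@{
            Computer  = $computer
            Installed = $true
            State     = $svc.State
            StartMode = $svc.StartMode
            Note      = $note
        }
    }
}

# Usage: pass the hosts to audit; output is one row per host.
Get-RdsServiceStatus -ComputerName @('localhost') | Format-Table -AutoSize
```

Hosts reported as `Running` with an automatic start mode are the ones where the Screen Saver Protection option is doing less than its name suggests, and where a locked office or server room, rather than the NetMeeting setting, is the control that actually matters.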

OTHER INFORMATION
===========================================================================
Is there anything else you would like to tell us?

This vulnerability was first reported to Microsoft in October of 2001 and a fix was said to be coming in the next service pack. In a follow-up in March of 2002, Microsoft's Security Response Center indicated that the fix was "definitely going to ship as part of Windows 2000 Service Pack 3". Post-Spk3 testing indicates the RDS session can still be hijacked as described with Windows 2000 Spk3, and since the Spk for 2000 would not be a fix for NT or XP, I'm releasing this issue.
