Bugtraq mailing list archives

Re: NetMeeting 3.01 Local RDS Session Hijacking


From: <proberts () teleport com>
Date: 20 Sep 2002 04:47:19 -0000

In-Reply-To: <PGEPILBOHHKBMPFBEKCIOEFGCLAA.proberts () teleport com>

To clarify the initial post and different key sequences:

When the NetMeeting password protected screensaver is bypassed and control 
of the local system is taken, the local session hijacker gains the rights 
of the local logged in user.  In most cases this is administrator as 
administrator rights are required to connect to a remote desktop session 
and a remote user often uses the same account locally.  Additionally, any 
extra rights or remote administration connections currently associated 
with the local session such as NetWare connections or other client 
connections to applications such as IDS management systems would be 
transferred to the local console hijacker.  The initial post stated that 
rights of the 'remote user' would be gained and that may have been an 
unclear statement.

Note that in some cases the last couple steps might seem unnecessary as 
control appears to be transferred to the local console.  The steps are 
usually required to prevent an error appearing when launching a program 
indicating that the system is shutting down or to prevent the password 
protected screensaver from invoking itself.  Also, too long a delay in the 
steps may allow the screensaver to lock the session.

Keys by OS:
(These steps will assume that an application has altered or new data such 
as text added to an unsaved notepad window for simplicity.)

Windows XP Professional
(1) CTRL-ALT-DEL
(2) Shutdown
(3) OK
(4) ESC
(5) Wait for the "End Program" dialog box to appear
(6) Select Cancel
(7) Cancel the save of changed data

Windows 2000 Professional Spk3
(1) CTRL-ALT-DEL
(2) Log Off
(3) Yes
(4) ESC
(5) Wait for the "End Program" dialog box to appear
(6) Select Cancel
(7) Cancel the save of changed data
(8) CTRL-ALT-DEL
(9) ESC

Windows NT 4.0 Spk6a
(1) CTRL-ALT-DEL
(2) Logout
(3) OK
(4) ESC
(6) Select Cancel
(7) Cancel the save of changed data
(8) CTRL-ALT-DEL
(9) ESC

