Re: NetMeeting 3.01 Local RDS Session Hijacking

From: probertsat_private
Date: Thu Sep 19 2002 - 21:47:19 PDT


    
    In-Reply-To: <PGEPILBOHHKBMPFBEKCIOEFGCLAA.probertsat_private>
    
    To clarify the initial post and different key sequences:
    
    When the NetMeeting password protected screensaver is bypassed and control 
    of the local system is taken, the local session hijacker gains the rights 
    of the local logged in user.  In most cases this is administrator as 
    administrator rights are required to connect to a remote desktop session 
    and a remote user often uses the same account locally.  Additionally, any 
    extra rights or remote administration connections currently associated 
    with the local session such as NetWare connections or other client 
    connections to applications such as IDS management systems would be 
    transferred to the local console hijacker.  The initial post stated that 
    rights of the 'remote user' would be gained and that may have been an 
    unclear statement.
    
    Note that in some cases the last couple steps might seem unnecessary as 
    control appears to be transferred to the local console.  The steps are 
    usually required to prevent an error appearing when launching a program 
    indicating that the system is shutting down or to prevent the password 
    protected screensaver from invoking itself.  Also, too long a delay in the 
    steps may allow the screensaver to lock the session.
    
    Keys by OS:
    (These steps will assume that an application has altered or new data such 
    as text added to an unsaved notepad window for simplicity.)
    
    Windows XP Professional
    (1) CTRL-ALT-DEL
    (2) Shutdown
    (3) OK
    (4) ESC
    (5) Wait for the "End Program" dialog box to appear
    (6) Select Cancel
    (7) Cancel the save of changed data
    
    Windows 2000 Professional Spk3
    (1) CTRL-ALT-DEL
    (2) Log Off
    (3) Yes
    (4) ESC
    (5) Wait for the "End Program" dialog box to appear
    (6) Select Cancel
    (7) Cancel the save of changed data
    (8) CTRL-ALT-DEL
    (9) ESC
    
    Windows NT 4.0 Spk6a
    (1) CTRL-ALT-DEL
    (2) Logout
    (3) OK
    (4) ESC
    (6) Select Cancel
    (7) Cancel the save of changed data
    (8) CTRL-ALT-DEL
    (9) ESC
    


