[22606] in bugtraq
NetOP School Admin Vulnerability for Windows 2000 Terminal Services and NT4
daemon@ATHENA.MIT.EDU (Jesse Smythe)
Tue Sep 11 14:01:47 2001
Date: 11 Sep 2001 02:11:05 -0000
Message-ID: <20010911021105.15605.qmail@securityfocus.com>
From: Jesse Smythe <trick0rdaddy@hotmail.com>
To: bugtraq@securityfocus.com
NetOp School, a program for screen broadcast and
remote
control of Windows 3.1x, Windows 9x, Windows NT
and Windows 2000 PCs
(including support for Windows 2000 Terminal
Services and NT4
Terminal Server Edition) across NetBIOS, IPX and
TCP/IP.
The problem arises in the way that netOP handles no
authorised users. When netop school is installed on
a local area network, Full control of the network and
all work stations can be taken.
The method is as follows...
By default when a user logs into a workstation the
student version of netop is run. If a user (student)
attempts to execute the admin version of NetOP then
the required password dialog will appear and the user
will need to know that password if they wish to run
the program. The flaw is in the way the program
reacts when the student version isnt running. For
example a student can use any type of task manager
to kill the student version and when he or she goes to
open the admin version all security checks and
password dialogs are bypassed.
This gives the student or non-authorised user full
access to any workstation loged in to the network. It
also allows users to "spy" on anybody in the network.
This has huge implications for System Administrators
who need to protect data, and for students and
teachers that require privacy.
This hole has been tested on the Latest version,
NetOp School, version 1.5
Regards Jesse Smythe
