From: stfunub at gmail.com (Andrew Smith)
Subject: Research Machines(RM) Networks / Setup

Research Machines (RM) are "The Leading Supplier of Software, Services
and Systems to UK Education". Mainly seen in High Schools in the UK.
The following was revealed too them well over 6 months ago. I received
no reply from my email.

a) Publicly Availiable Admin Tools
b) Publicily Writable Status Manager
c) .EXE Executions

a) The administration tools used to "monitor students while they work"
and that can also be used to control student's computers, modify
student's files and even change passwords is installed on every single
computer and can be executed by every single user. I've found this to
be true of around 200 computers (located in different rooms, installed
at different times) at my school. The program can be found in its
default location here:

C:\Program Files\Research Machines\RM Tutor 2\Controller\TeacherLaunch.exe

b) The 'RM Status Manager' is a script that allows you to view your
remaining "printer credits", remaining quota space, etc. This file is
simply a html/vbscript file located on every computer's hdd. It can be
accessed AND edited at its default location:

C:\RMExplorerURL\Status.htm

Obviously this has many security implications, especially if an
outdated version of Internet Explorer (which is used to view this
file) is installed.

c) Execution of .exe located from the user's "home directory" (N:) is
restricted by default. This can be defeated by using Windows XP's
zipping feature and adding the .exe file to a .zip file and THEN
opening the .zip file and running the .exe 'from' the .zip file. This
will cause windows the extract the .exe file to a default temporary
directory, the default temporary directory is on C: ! Which means we
have rights execute it.

Powered by blists - more mailing lists