Message-ID: <33713abc04091413086995a797@mail.gmail.com>
From: stfunub at gmail.com (Andrew Smith)
Subject: Research Machines(RM) Networks / Setup

Research Machines (RM) are "The Leading Supplier of Software, Services
and Systems to UK Education". Mainly seen in High Schools in the UK.
The following was revealed to them well over 6 months ago. I received
no reply from my email.

a) Publicly Available Admin Tools
b) Publicly Writable Status Manager
c) .EXE Executions

a) The administration tools used to "monitor students while they work"
and that can also be used to control students' computers, modify
students' files and even change passwords are installed on every single
computer and can be executed by every single user. I've found this to
be true of around 200 computers (located in different rooms, installed
at different times) at my school. The program can be found in its
default location here:

C:\Program Files\Research Machines\RM Tutor 2\Controller\TeacherLaunch.exe

b) The 'RM Status Manager' is a script that allows you to view your
remaining "printer credits", remaining quota space, etc. This file is
simply an HTML/VBScript file located on every computer's hdd. It can be
accessed AND edited at its default location:

C:\RMExplorerURL\Status.htm

Obviously this has many security implications, especially if an
outdated version of Internet Explorer (which is used to view this
file) is installed.

c) Execution of .exe located from the user's "home directory" (N:) is
restricted by default. This can be defeated by using Windows XP's
zipping feature and adding the .exe file to a .zip file and THEN
opening the .zip file and running the .exe 'from' the .zip file. This
will cause Windows to extract the .exe file to a default temporary
directory; the default temporary directory is on C:! Which means we
have rights to execute it.
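
A defender-side check for items (a) and (b), as an added example that is not part of the original post: a PowerShell script that reads the ACLs on the two default paths quoted above and reports any broad principal that can execute the teacher console or modify the status page. The list of "broad" SIDs is an assumption; add the SID of the site's own student group.

```powershell
# Added audit example; not from the original post.
$sidType = [System.Security.Principal.SecurityIdentifier]
$fsr     = [System.Security.AccessControl.FileSystemRights]

# Paths are the defaults quoted in the post; Risky = rights that should be admin/teacher only.
$checks = @(
    [pscustomobject]@{
        Path  = 'C:\Program Files\Research Machines\RM Tutor 2\Controller\TeacherLaunch.exe'
        Risky = [int]$fsr::ExecuteFile
        Issue = 'broad principal can run the teacher console'
    }
    [pscustomobject]@{
        Path  = 'C:\RMExplorerURL\Status.htm'
        Risky = [int]('WriteData, AppendData, Delete, ChangePermissions, TakeOwnership' -as $fsr)
        Issue = 'broad principal can modify the status page'
    }
)

# Well-known SIDs that normally cover student logons (assumption: extend per site).
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$findings = foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) { continue }
    # Explicit and inherited ACEs, with identities returned as SIDs (locale independent).
    $rules = (Get-Acl -LiteralPath $c.Path).GetAccessRules($true, $true, $sidType)
    foreach ($sid in $broad.Keys) {
        $allow = 0; $deny = 0
        foreach ($r in ($rules | Where-Object { $_.IdentityReference.Value -eq $sid })) {
            if ($r.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$r.FileSystemRights }
            else                                  { $deny  = $deny  -bor [int]$r.FileSystemRights }
        }
        # Deny entries override Allow entries for the same principal.
        $hit = $allow -band (-bnot $deny) -band $c.Risky
        if ($hit) {
            [pscustomobject]@{
                Path = $c.Path; Principal = $broad[$sid]
                Rights = [string]($hit -as $fsr); Issue = $c.Issue
            }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

The check is per principal and does not resolve nested group membership, so an empty result does not prove that student accounts lack the rights.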

