The McAfee Labs Advanced Threat Research team recently investigated software installed on computers used in K-12 school districts.
Netop, the company behind Netop Vision Pro, a popular tool that lets teachers remotely access student computers, has fixed four security bugs in the platform.
These findings allow for elevation of privileges and ultimately remote code execution, which a malicious attacker on the same network could use to gain full control over students’ computers.
The research team has discovered four vulnerabilities, tracked as CVE-2021-27192, CVE-2021-27193, CVE-2021-27194, and CVE-2021-27195, that could be exploited by attackers for multiple malicious purposes, including taking over students’ computers.
To test the software, experts set up the Netop software in a normal configuration and environment on four virtual machines on a local network. The test environment was composed of three systems configured as students and only one as a teacher.
Researchers first observed (CVE-2021-27194) that all network traffic was unencrypted, with no option to turn encryption on during configuration. Even information normally considered sensitive, such as Windows credentials and screenshots, was sent in plaintext.
They also observed that, by default, a student connecting to a classroom immediately begins sending screen captures to the classroom’s teacher, which allows the teacher to monitor all students in real time. Since there is no encryption, these images are sent in the clear, and anyone on the local network could eavesdrop on them and view the contents of the students’ screens remotely.
The ability for an attacker to emulate a teacher and execute arbitrary commands on the students’ machines is the second vulnerability, CVE-2021-27195, filed as “CWE-863: Incorrect Authorization”.
When the teacher sends a command to the student, the client drops privileges to those of the logged-in student rather than keeping its original System privileges. This meant that an attacker wanting unrestricted access to the remote system could not simply replay normal traffic, but would instead have to modify each field in the traffic and observe the results.
The third issue, CVE-2021-27192, references “CWE-269: Incorrect Privilege Assignment”. A “Technical Support” button was found in the Netop “about” menu.
When the user clicks the support button, it opens Internet Explorer directly to a support web form. The problem is that privileges are never dropped: because the Netop student client itself runs as System, the IE process runs as System too.
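A defender can catch this class of privilege-assignment bug from endpoint telemetry: an interactive program such as a browser should never be running as SYSTEM on a workstation, whatever launched it. The following detection logic is an added example, not McAfee’s or Netop’s code. The event records are constructed to resemble the image, user and parent-image fields of a process-creation log; the parent name "student_client.exe" is a placeholder and not Netop’s actual binary name.

```python
"""Flag interactive programs (browsers) that run as SYSTEM.

Added example: scans constructed process-creation events for the pattern
described above, where a SYSTEM-level client launches Internet Explorer
without dropping privileges. Field names mirror typical process-creation
telemetry (image, user, parent image); the events below are constructed.
"""
from dataclasses import dataclass

# Interactive programs that have no business running as SYSTEM on a workstation.
INTERACTIVE_IMAGES = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

# Account names that denote the local SYSTEM account in common log formats.
SYSTEM_USERS = {"nt authority\\system", "system"}


@dataclass
class ProcessEvent:
    image: str         # full path of the newly created process
    user: str          # account the process runs as
    parent_image: str  # full path of the parent process


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system_interactive(event: ProcessEvent) -> bool:
    """True when an interactive image runs under the SYSTEM account."""
    return (basename(event.image) in INTERACTIVE_IMAGES
            and event.user.lower() in SYSTEM_USERS)


def find_system_browsers(events):
    """Return (image, parent_image) pairs for interactive programs running as SYSTEM.

    The parent is reported so an analyst can see which service launched the
    browser; in the case described above that would be the student client.
    """
    return [(basename(e.image), basename(e.parent_image))
            for e in events if is_system_interactive(e)]


# Constructed sample events: one hit, one benign browser launch, one benign
# SYSTEM service. "student_client.exe" is a placeholder parent name.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                 r"NT AUTHORITY\SYSTEM",
                 r"C:\Program Files\Vendor\student_client.exe"),
    ProcessEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                 r"LAB\student01",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"NT AUTHORITY\SYSTEM",
                 r"C:\Windows\System32\services.exe"),
]


if __name__ == "__main__":
    for image, parent in find_system_browsers(SAMPLE_EVENTS):
        print(f"ALERT: {image} running as SYSTEM, spawned by {parent}")
```

On the constructed events only the first record is flagged; the student's own IE session and the SYSTEM service host are ignored. In production the same rule would be fed from Sysmon event ID 1 or Windows Security event 4688, and the parent image is the field that points back to the offending client.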
An attacker on the same local network can remotely write, read, and delete files within the “work directory”. This ability to read and write files accounted for CVE-2021-27193, referencing “CWE-276: Incorrect Default Permissions”, which carries the highest CVSS score of the four at 9.5.
By reversing the MChat network traffic and analyzing the chat features, the experts discovered that it was possible to overwrite a file and execute it with System privileges.
The research team reported this research to Netop on December 11, 2020, and Netop was able to deliver an updated version in Netop Vision Pro version 9.7.2 in February of 2021, effectively patching many of the critical vulnerabilities.