Netop, the company behind a popular software tool designed to let teachers remotely access student computers, has fixed four security bugs in its platform.
Researchers said that the critical vulnerabilities in the company’s Netop Vision Pro system could allow attackers to hijack school networks, deliver malware, determine IP addresses of students, eavesdrop and more.
The flaws were disclosed to Netop on Dec. 11. By late February, the company had issued an update addressing several of the concerns (in Netop Vision Pro version 9.7.2), said researchers.
“In Netop Vision Pro 9.7.2, released in late February, Netop has fixed the local privilege escalations, encrypted formerly plaintext Windows credentials, and mitigated the arbitrary read/writes on the remote filesystem within the MChat client,” according to a Sunday report by the McAfee Labs Advanced Threat Research team, which discovered the flaws.
Unencrypted Netop Network Traffic
The first issue discovered (“CWE-319: Cleartext Transmission of Sensitive Information”) was unencrypted network traffic, said researchers. They added that part of the service included a constant stream of screenshots of the student computer to the teacher – opening up potential privacy issues.
“Since there is no encryption, these images were sent in the clear,” the report said. “Anyone on the local network could eavesdrop on these images and view the contents of the students’ screens remotely. A new screenshot was sent every few seconds, providing the teacher and any eavesdroppers a near-real time stream of each student’s computer.”
Researchers were able to grab the screen captures by putting a network interface card into promiscuous mode and running a network monitoring tool that extracts image files from traffic, such as Driftnet. The one caveat with this attack is that any threat actor who wanted to monitor these screenshots would need access to the same local network, they said.
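The carving step itself is simple enough to show. The block below is an added example, not Netop's or McAfee's code: it applies the principle Driftnet uses on a promiscuous-mode capture, scanning raw payload bytes for image file signatures, but runs offline over constructed packet payloads (hypothetical framing bytes around signature-correct PNG and JPEG bodies) rather than a live capture. It also handles the case the article implies, a screenshot that straddles a packet boundary, by reassembling the stream before carving.

```python
"""Carve image files out of cleartext network payloads.

Added example, not Netop's or McAfee's code. With no encryption on the wire,
screenshots are recognisable purely by their file signatures in the raw bytes,
which is all a tool like Driftnet needs. The packets below are constructed for
this example: made-up protocol framing around minimal PNG/JPEG bodies.
"""
from typing import Iterable, List, Tuple

# Start and end signatures of the formats a screenshot stream would carry.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve_images(payload: bytes) -> List[Tuple[str, bytes]]:
    """Return (format, image_bytes) for every complete image in payload, in stream order.

    An image whose end marker has not arrived yet is skipped; the caller can
    append more packets and try again (see carve_from_packets).
    """
    hits = []
    for fmt, (start_sig, end_sig) in SIGNATURES.items():
        pos = 0
        while (start := payload.find(start_sig, pos)) >= 0:
            end = payload.find(end_sig, start + len(start_sig))
            if end < 0:
                break  # truncated: the rest of this image is in a later packet
            end += len(end_sig)
            hits.append((start, fmt, payload[start:end]))
            pos = end
    hits.sort()  # order by offset so the output follows the stream
    return [(fmt, data) for _, fmt, data in hits]


def carve_from_packets(packets: Iterable[bytes]) -> List[Tuple[str, bytes]]:
    """Reassemble a TCP stream's payloads in order and carve the whole buffer."""
    return carve_images(b"".join(packets))


# Constructed sample: signature-correct (not viewable) PNG and JPEG bodies,
# wrapped in hypothetical frame headers and split so the PNG crosses a packet
# boundary, as a screenshot larger than one segment would.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + b"\xff\xd9"
SAMPLE_PACKETS = [
    b"\x01\x00HDR" + SAMPLE_PNG[:12],   # frame header + first slice of the PNG
    SAMPLE_PNG[12:] + b"\x02\x00HDR",   # rest of the PNG + next frame header
    SAMPLE_JPEG,
]

if __name__ == "__main__":
    # Carving the first packet alone yields nothing: the PNG is incomplete.
    print("first packet only:", carve_images(SAMPLE_PACKETS[0]))
    for fmt, data in carve_from_packets(SAMPLE_PACKETS):
        print(f"{fmt}: {len(data)} bytes")
```

The signature scan is deliberately naive (a byte sequence equal to a JPEG end marker inside compressed data would cut an image short), which is also why Driftnet-style capture works so well against a stream like this: no parsing of the vendor protocol is needed at all. The same scan run against traffic that has been encrypted finds nothing, which is the check a deployment should pass once Netop ships the encryption update mentioned later in the article.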
Reverse Engineering the Netop Network
Another bug (“CWE-863: Incorrect Authorization”) stemmed from the ability of an attacker to emulate a teacher’s workstation. Researchers reverse engineered the User Datagram Protocol (UDP) messages that a teacher workstation broadcasts to announce where the teacher is on the network. They said they then used a “fuzzer,” an automated tester that feeds random or mutated data into an input and watches what happens next, against those messages.
“After a few days of fuzzing with UDP packets, we were able to identify two things,” the report said. “First, we observed a lack of length checks on strings and second, random values sent by the fuzzer were being written directly to the Windows registry.” The report also found the application never crashed or allowed them to overwrite any important data.
Researchers also found that after the first UDP message was sent, all subsequent messages used Transmission Control Protocol (TCP), which allowed the teacher to keep the socket open for the rest of the class.
Further evaluation revealed that three authentication codes, which the researchers called “tokens,” controlled access between student and teacher. Teachers and students were each issued a static, unique token. A third token was also required; their analysis revealed that its value fell within the “range of memory being allocated to the heap,” making it predictable and therefore exploitable by attackers.
From there, researchers had what they needed to create their own teacher workstation, meaning an “attacker could emulate a teacher and execute arbitrary commands,” the report explained. Attackers armed with teacher access would be able to launch applications on the student machines and more, said researchers.
Privileges & Permissions Bugs
The researchers also found that privileges weren’t being dropped: the Netop process runs with the System privileges assigned when the software was installed, and a “ShellExecute” code path launched other programs without reducing those privileges first.
“We found four cases where the privileges were not reduced, however none of them were accessible over the network,” the researchers said. “Regardless, they still could potentially be useful, so we investigated each.” This bug was referenced as “CWE-269: Incorrect Privilege Assignment.”
The first occurred when the application opened Internet Explorer with a prefilled URL; the remaining three involved plugins that bypassed file filters in the “Save As,” “Screen Shot Viewer” and the About page’s “System Information” windows.
“We used an old technique which uses the ‘Save as’ button to navigate to the folder where cmd.exe is located and execute it,” the researchers explained. “The resulting CMD process inherits the System privileges of the parent process, giving the user a System-level shell.”
The team was able to use this attack to “screen blank students,” restart the Netop application, block internet access and more.
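The tell-tale artifact of the “Save as” escalation is a shell that inherits System from a parent that has no business launching one. The block below is an added detection example, not Netop's or McAfee's code, run over constructed Sysmon-style process-creation records (JSON, one per line); the parent image name “NetopVision.exe” is hypothetical, since the report excerpt above does not name the process. The rule is broader than the Netop case: any cmd.exe or PowerShell running as SYSTEM whose parent is not one of Windows' own service hosts is flagged.

```python
"""Flag a System-level shell spawned from an interactive parent process.

Added detection example, not Netop's or McAfee's code. Input is a log of
Sysmon-style process-creation events (EventID 1) as JSON lines; the sample
below is constructed for this example and the Netop process name in it is
a hypothetical placeholder, since the article does not name the binary.
"""
import json
from typing import Dict, Iterable, List

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Parents that legitimately launch SYSTEM shells (services, scheduled tasks).
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe", "taskeng.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system_shell_escalation(event: Dict[str, str]) -> bool:
    """True when a shell runs as SYSTEM under a parent that is not a service host.

    This is exactly the shape of the 'Save as' trick: the dialog belongs to a
    SYSTEM process, and the cmd.exe it launches inherits that token.
    """
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    user = event.get("User", "")
    return (image in SHELLS
            and user.upper() == SYSTEM_USER
            and parent not in EXPECTED_SYSTEM_PARENTS)


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the process-creation events that match the escalation rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole scan
        if event.get("EventID") == 1 and is_system_shell_escalation(event):
            hits.append(event)
    return hits


# Constructed sample log. Line 1 is the escalation (hypothetical parent name);
# line 2 is a scheduled task, line 3 an ordinary user shell, line 4 a SYSTEM
# child that is not a shell, line 5 deliberately malformed.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Netop\\NetopVision.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "cmd.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "cmd.exe /c backup.bat"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "LAB\\student", "CommandLine": "cmd.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Program Files\\Netop\\NetopVision.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "notepad.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage":
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print("SYSTEM shell from", hit["ParentImage"], "->", hit["CommandLine"])
```

On a real host the same rule fires on any service that forgets to drop privileges before showing a file dialog, not only Netop, so expect to tune EXPECTED_SYSTEM_PARENTS for legitimate management agents in the environment.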
Hijacking the Chat Function
Finally, researchers were able to hijack the chat function to send text or files to student computers, due to a bug (“CWE-276: Incorrect Default Permissions”) that scored 9.5 out of 10 on the CVSS scale, “the highest of the bunch,” according to the report.
“Delving deeper into the functionality of the chat application, we found that the teacher also has the ability to read files in the student’s ‘work directory’ and delete files within it,” the report said. “Due to our findings demonstrated with CVE-2021-27195, we can leverage our emulation code as an attacker to write, read, and delete files within this ‘work directory’ from a remote attack vector on the same local network.”
The student application is always running, assumes that any device on the network could be a teacher, and announces its own location to every other host. That design makes the system easy for threat actors to hijack for any number of purposes, the researchers explained.
“An attacker doesn’t have to compromise the school network; all they need is to find any network where this software is accessible, such as a library, coffee shop, or home network,” the report said. “It doesn’t matter where one of these student’s PCs gets compromised as a well-designed malware could lay dormant and scan each network the infected PC connects to, until it finds other vulnerable instances of Netop Vision Pro to further propagate the infection.”
Cyberattacks Rampant on Education Sector
As service providers across industries face the reality that security needs to be one of the primary drivers behind their business, having a process in place to respond to and communicate with ethical security researchers, and then ship appropriate fixes, is becoming increasingly crucial. Education in particular is being targeted, most notably by ransomware, according to a December statement released by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). That CISA/FBI report said ransomware attacks on K-12 schools made up 57 percent of all ransomware incidents reported in August and September of last year.
“Entire industries moved from physical to digital operations in 2020 and education was no exception,” Yaniv Bar-Dayan, CEO at Vulcan Cyber, told Threatpost. “School districts took a hard pivot on their approach to instructor-led learning as well as the security of teachers and students. With teachers using more software than ever, and software the most vulnerable it has ever been, IT security teams are playing a game of vulnerability whack-a-mole to deliver a secure online learning experience. This isn’t easy without the ability to prioritize, orchestrate, automate and measure remediation campaigns and outcomes.”
Just last month, the FBI sent a follow-up “Flash” alert to the security community that ransomware PYSA is pummeling the education sector, including higher education, K-12 education and seminaries.
The Netop Response
For its part, Netop has applied fixes for everything reported by McAfee except network encryption, which is still in the works.
“The network traffic is still unencrypted, including the screenshots of the student computers but Netop has assured us it is working on implementing encryption on all network traffic for a future update,” researchers said.
That said, researchers praised Netop’s quick response time to the initial security report: “We’d like to recognize Netop’s outstanding response and rapid development and release of a more secure software version and encourage industry vendors to take note of this as a standard for responding to responsible disclosures from industry researchers,” they said.