McAfee discovered multiple security vulnerabilities in the Netop Vision Pro popular distance learning software which is used by several teachers to control remote learning sessions.
The distance learning software implements multiple features, including viewing student screens, chat functions, and freezing student screens.
McAfee’s Advanced Threat Research (ATR) team has discovered four vulnerabilities, tracked CVE-2021-27192, CVE-2021-27193, CVE-2021-27194, and CVE-2021-27195, that could be exploited by attackers for multiple malicious purposes, including taking over students’ computers.
“Our research into this software led to the discovery of four previously unreported critical issues, identified by CVE-2021-27192, CVE-2021-27193, CVE-2021-27194 and CVE-2021-27195. These findings allow for elevation of privileges and ultimately remote code execution, which could be used by a malicious attacker, within the same network, to gain full control over students’ computers.” reads the post published by McAfee.
To test the software, experts set up the Netop software in a normal configuration and environment on four virtual machines on a local network. The test environment was composed of three systems configured as students and only one as a teacher.
The first issue that emerged is that all network traffic was unencrypted and there was no option to turn it on. Experts also noticed that when students connect to the classroom they would unknowingly begin sending screenshots to the teacher.
Experts were also able to eavesdrop and modify traffic generated when a teacher starts a session. The researchers were able to modify the data to masquerade as the teacher host, perform local elevation of privilege (LPE) and achieve System privileges.
Reversing the MChat network traffic and analyzing the Chat features experts discovered that it was possible to overwrite a file and execute it with System privileges.
“With the successful MChat handshake complete we needed to send a packet that would change the “work directory” to that of our choosing. Figure 21 shows the packet as a Scapy layer used to change the work directory on the student’s PC.” continues the report. “The Netop plugin directory was a perfect target directory to change to since anything executed from this directory would be executed as System.”
Experts also discovered that Netop Vision Pro student profiles also broadcast their presence on the network every few seconds. This mechanism was implemented to search techers on every connected network, but open the doors to an attack to an entire school system.
Experts pointed out that attackers could chain these issues to get remote code execution with System privileges from any device on the local network.
“The largest impact being remote code execution of arbitrary code with System privileges from any device on the local network. This scenario has the potential to be wormable, meaning that the arbitrary binary that we run could be designed to seek out other devices and further the spread.” concludes the report. “In addition, if the “Open Enrollment” option for a classroom is configured, the Netop Vision Pro student client broadcasts its presence on the network every few seconds.”
The experts privately disclosed the flaws to the vendor on December 11, some of which were addressed with the release of the software version 9.7.2. Addressed flaws are the LPE issues and the encryption of credentials.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, distance learning software)