Research Machines (RM) are "The Leading Supplier of Software, Services and Systems to UK Education". Mainly seen in High Schools in the UK. The following was revealed to them well over 6 months ago. I received no reply to my email.

a) Publicly Available Admin Tools
b) Publicly Writable Status Manager
c) .EXE Executions

a) The administration tools used to "monitor students while they work", which can also be used to control students' computers, modify students' files and even change passwords, are installed on every single computer and can be executed by every single user. I've found this to be true of around 200 computers (located in different rooms, installed at different times) at my school. The program can be found in its default location here:

C:\Program Files\Research Machines\RM Tutor 2\Controller\TeacherLaunch.exe

b) The 'RM Status Manager' is a script that allows you to view your remaining "printer credits", remaining quota space, etc. This file is simply an HTML/VBScript file located on every computer's hard disk. It can be accessed AND edited at its default location:

C:\RMExplorerURL\Status.htm

Obviously this has many security implications, especially if an outdated version of Internet Explorer (which is used to view this file) is installed.

c) Execution of .exe files located in the user's "home directory" (N:) is restricted by default. This can be defeated by using Windows XP's zipping feature: add the .exe file to a .zip file, THEN open the .zip file and run the .exe 'from' the .zip file. This will cause Windows to extract the .exe file to a default temporary directory, and the default temporary directory is on C:! Which means we have rights to execute it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
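
A workstation can be checked for findings (a) and (b) by reading the ACLs on the two default paths given above and reporting any Allow entry that gives a broad group execute or write access. This PowerShell script is an added example, not part of the original post or of RM's software; the list of broad groups (English names) and the domain placeholder are assumptions to adjust per site.

```powershell
# Added audit example. Paths are the defaults quoted in the post above.
# Assumption: these are the broad principals of interest on an English-language
# install; add site groups such as 'YOURDOMAIN\Domain Users' (placeholder).
$BroadGroups = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

$Checks = @(
    @{ Path  = 'C:\Program Files\Research Machines\RM Tutor 2\Controller\TeacherLaunch.exe'
       Risky = 'ExecuteFile'
       Issue = '(a) admin tool executable by ordinary users' },
    @{ Path  = 'C:\RMExplorerURL\Status.htm'
       Risky = 'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
       Issue = '(b) status page writable by ordinary users' }
)

function Get-BroadAccess {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Risky,  # string is parsed as flags
        [string]$Issue
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }   # file not present on this machine
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Only Allow entries are reported. A Deny entry elsewhere in the ACL may
        # still block access, so each hit is a lead to verify, not a verdict.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
        # Composite rights (ReadAndExecute, Modify, FullControl) contain the risky bits.
        $granted = [int]$ace.FileSystemRights -band [int]$Risky
        if ($granted -ne 0) {
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Issue     = $Issue
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = foreach ($c in $Checks) { Get-BroadAccess @c }
if ($findings) { $findings | Format-List }
else { 'No broad Allow entries found on the checked paths.' }
```

An `Inherited` value of True means the grant comes from a parent folder, so the fix belongs on that folder's ACL and not on the file alone.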