Security tool report MeshCentralRouter is monitring keyboard

Question

Security tool report MeshCentralRouter is monitring keyboard

Closed this issue 4 years ago · 9 comments

Thanks for your excellent work and bring MeshCentralRouter to another level after introduced "Remote Desktop" and "File Manager", which make MeshCentralRouter not only a route tool but a semi MeshCentral client software.

One thing I noticed after I started to use the version with "Remote Desktop" and "File manager" function, some time I got message from my security tool that MeshCentralRouter is monioring the key press, which I didn't get this kind of alert before.
I'm not sure if that key hook is required for cerntain feature, but even I only use the route function that key hook alert still shows up.

Just woud like to check with you if it's global key hook accross programs, or only applies to MeshCentralRouter.
If it's only key hook for MeshCentralRouter only, it's not a problem.
If it's global key hook accross for all programs, it might be good to only start global key hook when needed for certain feature to have less security concern. E.g. if gobal key hook is only required by "Remote Desktop" and not others function(eg. route), the global key hook should be activated when started "Remote Desktop".
Hope it make sense.

Answer 1 · 2020-11-16T01:45:05.000Z

Arg. It's probably because of this commit. Basically, this person wanted the windows key to work in the remote desktop viewer that is built into MeshCentral Router. The way the windows key is trapped uses a technique that will probably not make your security software happy. I can take a look at making this feature optional so that if you don't use the remote desktop feature's window key trapping, you can not use it.

Answer 2 · 2020-11-18T21:16:58.000Z

@Ylianst I can handle that. I'll have something here soon.

Answer 3 · 2020-11-18T21:22:41.000Z

@maccn what software are you using I would like to test fixes as I work on it

Answer 4 · 2020-11-19T00:06:51.000Z

@Ylianst what I will do is I will extract it out into the kvm window, and have a check that will check to see if the "experimental" feature (may make your av mad) enabled

Answer 5 · 2020-11-21T01:09:44.000Z

Will have tomorrow night migrane tonight

Answer 6 · 2020-11-27T22:25:31.000Z

Thanks @cookta2012 for the PR. Not sure how it will fix this (??) but changes will be in MeshCentral v0.7.4.

Answer 7 · 2020-11-27T22:40:51.000Z

@Yilanst The actual hook was being registered at startup, so it was constantly listening to the keyboard and just ignoring what is not needed. Now the new code only registers a keyboard hook when specifically allowed on a per remote desktop basis. before the hook was when the main form was open. now it registers the hook (and the callback) at the same time when a remote desktop window is opened if and only if the keyboard hook is desired. so the theory is it should not be "oh it is listening all the time" only when in use. Via remote desktop. The two check boxes i hope are self explanatory tho. the bottom one totally switches to the hook for all input if people with actual unicode input schemes (arabic) (script inputs) have a problem I may have to look at it again but it should work. As far as the first checkbox it is your hybrid approach. Whatever you do not set as handled, it will take and push that over the connection to the remote computer.

…

On Fri, Nov 27, 2020 at 4:25 PM Ylian Saint-Hilaire < ***@***.***> wrote: Thanks @cookta2012 <https://github.com/cookta2012> for the PR. Not sure how it will fix this (??) but changes will be in MeshCentral v0.7.4. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#13 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAJZSOS466L3UFR42UNIOHLSSAROPANCNFSM4TQAPIXA> .

Answer 8 · 2020-11-27T23:13:28.000Z

@Ylianst see above

Answer 9 · 2020-11-29T20:05:27.000Z

Oh! I get it now. I reviewed the code and it looked good, but what I missed is that you added the keyboard settings in the settings dialog for the port mappings. I changed it now so it's in the "Device Settings" dialog in it's own section.

This said, it should really be something you set in the "Remote Desktop Settings" dialog in the remote desktop viewer itself...

This is the obvious place one would look for this. Ideally, it would require that the keyboard hooking change in the middle of a desktop session.