LanSchool Keylogger Vulnerability

Henry Y, Aaron D, Thomas D

Update 2/2/2010

We finally had some time to work on this update. The new decryption tables are now in the uploader and are posted below. We now have two tables, one for 7.4.1.4 and one for older versions. Click the show table link above the table to change versions.

Update 1/15/2010

LanSchool released a patch in version 7.4.1.4 that changed the encryption slightly. So far, we have confirmed that they modified which values are mapped to which characters, but everything else seems to be the same. Thus, the table below is now incorrect for version 7.4.1.4, but the information should still be fine.

The network monitoring program LanSchool is often used to keep an eye on students, similar to other programs like Vision6 and SynchronEyes. It has features such as remote control (local user loses all control), task manager disabling, port 80 blocking, and keylogging. The keylogger, which stores its information on the computer from which the data is captured, is especially vulnerable to exploitation, as it may contain passwords and other sensitive data that people may have typed on the computer.

The LanSchool keylogger stores its data in a file called 'lskdata.bin', encrypted with a slightly modified substitution cipher. Every key can have one of four possible single-byte values, chosen by the byte's absolute position in the file, mod 4. For example, if the letter 'a' was encoded at position 739, its value would be 106, because this is the value for 'a' at position 3 (739 % 4 = 3). Clearly, by typing four consecutive characters of 'a' and reading the output, one would have enough information to consistently decode this letter. This technique was used to generate the table of character-value associations.

Reading in one of the files using these tables to automatically look up each character was very successful.
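The position-keyed lookup described above, as an added example that is not the authors' tool: it uses a few rows copied from the 7.4.1.4 table on this page and works only on constructed in-memory bytes. The function names are hypothetical; the last function shows that, for these rows, each position class differs from the ASCII code by one constant, so the scheme is a fixed repeating 4-byte XOR with no secret key.

```python
# Added example, not the authors' tool. Rows are copied from the page's
# 7.4.1.4 table: character -> stored byte for position % 4 = 0, 1, 2, 3.
TABLE = {
    "a": (41, 99, 128, 103),
    "b": (42, 96, 131, 100),
    "c": (43, 97, 130, 101),
    "s": (59, 113, 146, 117),
    " ": (104, 34, 193, 38),
    "A": (9, 67, 160, 71),
    "1": (121, 51, 208, 55),
}


def encode(text, table=TABLE, start=0):
    """Bytes as the scheme would store `text` beginning at absolute offset `start`."""
    return bytes(table[ch][(start + i) % 4] for i, ch in enumerate(text))


def decode(data, table=TABLE, start=0):
    """Reverse lookup keyed on absolute position mod 4; '?' marks unknown bytes."""
    reverse = [{row[k]: ch for ch, row in table.items()} for k in range(4)]
    return "".join(reverse[(start + i) % 4].get(b, "?") for i, b in enumerate(data))


def learn_row(observed, start=0):
    """Four consecutive stored bytes of one repeated key give that key's full row."""
    row = [None] * 4
    for i, b in enumerate(observed[:4]):
        row[(start + i) % 4] = b
    return tuple(row)


def column_constants(table=TABLE):
    """For each position class, the set of (ASCII code XOR stored byte) over all rows."""
    return [{ord(ch) ^ row[k] for ch, row in table.items()} for k in range(4)]


if __name__ == "__main__":
    sample = encode("abc A1s", start=739)  # constructed input; offset 739 is the text's example
    print(list(sample), "->", decode(sample, start=739))
    print("row for 'a':", learn_row(encode("aaaa", start=739), start=739))
    # A single value per column means the table is a fixed repeating 4-byte XOR.
    print("per-column XOR constants:", column_constants())
```

Because the mapping is fixed and depends only on file offset, the only real protection for the stored keystrokes is who can read the file, which is the exposure the article describes.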

If one holds down the shift key and presses multiple letters, LanSchool seems to only record the first letter as capitalized. This may be a bug in their code, or it may suggest a lack of complete understanding of the system, but this means that capital letters typed in succession may not be read correctly (e.g., "ABCdEF" might be read as "AbcdEf").

Further, LanSchool only stores the last 50,000 key presses. The information would have to be gathered and merged periodically to maintain a full record. However, to quote the LanSchool website (lanschool.com), this is “weeks of keystrokes.”

LanSchool Version 7.4.1.4

Letter     POS % 4 = 0   POS % 4 = 1   POS % 4 = 2   POS % 4 = 3
a          41            99            128           103
b          42            96            131           100
c          43            97            130           101
d          44            102           133           98
e          45            103           132           99
f          46            100           135           96
g          47            101           134           97
h          32            106           137           110
i          33            107           136           111
j          34            104           139           108
k          35            105           138           109
l          36            110           141           106
m          37            111           140           107
n          38            108           143           104
o          39            109           142           105
p          56            114           145           118
q          57            115           144           119
r          58            112           147           116
s          59            113           146           117
t          60            118           149           114
u          61            119           148           115
v          62            116           151           112
w          63            117           150           113
x          48            122           153           126
y          49            123           152           127
z          50            120           155           124
0          120           50            209           54
1          121           51            208           55
2          122           48            211           52
3          123           49            210           53
4          124           54            213           50
5          125           55            212           51
6          126           52            215           48
7          127           53            214           49
8          112           58            217           62
9          113           59            216           63
(space)    104           34            193           38
[          19            89            186           93
]          21            95            188           91
\          20            94            189           90
;          115           57            218           61
'          111           37            198           33
,          100           46            205           42
.          102           44            207           40
/          103           45            206           41
A          9             67            160           71
B          10            64            163           68
C          11            65            162           69
D          12            70            165           66
E          13            71            164           67
F          14            68            167           64
G          15            69            166           65
H          0             74            169           78
I          1             75            168           79
J          2             72            171           76
K          3             73            170           77
L          4             78            173           74
M          5             79            172           75
N          6             76            175           72
O          7             77            174           73
P          24            82            177           86
Q          25            83            176           87
R          26            80            179           84
S          27            81            178           85
T          28            86            181           82
U          29            87            180           83
V          30            84            183           80
W          31            85            182           81
X          16            90            185           94
Y          17            91            184           95
Z          18            88            187           92
!          105           35            192           39
@          8             66            161           70
#          107           33            194           37
$          108           38            197           34
%          109           39            196           35
^          22            92            191           88
&          110           36            199           32
*          98            40            203           44
(          96            42            201           46
)          97            43            200           47
_          23            93            190           89
+          99            41            202           45
-          101           47            204           43
=          117           63            220           59
{          51            121           154           125
}          53            127           156           123
|          52            126           157           122
:          114           56            219           60
"          106           32            195           36
<          116           62            221           58
>          118           60            223           56
?          119           61            222           57