Re: [lists] [Full-Disclosure] Terminal Server vulnerabilities

[Steve Tornio <swtornio@xxxxxxx>]

On Jan 25, 2005, at 2:38 PM, Curt Purdy wrote:

> Daniel Sichel wrote:
> <snip>
> > Naturally  I
> > don't like this answer because of horror stories I have heard
> > about Terminal server. They claim there are no unfixed
> > vulnerabilities to Terminal Server on Windows Server 2000
> > Service Pack 4.
>
> The problem with terminal server is not any vulnerablities that can be
> exploited, but the fact that administrator can be bruteforced (6 
> attempts
> followed by reconnect) and that it is screaming its existence on port 
> 3889.
> If you use it, definitely change the port in the registry.

Of course, one of the very first things you should do on a Windows box 
is rename the administrator account, so this kind of blind 
brute-forcing is not possible.

Also, the problem you describe can be exacerbated in that administrator 
can be brute-forced without creating a log entry, by attempting 5 
logons and disconnecting before Windows disconnects and logs after the 
sixth failure.  This was covered in a talk at Black Hat 2003, when Ryan 
Russell and Tim Mullens released TSGrinder.  I don't know if they 
continued work on it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html