[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Possible RDP vulnerability

To: <Full-Disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Possible RDP vulnerability
From: "Mr. Hinky Dink" <dink@xxxxxxxxxxxxxxx>
Date: Fri, 26 Mar 2010 05:57:21 -0400

There is a section in RCP-Tcp Properties on the server under "Environment" for 
"Do not allow an initial program to be launched.  Always show the desktop".

  ----- Original Message ----- 
  From: wicked clown 
  To: Full-Disclosure@xxxxxxxxxxxxxxxxx 
  Sent: Friday, March 26, 2010 5:04 AM
  Subject: [Full-disclosure] Possible RDP vulnerability

  Hi Guys,

  I think I possible may have found a vulnerability with using RDP / Terminal 
services on windows 2003. 

  If you lock down a server and only allow users who connect to your RDP 
connection to run certain applications, users can bypass this and run ANY 
application they want. You can do this by modifying the RDP profile / shortcut 
and add your application to the alternate shell and the shell working directory.

  When the user connects now to the RDP server the banned application will 
execute upon logging on even though the user isn’t allowed to execute the 
application if the user logs on normally. This doesn’t work with cmd.exe but I 
have been able to execute internet explorer, down a modified cmd version, 
modify the RDP profile to execute the new cmd and it works like a charm.

  I have only been able to tested this on windows 2003 using a local policy and 
works like a treat. Even in the wild! 

  I have done a quick basic video which can been seen here;

  http://www.tombstone-bbs.co.uk/v1d30z/rdp-hack2.swf

  Instead of modifying the RDP profile, I just added my application to the 
program tab.. I know the video is crappy but it’s just meant to give you an 
idea what I am talking about :)

  So in short, if anybody can access your server via RDP they are NOT 
restricted by the policy. I would be interested in any feed back about this 
possible exploit / vulnerability even if you don’t think it is.. or even better 
if someone knows how to defend againest it!! LOL! :)

  Cheers

  Wicked Clown.

------------------------------------------------------------------------------

  _______________________________________________
  Full-Disclosure - We believe in it.
  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
  Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Possible RDP vulnerability
  - From: wicked clown

References:
- [Full-disclosure] Possible RDP vulnerability
  - From: wicked clown

Prev by Date: [Full-disclosure] Possible RDP vulnerability
Next by Date: Re: [Full-disclosure] Possible RDP vulnerability
Previous by thread: [Full-disclosure] Possible RDP vulnerability
Next by thread: Re: [Full-disclosure] Possible RDP vulnerability
Index(es):
- Date
- Thread