[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Possible RDP vulnerability
- To: wicked clown <wickedclownuk@xxxxxxxxxxxxxx>, "Full-Disclosure@xxxxxxxxxxxxxxxxx" <Full-Disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Possible RDP vulnerability
- From: "Thor (Hammer of God)" <Thor@xxxxxxxxxxxxxxx>
- Date: Fri, 26 Mar 2010 14:13:32 +0000
There's nothing "scary" about it. I believe you are incorrectly asserting
that the inclusion of the "start the following program on connection" has
something to do with "locking down the server" and/or "only allow(ing) users
who connect to your server to run certain applications." I would suggest that
you study up on what RDP is and how it works before posting things like this.
Consider "locking down RDP" a process similar to "locking down a local host."
Use permissions and other host/OS based controls to secure what a user can and
can't do on a host.
t
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of wicked clown
Sent: Friday, March 26, 2010 3:33 AM
To: Full-Disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Possible RDP vulnerability
Cheers for that,
I take it back that I haven't found an vulnerability :(, but by default this
isn't enabled which is scary !!
On Fri, Mar 26, 2010 at 9:57 AM, Mr. Hinky Dink
<dink@xxxxxxxxxxxxxxx<mailto:dink@xxxxxxxxxxxxxxx>> wrote:
There is a section in RCP-Tcp Properties on the server under "Environment" for
"Do not allow an initial program to be launched. Always show the desktop".
----- Original Message -----
From: wicked clown<mailto:wickedclownuk@xxxxxxxxxxxxxx>
To: Full-Disclosure@xxxxxxxxxxxxxxxxx<mailto:Full-Disclosure@xxxxxxxxxxxxxxxxx>
Sent: Friday, March 26, 2010 5:04 AM
Subject: [Full-disclosure] Possible RDP vulnerability
Hi Guys,
I think I possible may have found a vulnerability with using RDP / Terminal
services on windows 2003.
If you lock down a server and only allow users who connect to your RDP
connection to run certain applications, users can bypass this and run ANY
application they want. You can do this by modifying the RDP profile / shortcut
and add your application to the alternate shell and the shell working directory.
When the user connects now to the RDP server the banned application will
execute upon logging on even though the user isn't allowed to execute the
application if the user logs on normally. This doesn't work with cmd.exe but I
have been able to execute internet explorer, down a modified cmd version,
modify the RDP profile to execute the new cmd and it works like a charm.
I have only been able to tested this on windows 2003 using a local policy and
works like a treat. Even in the wild!
I have done a quick basic video which can been seen here;
http://www.tombstone-bbs.co.uk/v1d30z/rdp-hack2.swf
Instead of modifying the RDP profile, I just added my application to the
program tab.. I know the video is crappy but it's just meant to give you an
idea what I am talking about :)
So in short, if anybody can access your server via RDP they are NOT restricted
by the policy. I would be interested in any feed back about this possible
exploit / vulnerability even if you don't think it is.. or even better if
someone knows how to defend againest it!! LOL! :)
Cheers
Wicked Clown.
________________________________
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/