lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 11 Oct 2007 01:24:48 +0100
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: "Steve Shockley" <steve.shockley@...ckley.net>
Cc: bugtraq@...urityfocus.com
Subject: Re: Remote Desktop Command Fixation Attacks

Steve,

try to email someone from your company a batch file. i am sure that
that will fail, mainly because you realize that it is a security risk.
right? now try to email a .rdp or .ica file. it works 99% of all the
time.

second, please read the article. :) no offense, but you are completely
missing the point here. 3rd, users does not need to have admin rights,
these rights can be obtained with privilege escalations exercise. this
is not A to Z attack. you are missing all other letters in between.

this is just my humble opinion.

cheers,
pdp

On 10/10/07, Steve Shockley <steve.shockley@...ckley.net> wrote:
> pdp (architect) wrote:
> > The attack is rather simple. All the bad guys have to do is to compose
> > a malicious RDP (for Windows Terminal Services) or ICA (for CITRIX)
> > file and send it to the victim. The victim is persuaded to open the
> > file by double clicking on it. When the connection is established, the
> > user will enter their credentials to login and as such let the hackers
> > in. Vicious!
>
> So, "all you have to do" is persuade the user to run an attachment and
> type in credentials.  Wouldn't it be simpler to just email the user a
> batch file and have them run it?  Why not just use the same message from
> "Tim from Tech Department" and substitute a web page for the RDP file?
>
> It's not clear from your article, but I assume you're having the user
> connect to their normal Citrix or TS farm to run the program.  First,
> why in the world would you give users administrative rights on your
> servers?  Secondly, why wouldn't you use software restriction policies
> to whitelist only allowed apps on your server?
>
>  > I will show you how easy it is to compromise a well protected Windows
> Terminal or CITRIX server
>
> No, you showed how to compromise a poorly-configured TS or Citrix server.
>
>  > Security in depth does not exist!
>
> Sounds more like shallow configurations.
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ