lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 26 Mar 2010 10:32:43 +0000
From: wicked clown <wickedclownuk@...glemail.com>
To: Full-Disclosure@...ts.grok.org.uk
Subject: Re: Possible RDP vulnerability

Cheers for that,

I take it back that I haven't found an vulnerability :(, but by default this
isn't enabled which is scary !!



On Fri, Mar 26, 2010 at 9:57 AM, Mr. Hinky Dink <dink@...inkydink.com>wrote:

>  There is a section in RCP-Tcp Properties on the server under
> "Environment" for "Do not allow an initial program to be launched.  Always
> show the desktop".
>
>
> ----- Original Message -----
> *From:* wicked clown <wickedclownuk@...glemail.com>
> *To:* Full-Disclosure@...ts.grok.org.uk
> *Sent:* Friday, March 26, 2010 5:04 AM
> *Subject:* [Full-disclosure] Possible RDP vulnerability
>
>  Hi Guys,
>
>
>
> I think I possible may have found a vulnerability with using RDP / Terminal
> services on windows 2003.
>
>
>
> If you lock down a server and only allow users who connect to your RDP
> connection to run certain applications, users can bypass this and run ANY
> application they want. You can do this by modifying the RDP profile /
> shortcut and add your application to the alternate shell and the shell
> working directory.
>
>
>
> When the user connects now to the RDP server the banned application will
> execute upon logging on even though the user isn’t allowed to execute the
> application if the user logs on normally. This doesn’t work with cmd.exe but
> I have been able to execute internet explorer, down a modified cmd version,
> modify the RDP profile to execute the new cmd and it works like a charm.
>
>
>
> I have only been able to tested this on windows 2003 using a local policy
> and works like a treat. Even in the wild!
>
>
>
> I have done a quick basic video which can been seen here;
>
> http://www.tombstone-bbs.co.uk/v1d30z/rdp-hack2.swf
>
>
>
> Instead of modifying the RDP profile, I just added my application to the
> program tab.. I know the video is crappy but it’s just meant to give you an
> idea what I am talking about :)
>
>
>
> So in short, if anybody can access your server via RDP they are NOT
> restricted by the policy. I would be interested in any feed back about this
> possible exploit / vulnerability even if you don’t think it is.. or even
> better if someone knows how to defend againest it!! LOL! :)
>
>
> Cheers
>
> Wicked Clown.
>
> ------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ