Open Source and information security mailing list archives
Date: Fri, 26 Mar 2010 15:30:40 +0000
From: wicked clown <wickedclownuk@...glemail.com>
To: Full-Disclosure@...ts.grok.org.uk
Subject: Re: Possible RDP vulnerability

Thank you for your comment.

What I was referring to as being scary is that if you create a locked down
group policy that is tighter than a duck's bum and you forget that single
tick (I admit I didn't know of that option and I bet lots of other people
didn't know about it) you leave your system to total pwnage!! It's simple
mistakes like that which compromise systems.

If I had found this before the MS10-015 patch was released I could have downloaded that
exploit and gained system level permission, so no user based permission or
access control would have stopped me.



On Fri, Mar 26, 2010 at 2:13 PM, Thor (Hammer of God)
<Thor@...merofgod.com> wrote:

> There’s nothing “scary” about it.   I believe you are incorrectly asserting
> that the inclusion of the “start the following program on connection” has
> something to do with “locking down the server” and/or “only allow(ing) users
> who connect to your server to run certain applications.”   I would suggest
> that you study up on what RDP is and how it works before posting things like
> this.
>
> Consider “locking down RDP” a process similar to “locking down a local
> host.”  Use permissions and other host/OS based controls to secure what a
> user can and can’t do on a host.
>
> t
>
> *From:* full-disclosure-bounces@...ts.grok.org.uk [mailto:
> full-disclosure-bounces@...ts.grok.org.uk] *On Behalf Of *wicked clown
> *Sent:* Friday, March 26, 2010 3:33 AM
> *To:* Full-Disclosure@...ts.grok.org.uk
> *Subject:* Re: [Full-disclosure] Possible RDP vulnerability
>
> Cheers for that,
>
> I take it back that I haven't found a vulnerability :(, but by default
> this isn't enabled which is scary !!
>
> On Fri, Mar 26, 2010 at 9:57 AM, Mr. Hinky Dink <dink@...inkydink.com>
> wrote:
>
> There is a section in RDP-Tcp Properties on the server under "Environment"
> for "Do not allow an initial program to be launched.  Always show the
> desktop".
>
> ----- Original Message -----
>
> *From:* wicked clown <wickedclownuk@...glemail.com>
> *To:* Full-Disclosure@...ts.grok.org.uk
> *Sent:* Friday, March 26, 2010 5:04 AM
> *Subject:* [Full-disclosure] Possible RDP vulnerability
>
> Hi Guys,
>
> I think I possibly may have found a vulnerability with using RDP / Terminal
> services on Windows 2003.
>
> If you lock down a server and only allow users who connect to your RDP
> connection to run certain applications, users can bypass this and run ANY
> application they want. You can do this by modifying the RDP profile /
> shortcut and adding your application to the alternate shell and the shell
> working directory.
>
> When the user now connects to the RDP server the banned application will
> execute upon logging on even though the user isn’t allowed to execute the
> application if the user logs on normally. This doesn’t work with cmd.exe but
> I have been able to execute Internet Explorer, download a modified cmd version,
> modify the RDP profile to execute the new cmd and it works like a charm.
>
> I have only been able to test this on Windows 2003 using a local policy
> and it works like a treat. Even in the wild!
>
> I have done a quick basic video which can be seen here;
>
> http://www.tombstone-bbs.co.uk/v1d30z/rdp-hack2.swf
>
> Instead of modifying the RDP profile, I just added my application to the
> program tab.. I know the video is crappy but it’s just meant to give you an
> idea what I am talking about :)
>
> So in short, if anybody can access your server via RDP they are NOT
> restricted by the policy. I would be interested in any feedback about this
> possible exploit / vulnerability even if you don’t think it is.. or even
> better if someone knows how to defend against it!! LOL! :)
>
> Cheers
>
> Wicked Clown.
> ------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

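The thread turns on one fact: an .rdp connection file can carry an "alternate shell" and "shell working directory", and a server whose RDP-Tcp Environment setting inherits the client's initial program will honour them. A defender auditing the connection files handed out to users wants to know which of them carry such a client-side initial program. The following is an added example, not code from anyone in the thread; it assumes only the well-known .rdp text layout of one `name:type:value` setting per line (type `s` string, `i` integer, `b` binary), and the sample file it parses is constructed here.

```python
# Constructed sample connection file (not from the thread): a published .rdp
# shortcut that carries a client-side initial program, as the original post describes.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:ts01.example.internal
username:s:jdoe
alternate shell:s:C:\\Users\\Public\\tools\\cmd2.exe
shell working directory:s:C:\\Users\\Public\\tools
remoteapplicationmode:i:0
"""

# Settings that let the connecting client choose what runs at logon.
INITIAL_PROGRAM_KEYS = ("alternate shell", "shell working directory")


def parse_rdp(text):
    """Parse an .rdp file into {name: (type, value)}.

    Each non-empty line is 'name:type:value', where type is s (string),
    i (integer) or b (binary blob). Values may themselves contain ':'
    (drive letters, URLs), so split on the first two separators only.
    Integer settings are converted; a malformed line raises ValueError
    rather than being silently skipped, so an audit never under-reports.
    """
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            raise ValueError(f"line {lineno}: not a name:type:value setting: {raw!r}")
        name, typ, value = parts
        name = name.strip().lower()
        settings[name] = (typ, int(value) if typ == "i" else value)
    return settings


def audit_rdp(text):
    """Return a list of findings, one per client-supplied initial-program
    setting that is present and non-empty in the file."""
    settings = parse_rdp(text)
    findings = []
    for key in INITIAL_PROGRAM_KEYS:
        if key in settings and settings[key][1] != "":
            findings.append(f"{key} = {settings[key][1]}")
    return findings


if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_RDP):
        print("client initial program set:", finding)
```

Run it over every .rdp file you distribute or find on user machines; a non-empty finding means the file, not the server's policy, decides what launches at logon. It complements, rather than replaces, the server-side control named in the thread ("Do not allow an initial program to be launched. Always show the desktop"), which makes the server ignore these fields whatever the client sends.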