lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <096A04F511B7FD4995AE55F13824B833212A6C@banneretcs1.local.banneretcs.com>
Date: Wed, 9 May 2007 22:36:02 -0400
From: "Roger A. Grimes" <roger@...neretcs.com>
To: <software@...ks.gov>, <bugtraq@...urityfocus.com>
Subject: RE: RDP TLS downgrade

On a related note, I've not been able to successfully MitM RDP sessions
in over a year.  I've always used Cain & Able to test, and although it
at first appears to work, I can no longer get any usable data. In the
past, I could MitM RDP sessions and easily pull out the plaintext
passwords and encoded session information. Now, even without
authentication turned on, even without the newer RDP client, I'm not
getting any usable information. Although I have absolutely no insider
information on this (even though I work for Microsoft), it appears the
XP RDP (and later) clients have been updated to prevent casual MitM
attacks, even without the newer authentication options enabled.

Has anyone successfully captured useful RDP MitM traffic lately?

Roger

*******************************************************************
*Roger A. Grimes, Senior Security Consultant
*Microsoft Application Consulting and Engineering (ACE) Services  
*http://blogs.msdn.com/ace_team/default.aspx
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger@...neretcs.com or rogrim@...rosoft.com
*******************************************************************



-----Original Message-----
From: software@...ks.gov [mailto:software@...ks.gov] 
Sent: Wednesday, May 09, 2007 8:45 AM
To: bugtraq@...urityfocus.com
Subject: RDP TLS downgrade

For those using TLS with Microsoft's Terminal server.  

With Terminal server installed on Windows 2003 Server with current
service packs and patches it is possible to bypass the server side
setting that requires SSL with a self-signed cert.

You will automatically be downgraded to not using TLS and not be
notified.  The padlock will be missing on the RDP banner.

Why is this a problem?

Using a cert and SSL was MS answer to prevent man in the middle attacks
when using RDP.  You may think that you are protected but you are not.

This behavior exposes itself when you use the RDP 6.0 client.  Nothing
else is required.

I have not tested it with a trusted cert via verisign or others but I
expect the results will be the same.

To recreate:  Install MS Windows 2003 server, install Terminal services,
set the server setting encryption level to high and require SSL.

Use RDP client 5.2, set to no authentication, should fail to connect.

Use RDP client 6.0 set to always connect even if authetication fails.
This should bypass the server settings and connect downgraded.

It is interesting that the client side piece can control the server
settings....

MS sec response contacted, did not see it as a problem.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ