| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <41F89FA7.4060501@edelweb.fr> From: ruff.lists at edelweb.fr (Nicolas RUFF (lists)) Subject: Terminal Server vulnerabilities Hello, I agree with everyone that TS is prone to MiTM attacks, since there is no server authentication at all. Have a look at RDESKTOP sources and you will see a plaintext key exchange at the beginning of the TS session. I suspect this key is related to the L$HYDRAENCKEY_xxx LSA secret. Building a transparent "RDP proxy" with on-the-fly decryption seems feasible. And don't even think on using the "encryption : low" setting ! But I would point out something much more important : there are many more local exploits than remote (on Windows just like any other OS). Local exploits : about 1-2 a month * POSIX - OS/2 subsystem exploitation * Debugging subsystem exploitation (DebPloit) * 16-bit subsystem exploitation (NTVDM) * Shatter Attacks * Etc. Remote exploits : about once a year * RPC/DCOM (blaster) * LSASS (sasser) Basically, if you are logged in as an unpriviledged user on a Terminal Server, you can easily become SYSTEM. If this Terminal Server is also a Domain Controller, game over. Regards, - Nicolas RUFF ----------------------------------- Security Consultant EdelWeb (http://www.edelweb.fr/) Mail: nicolas.ruff (at) edelweb.fr -----------------------------------
Powered by blists - more mailing lists