lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <5bc8bc291003260204r7ac6705h5c4fd4a95822c2d6@mail.gmail.com>
Date: Fri, 26 Mar 2010 09:04:11 +0000
From: wicked clown <wickedclownuk@...glemail.com>
To: Full-Disclosure@...ts.grok.org.uk
Subject: Possible RDP vulnerability

Hi Guys,



I think I possible may have found a vulnerability with using RDP / Terminal
services on windows 2003.



If you lock down a server and only allow users who connect to your RDP
connection to run certain applications, users can bypass this and run ANY
application they want. You can do this by modifying the RDP profile /
shortcut and add your application to the alternate shell and the shell
working directory.



When the user connects now to the RDP server the banned application will
execute upon logging on even though the user isn’t allowed to execute the
application if the user logs on normally. This doesn’t work with cmd.exe but
I have been able to execute internet explorer, down a modified cmd version,
modify the RDP profile to execute the new cmd and it works like a charm.



I have only been able to tested this on windows 2003 using a local policy
and works like a treat. Even in the wild!



I have done a quick basic video which can been seen here;

http://www.tombstone-bbs.co.uk/v1d30z/rdp-hack2.swf



Instead of modifying the RDP profile, I just added my application to the
program tab.. I know the video is crappy but it’s just meant to give you an
idea what I am talking about :)



So in short, if anybody can access your server via RDP they are NOT
restricted by the policy. I would be interested in any feed back about this
possible exploit / vulnerability even if you don’t think it is.. or even
better if someone knows how to defend againest it!! LOL! :)


Cheers

Wicked Clown.

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ