lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <58DB1B68E62B9F448DF1A276B0886DF194D97FD0@EX2010.hammerofgod.com>
Date: Sun, 18 Mar 2012 16:21:26 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Nahuel Grisolía <nahuel.grisolia@...il.com>, root
	<root_@...ertel.com.ar>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: ms12-020 PoC

You establish a connection to TSGateway via RPC over HTTP in an SSL tunnel.  Once you are authenticated and authorized, the TSGateway server will establish a connection via RDP to the target server, tunneling the RDP connection back to you within the RPC/HTTP(S) channel. 

As such, TSGateway is obviously unaffected by this vulnerability.  For those of you looking for mitigation and not kiddie code to pop a box, note that simply using NLA mitigates both RDP issues. 

This might be a good time to point out than anyone who followed any of my advice in the RDP chapter of Thor's Microsoft Security Bible, or who is using the little ThoRDP tool I wrote (also in the book) was protected from these vulnerabilities way before they were discovered.   I say that to simply identify that some simple, effective techniques can be deployed that thwarts the hours and hours people put into developing exploit code and the wasted time chasing all this stuff down.  *THAT* is what security is about, btw.  

t

>-----Original Message-----
>From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-
>bounces@...ts.grok.org.uk] On Behalf Of Nahuel Grisolía
>Sent: Friday, March 16, 2012 11:41 AM
>To: root
>Cc: full-disclosure@...ts.grok.org.uk
>Subject: Re: [Full-disclosure] ms12-020 PoC
>
>Guys,
>
>What about TS Gateway? which is actually listening on port 443 (by def)...
>
>thanks!
>
>Nahu.
>
>On 16 March 2012 15:12, root <root_@...ertel.com.ar> wrote:
>> The SABU code is fake (go figure).
>> This python script is the first port of the Luigi code to python,
>> that's why sucks.
>>
>> Here are better ports: http://pastebin.com/4FnaYYMz and
>> http://pastebin.com/jzQxvnpj
>>
>> On 03/16/2012 02:50 PM, Exibar wrote:
>>> Is that the same code from yesterday?  I thought that code was a fake and
>didn'kt do anything?
>>>
>>>   Anyone confirm this?
>>>
>>>  Exibar
>>> Sent via BlackBerry by AT&T
>>>
>>> -----Original Message-----
>>> From: kyle kemmerer <krkemmerer@...il.com>
>>> Sender: full-disclosure-bounces@...ts.grok.org.uk
>>> Date: Fri, 16 Mar 2012 12:01:16
>>> To: <full-disclosure@...ts.grok.org.uk>
>>> Subject: [Full-disclosure] ms12-020 PoC
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ