Full Disclosure mailing list archives

RE:XP Remote Desktop Remote Activation

From: "RandallM" <randallm () fidmail com>
Date: Sat, 2 Oct 2004 12:56:24 -0500

Would access to command shell be accomplished via the recent ZoneID hole if
such Administration password access is not available? Or perhaps even with
the launching
Of the MS04-028 exploit? Of course any Terminal usage on home pc's are
noticed because users
are locked out. Now terminal servers are a differnet story but user
intervention is still needed.

thank you
Randall M
 
 

<|>--__--__--
<|>
<|>Message: 3
<|>Date: Fri, 1 Oct 2004 23:50:45 -0500
<|>From: Fixer <fixer907 () gmail com>
<|>Reply-To: Fixer <fixer907 () gmail com>
<|>To: full-disclosure () lists netsys com
<|>Subject: [Full-disclosure] XP Remote Desktop Remote Activation
<|>
<|>------=_Part_505_31077403.1096692645033
<|>Content-Type: text/plain; charset=US-ASCII
<|>Content-Transfer-Encoding: 7bit
<|>Content-Disposition: inline
<|>
<|>XP Remote Desktop Remote Activation
<|>
<|>
<|>Information
<|>____________________________________________________________________
<|>Windows XP Professional provides a service called Remote Desktop,
<|>which allows a user to remotely control the desktop as if he or she
<|>were in front of the system locally (ala VNC, pcAnywhere, etc.).
<|>
<|>By default, Remote Desktop is shipped with this service 
<|>turned off and
<|>only the Administrator is allowed access to this service.  It is
<|>possible, however, to modify a series of registry keys that may allow
<|>a malicious user who has already gained a command shell to activate
<|>Remote Desktop and add a user they have created for 
<|>themselves as well
<|>as to hide that user so that it will not show up as a user in the
<|>Remote Desktop user list.  The instructions for this are attached. 
<|>Additionally, I have listed a sample .reg file of the type that is
<|>discussed in the instructions below.
<|>_____________________________________________________________________
<|>

<SNIP>

<|>--__--__--
<|>
<|>Message: 6
<|>From: "Dominick Baier" <seclists () leastprivilege com>
<|>To: "'Fixer'" <fixer907 () gmail com>, 
<|><full-disclosure () lists netsys com>
<|>Subject: RE: [Full-disclosure] XP Remote Desktop Remote Activation
<|>Date: Sat, 2 Oct 2004 17:43:11 +0200
<|>
<|>if you have an administrator password for the machine you 
<|>can just use WMIC
<|>to turn remote desktop on.
<|>
<|>wmic /NODE:Server /USER:administrator RDTOGGLE WHERE 
<|>ServerName="Server"
<|>CALL SetAllowTSConnections 1
<|>
<|>End of Full-Disclosure Digest
<|>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

XP Remote Desktop Remote Activation Fixer (Oct 02)
- Re: XP Remote Desktop Remote Activation morning_wood (Oct 02)
  - Re: XP Remote Desktop Remote Activation Joel R. Helgeson (Oct 02)
- RE: XP Remote Desktop Remote Activation Dominick Baier (Oct 02)
  - Re: XP Remote Desktop Remote Activation Fixer (Oct 02)
- RE: XP Remote Desktop Remote Activation Larry Seltzer (Oct 02)
- Re: XP Remote Desktop Remote Activation H D Moore (Oct 03)
  - Re: XP Remote Desktop Remote Activation Fixer (Oct 03)
- <Possible follow-ups>
- RE:XP Remote Desktop Remote Activation RandallM (Oct 02)
- Re: XP Remote Desktop Remote Activation Fixer (Oct 02)