Full Disclosure mailing list archives
Re: Terminal Server vulnerabilities
From: "Nicolas RUFF (lists)" <ruff.lists () edelweb fr>
Date: Thu, 27 Jan 2005 09:00:39 +0100
Hello,I agree with everyone that TS is prone to MiTM attacks, since there is no server authentication at all.
Have a look at RDESKTOP sources and you will see a plaintext key exchange at the beginning of the TS session. I suspect this key is related to the L$HYDRAENCKEY_xxx LSA secret. Building a transparent "RDP proxy" with on-the-fly decryption seems feasible.
And don't even think on using the "encryption : low" setting ! But I would point out something much more important : there are many more local exploits than remote (on Windows just like any other OS). Local exploits : about 1-2 a month * POSIX - OS/2 subsystem exploitation * Debugging subsystem exploitation (DebPloit) * 16-bit subsystem exploitation (NTVDM) * Shatter Attacks * Etc. Remote exploits : about once a year * RPC/DCOM (blaster) * LSASS (sasser) Basically, if you are logged in as an unpriviledged user on a TerminalServer, you can easily become SYSTEM. If this Terminal Server is also a Domain Controller, game over.
Regards, - Nicolas RUFF ----------------------------------- Security Consultant EdelWeb (http://www.edelweb.fr/) Mail: nicolas.ruff (at) edelweb.fr ----------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Terminal Server vulnerabilities Daniel Sichel (Jan 24)
- RE: [lists] Terminal Server vulnerabilities Curt Purdy (Jan 25)
- Re: [lists] Terminal Server vulnerabilities Steve Tornio (Jan 25)
- RE: [lists] Terminal Server vulnerabilities ALD, Aditya, Aditya Lalit Deshmukh (Jan 27)
- Re: [lists] Terminal Server vulnerabilities Jan Muenther (Jan 27)
- RE: [lists] Terminal Server vulnerabilities ALD, Aditya, Aditya Lalit Deshmukh (Jan 27)
- Re: [lists] Terminal Server vulnerabilities Jan Muenther (Jan 27)
- Re: [lists] Terminal Server vulnerabilities Steve Tornio (Jan 25)
- RE: [lists] Terminal Server vulnerabilities Curt Purdy (Jan 25)
- Re: Terminal Server vulnerabilities Valdis . Kletnieks (Jan 27)
- <Possible follow-ups>
- Re: Terminal Server vulnerabilities Daniel H. Renner (Jan 24)
- RE: Re: Terminal Server vulnerabilities Larry Seltzer (Jan 25)
- Re: Terminal Server vulnerabilities offtopic (Jan 25)
- RE: Re: Terminal Server vulnerabilities Mark Senior (Jan 25)
- RE: Re: Terminal Server vulnerabilities Larry Seltzer (Jan 25)
- Re: Re: Terminal Server vulnerabilities Valdis . Kletnieks (Jan 25)
- RE: Re: Terminal Server vulnerabilities Larry Seltzer (Jan 25)
- Re: Terminal Server vulnerabilities larry_seltzer_is_a_fraud (Jan 26)
- RE: Re: Terminal Server vulnerabilities Bob the Builder (Jan 26)
- RE: Terminal Server vulnerabilities Stuart Fox (DSL AK) (Jan 27)