Full Disclosure mailing list archives
Re: Remote Desktop Command Fixation Attacks
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 11 Oct 2007 10:12:15 -0400
> Not to step in to the middle of this, but I once worked for an employer with what I considered the best way of stopping attacks cold: a proxy server that prompted you for your credentials when you went to an external web site and GP settings that disabled the ability to save your username/password locally, as well as tight settings on the systems to prevent pretty much anything from being installed or modified. So every time you opened up a brand new session of IE and tried to access an external site you were prompted for your username/password. Somehow I doubt there's any malware around that is designed to survive in that type of an environment.
(This is far enough afield that I'm not cc'ing pdp or Thor or anyone else, just the lists.)

Actually, it's trivial for malware to survive in this kind of environment. If the proxy is HTTP-only and requires a cached HTTP-auth header from the browser, then the malware just has to use any port that is allowed through the firewall directly that's not 80. If the proxy is used to perform client authentication (Cisco, Check Point, and other firewalls do this as well), where a browser authenticates a user and then the proxy allows other traffic from that client IP address until the session expires or an idle time limit is reached, the malware need only persist on whatever C&C channel it uses until a user authenticates to the proxy/firewall. Then the traffic will still be allowed. In many cases, the malware will be dropped and activated *during* one of these sessions and, at least for a short period of time, will function unhindered. Unless a network can authenticate clients on a per-session basis on each protocol, there is still plenty of opportunity for malware to thrive.

<soapbox> This is why monitoring and detection are key elements of Defense In Depth, whose death has been prematurely reported a lot this year. </soapbox>

PaulM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
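A defender's-side illustration of Paul's closing point, added here and not part of the thread or any product's own code: correlate firewall flow records with the client-authentication sessions a proxy/firewall keeps per client IP, flag direct (non-proxied) flows that ride on someone's authenticated session or show up with no session at all, and look for the steady beaconing a C&C channel produces while it persists across sessions. The proxy address, sessions, flows and thresholds are constructed sample values.

```python
from datetime import datetime
from statistics import median

# Constructed sample data (not from the thread): auth sessions and allowed outbound flows.
PROXY_IP, PROXY_PORT = "10.1.1.5", 8080
SESSIONS = [  # user, client IP, session start, session end (expiry/idle limit)
    ("alice", "10.1.1.20", "2007-10-11 09:00:00", "2007-10-11 09:30:00"),
]
FLOWS = [  # timestamp, src IP, dst IP, dst port
    ("2007-10-11 09:01:10", "10.1.1.20", "10.1.1.5", 8080),    # browsing via proxy
    ("2007-10-11 09:05:00", "10.1.1.20", "203.0.113.9", 443),  # direct, during session
    ("2007-10-11 09:10:00", "10.1.1.20", "203.0.113.9", 443),
    ("2007-10-11 09:15:00", "10.1.1.20", "203.0.113.9", 443),
    ("2007-10-11 09:45:00", "10.1.1.20", "203.0.113.9", 443),  # after session expired
]

_ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def active_user(src, when):
    """Return the user whose client-IP session covers this moment, or None."""
    for user, ip, start, end in SESSIONS:
        if ip == src and _ts(start) <= when <= _ts(end):
            return user
    return None

def classify_flows(flows):
    """Label every flow that bypassed the authenticating proxy."""
    findings = []
    for ts, src, dst, dport in flows:
        if (dst, dport) == (PROXY_IP, PROXY_PORT):
            continue  # per-request auth for these lives in the proxy log
        user = active_user(src, _ts(ts))
        reason = (f"direct flow piggybacking on session of {user}" if user
                  else "direct flow with no authenticated session")
        findings.append((ts, src, dst, dport, reason))
    return findings

def beacon_candidates(flows, min_repeats=3, tolerance=30):
    """Direct flows to one (src, dst, port) at a steady interval: a persistent C&C channel."""
    by_key = {}
    for ts, src, dst, dport, _ in classify_flows(flows):
        by_key.setdefault((src, dst, dport), []).append(_ts(ts))
    hits = []
    for key, times in by_key.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = [g for g in gaps if abs(g - median(gaps)) <= tolerance]
        if len(regular) + 1 >= min_repeats:
            hits.append(key)
    return hits
```

On the sample data the three flows at five-minute spacing are reported as piggybacking on alice's session, the 09:45 flow as having no session, and 203.0.113.9:443 as a beacon candidate.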
Current thread:
- Remote Desktop Command Fixation Attacks pdp (architect) (Oct 10)
- Re: Remote Desktop Command Fixation Attacks Thor (Hammer of God) (Oct 10)
- Re: Remote Desktop Command Fixation Attacks M. Burnett (Oct 11)
- Re: Remote Desktop Command Fixation Attacks pdp (architect) (Oct 11)
- Re: Remote Desktop Command Fixation Attacks gjgowey (Oct 11)
- Re: Remote Desktop Command Fixation Attacks Obscure (Oct 11)
- Re: Remote Desktop Command Fixation Attacks Paul Melson (Oct 11)
- Re: Remote Desktop Command Fixation Attacks Alex Everett (Oct 11)
- Re: Remote Desktop Command Fixation Attacks Gautam R. Singh (Oct 11)
- Re: Remote Desktop Command Fixation Attacks gboyce (Oct 11)
- Re: Remote Desktop Command Fixation Attacks pdp (architect) (Oct 11)
- Re: Remote Desktop Command Fixation Attacks gboyce (Oct 11)
- Re: Remote Desktop Command Fixation Attacks Thor (Hammer of God) (Oct 10)
- Re: Remote Desktop Command Fixation Attacks Jim Harrison (Oct 11)
- Re: Remote Desktop Command Fixation Attacks Xo Plague (Oct 11)
- Re: Remote Desktop Command Fixation Attacks Pete Simpson (Oct 12)
- Re: Remote Desktop Command Fixation Attacks John C. A. Bambenek, CISSP (Oct 11)
- Re: Remote Desktop Command Fixation Attacks Thor (Hammer of God) (Oct 12)