Penetration Testing mailing list archives
Re: TS/3389 risk on Internet
From: Tim <tim-pentest () sentinelchicken org>
Date: Mon, 1 Nov 2004 22:43:03 -0500
> If you choose to do this you need to enable high encryption which uses 128 bit and change the port TS listens on. http://support.microsoft.com/default.aspx?scid=187623

I think the originator of this thread is aware of this problem, but based on many of the other posts, it appears others aren't, so I'll post it here: http://seclists.org/lists/bugtraq/2003/Apr/0038.html

AFAIK, M$ has changed nothing to fix this major design flaw. My point here is, no amount of encryption will do any good if you aren't authenticating who you are sending it to, as a client. If you can masquerade as the server, then you should be able to inject your own session keys, and read any data coming from the client, which would include any login passwords. (If there have been any recent changes by M$ in newer versions which correct this, please, do tell.)

Come to think of it, perhaps using an alternative client (rdesktop?) one could authenticate and store server keys/fingerprints, fixing this user-interface flaw. I haven't touched Windoze in a while, does anyone know if this feature is available in alternative clients?

thanks,
tim
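A client-side check of the kind Tim describes (pin the server's key fingerprint on first connection, refuse to proceed when a later connection presents a different one), as an added example that is not part of the original thread or of any RDP client. Hashing whatever bytes the server presents as its key, keying the store by host:port, and the one-entry-per-line text format are assumptions of this example.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    NEW = "new"            # first contact: fingerprint recorded (trust on first use)
    MATCH = "match"        # presented key matches what was stored earlier
    MISMATCH = "mismatch"  # stored fingerprint differs: do not send credentials


def fingerprint(server_key: bytes) -> str:
    """Colon-separated SHA-256 over the bytes the server presents as its key."""
    digest = hashlib.sha256(server_key).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class KnownServers:
    """known_hosts-style store mapping 'host:port' to a key fingerprint.

    Assumed text format (one entry per line): 'host:port fingerprint'.
    """

    def __init__(self, text: str = ""):
        self._store = {}
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            endpoint, fp = line.split()
            self._store[endpoint] = fp

    def check(self, host: str, port: int, server_key: bytes) -> Verdict:
        """Compare the presented key against the pinned fingerprint for host:port."""
        endpoint = f"{host}:{port}"
        fp = fingerprint(server_key)
        stored = self._store.get(endpoint)
        if stored is None:
            # Trust on first use: record the fingerprint so later changes are noticed.
            self._store[endpoint] = fp
            return Verdict.NEW
        return Verdict.MATCH if stored == fp else Verdict.MISMATCH

    def dump(self) -> str:
        """Serialise the store in the assumed text format."""
        return "\n".join(f"{ep} {fp}" for ep, fp in sorted(self._store.items()))


# Constructed sample keys standing in for whatever a server sends as its public key.
KEY_A = b"constructed-server-key-A"
KEY_B = b"constructed-server-key-B"
```

A MISMATCH verdict is the point at which the client should stop before sending any login password, since the peer can no longer be assumed to be the server seen on earlier connections.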
Current thread:
- Re: TS/3389 risk on Internet Lennart Sorth (Nov 01)
- <Possible follow-ups>
- Re: TS/3389 risk on Internet Adam Jones (Nov 01)
- Re: TS/3389 risk on Internet Jeffrey Clark (Nov 01)
- RE: TS/3389 risk on Internet Keith T. Morgan (Nov 01)
- RE: TS/3389 risk on Internet Peadro, Jeff (AIS) (Nov 01)
- Re: TS/3389 risk on Internet Tim (Nov 03)
- Re: TS/3389 risk on Internet Travis Potter (Nov 01)
- Re: TS/3389 risk on Internet Neale Green (Nov 03)
- Re: TS/3389 risk on Internet Davide Carnevali (Nov 01)
- RE: TS/3389 risk on Internet sk3tch (Nov 03)
- RE: TS/3389 risk on Internet Todd Towles (Nov 03)