Penetration Testing mailing list archives

RE: Re: Microsoft RDP Priv. Escalation


From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Tue, 15 Apr 2008 07:35:28 -0700

So, let me see if I get this right:

You're "unsure" of what the admin may or may not have done regarding
permissions or rights, yet you have no problem with publishing a
"vulnerability in the rdp protocol" touting "privilege escalation"
complete with a trite photo of Bill Gates "praying?"  

You are in fact, and by your own admission, "guessing" about what type
of account is used??  This is simply ridiculous. 

Sir, may I suggest in the future that you use these forums to first
"learn" what you need to know before immediately posting and publishing
"vulnerability" information regarding technologies that you obviously
don't understand.  It's not just that you embarrass yourself, but more
importantly, this type of irresponsible posting only serves to distract
and confuse those who may trust that you are qualified to advise them of
RDP security issues.  Did you even bother sending off a note to
secure@microsoft first?  

For those of you following along, here's all you have to do to test
this: Log on to the RDP host and set "deny rx" on notepad.exe.  Using
MSTSC, select "start program on connect" and use, say, calc.exe.  Log on
- you'll see "calc" run.  Perfect.  Now do the same thing but use
"notepad.exe" instead, then log on again - oops!  "Access denied."  You
can also just save the .rdp file and edit "alternate shell," but it will
do the same thing.

Improperly deployed/secured Terminal Services/Remote Desktop solutions
can indeed introduce serious security issues into your infrastructure.
That's why it is important to do your research before deploying them.
But as a researcher dispensing information on security, it is even more
important for you to perform your technical due diligence in a
professional manner before posting vulnerabilities based on things you
are "unsure" of or "guessing" about.  Sorry to sound rude, but things
are hard enough already without adding more FUD. 

t

-----------
Check out Tim Mullen's "Microsoft Ninjitsu" training at Blackhat Vegas
2008! 
There are also some other great NGS classes available led by
world-class researchers and trainers.
http://www.blackhat.com/html/bh-usa-08/train-bh-usa-08-tm-ms-bbe.html
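
The check Thor describes, as an added PowerShell example that is not part of the thread: it pulls the "alternate shell" entry out of a saved .rdp file and reports whether the NTFS ACL on that binary carries a Deny-execute ACE for a given principal, so an admin can confirm the deny is in place before anyone connects. The .rdp path and the principal name (BUILTIN\Remote Desktop Users) are placeholders.

```powershell
# Added example, not part of the original thread. Reproduces the "deny rx" check
# from the defender's side: read the alternate shell from an .rdp file, then look
# for a Deny ACE with the ExecuteFile right on that binary.
# Assumptions: run on the RDP host; the .rdp path and principal are placeholders.

function Get-RdpAlternateShell {
    param([Parameter(Mandatory)][string]$RdpFile)
    # .rdp files are plain text, one "name:type:value" setting per line ('s' = string).
    foreach ($line in Get-Content -LiteralPath $RdpFile) {
        if ($line -match '^alternate shell:s:(?<value>.*)$') {
            return $Matches['value']
        }
    }
    return $null   # no alternate shell configured; the normal desktop is started
}

function Test-ExecuteDenied {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Principal
    )
    # True when a Deny ACE naming $Principal includes the ExecuteFile right.
    # Only ACEs naming the principal directly are checked; a deny that reaches the
    # user through a nested group is not resolved here.
    $execute = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq $Principal -and
            (([int]$ace.FileSystemRights -band $execute) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Example run against a saved connection file (placeholder path).
$shell = Get-RdpAlternateShell -RdpFile "$env:USERPROFILE\Desktop\host.rdp"
if ($shell) {
    # "alternate shell" may be a bare name such as notepad.exe; resolve it via PATH.
    $cmd = Get-Command -Name $shell -ErrorAction SilentlyContinue | Select-Object -First 1
    $resolved = if ($cmd) { $cmd.Path } else { $shell }
    $denied = Test-ExecuteDenied -Path $resolved -Principal 'BUILTIN\Remote Desktop Users'
    "alternate shell = $resolved ; execute denied for RDP users: $denied"
}
```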

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Yousif () Vapt-Sec com
Sent: Sunday, April 13, 2008 9:06 AM
To: pen-test () securityfocus com
Subject: Re: Re: Microsoft RDP Priv. Escalation

Memet - Alright, how the admin went about disabling access to that
file, I'm unsure; my guess is, I was using a very limited user account,
and limited meaning, the way Windows limits "those" kind of accounts.
