Vulnerability Development mailing list archives

RE: Bugs? in Microsoft RDP protocol, & Questions.


From: "Pybus, David" <DPybus () colt-telecom com>
Date: Wed, 16 Jan 2002 12:04:45 -0000

What security level have you set the terminal server to? If it is set to low,
it will be sending back a lot more than just its machine name unencrypted.

Normally you wouldn't expose Terminal Services to the net, so exposing things
like a machine name is no worse than in the NetBIOS situation you
mentioned. More importantly, when exposing a TS machine to the net, by default
you give anyone who can connect the opportunity to brute force the local
administrator account. This has to be prevented by configuring Terminal
Services not to allow the local admin account to log on and using other accounts
instead, which can be configured to lock after three failed attempts, or
whatever else your policy dictates.

Also, something I have never seen anything about anywhere is how Terminal
Services implements its key generation/exchange. As there is no indication
that any type of asymmetric authentication occurs, it seems reasonable to assume
that Terminal Services is also probably vulnerable to man-in-the-middle
attacks.

Food for thought,
David Pybus

-----Original Message-----
From: s1gnal_9 [mailto:s1gnal_9 () sunos com]
Sent: 15 January 2002 03:41
To: vuln-dev () securityfocus com; bugtraq () securityfocus com
Subject: Bugs? in Microsoft RDP protocol, & Questions.


Today I was doing some research on the RDP protocol on my network; I used 2
Windows XP machines.
During the authentication process, when MACHINE1 connects to MACHINE2, I
found 3 interesting packets.

Packet #1
<----SNIP---->
G.O.0.N................  
<----SNIP---->
The above was sent via the system we connect to; go0n is the name of that
computer, so the computer name is sent unencrypted.

<----SNIP---->
.......5.5.2.7.4.-.6.4.  
0.-.0.0.0.0.4.5.1.-.4.3  
.0.3.9.................  
<----SNIP---->
In this tidbit, the remote system also sent the product ID of the remote
operating system, in clear text.


Packet #2
<----SNIP---->
.P"@.2..        
.4G..E..J..@.EUR..?.¨.d.¨
.e.ë.=¨¬.]P?R&P.ú......
..".à.....
Cookie: mstshash=go0n.
<---SNIP---->
Cookie? Not sure what that is for.
This also sent the computer name in clear text.
mstshash? I'm not sure what this is either; I'm guessing it stands for
"Microsoft Terminal Services Hash". Does it base its hash off of the remote
user's username?

Packet #3
<----SNIP---->
.........\.RSA1H
<----SNIP---->
This is sent also; MS uses RSA's RC4 encryption. Not that it seems it would
pose a threat, I just thought it was interesting.


The first two packets are the ones I'm most concerned about. Instead of
getting remote usernames via the NetBIOS protocol, people can now get the remote
computer name via the RDP protocol.

The first packet contains the Product ID number; what this means is that a remote
attacker can find out exactly what the remote system is running, the most
accurate way of remote OS detection for the latest Windows versions that
deploy the RDP protocol.

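The cleartext cookie the original post points at, and the key-exchange concern in David's reply, as an added example (Python; not code from either poster): it constructs a client connection request, parses the TPKT/X.224 framing to pull out the mstshash identifier that travels unencrypted, and flags a request that asks for standard RDP security instead of TLS or CredSSP. The negotiation request field it checks is a later addition to the protocol that the 2002 posts predate; function names and the sample identifier are my own.

```python
import struct

# requestedProtocols flags carried in the optional RDP negotiation request
PROTOCOL_RDP = 0x0      # standard RDP security: server is not authenticated
PROTOCOL_SSL = 0x1      # TLS
PROTOCOL_HYBRID = 0x2   # CredSSP (NLA)

COOKIE_PREFIX = b"Cookie: mstshash="


def build_connection_request(identifier, requested_protocols=None):
    """Construct a sample client X.224 Connection Request (demo input only)."""
    var = COOKIE_PREFIX + identifier.encode("ascii") + b"\r\n"
    if requested_protocols is not None:   # rdpNegReq: type, flags, length, protocols
        var += struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    tpdu = bytes([0xE0, 0, 0, 0, 0, 0]) + var  # CR code, dst-ref, src-ref, class
    x224 = bytes([len(tpdu)]) + tpdu           # length indicator counts bytes after it
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT version 3 header


def parse_connection_request(pkt):
    """Return the cookie identifier and requested protocols from a raw TPKT packet."""
    if len(pkt) < 11 or pkt[0] != 3 or struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("not a complete TPKT-framed packet")
    li, code = pkt[4], pkt[5]
    if code & 0xF0 != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    body = pkt[11:5 + li]   # variable part after code(1) dst-ref(2) src-ref(2) class(1)
    info = {"cookie": None, "requested_protocols": None}
    if b"\r\n" in body:     # optional cleartext cookie / routing token line
        token, body = body.split(b"\r\n", 1)
        if token.startswith(COOKIE_PREFIX):
            info["cookie"] = token[len(COOKIE_PREFIX):].decode("ascii", "replace")
    if len(body) >= 8 and body[0] == 0x01:   # optional rdpNegReq follows the cookie
        info["requested_protocols"] = struct.unpack("<I", body[4:8])[0]
    return info


def assess(pkt):
    """Findings a passive monitor would raise for one connection request."""
    info = parse_connection_request(pkt)
    findings = []
    if info["cookie"] is not None:
        findings.append("cleartext mstshash identifier: " + info["cookie"])
    if not info["requested_protocols"]:   # field absent, or PROTOCOL_RDP requested
        findings.append("legacy RDP security requested: server is not authenticated")
    return findings


if __name__ == "__main__":
    for pkt in (build_connection_request("go0n"),
                build_connection_request("go0n", PROTOCOL_HYBRID)):
        print(assess(pkt))
```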
