Full Disclosure mailing list archives
RE: Re: Terminal Server vulnerabilities
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Tue, 25 Jan 2005 12:12:10 -0500
Yeah, fine, so if this bothers you use a VPN. I still it's something very few people need to worry about. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.ziffdavis.com/seltzer larryseltzer () ziffdavis com -----Original Message----- From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Mark Senior Sent: Tuesday, January 25, 2005 12:00 PM To: full-disclosure () lists netsys com Subject: RE: [Full-disclosure] Re: Terminal Server vulnerabilities Terminal Server encrypts its traffic, yes, but it doesn't do any verification of what server it's connecting to. This is equivalent to SSL with anonymous DH key agreement - you know no eavesdroppers can listen in, but you have no idea who you're talking to. So a MiTM attack is possible, there is no difficulty decrypting the traffic - you just make the entire session terminate at the attacking end, and make a new session to the real server. Yes, most of the keypresses would be uninteresting information, but there are a few right at the start, typically between a TAB and an ENTER, that might be of some interest... The annoying thing is, the server does actually have a persistent key, which the client could verify from one connection to the next - it just doesn't; it throws the key away after the connection is established. It's not unfixable; fixing it wouldn't even break the existing protocol. The client would just have to behave like an ssh client, and check its known keys. -----Original Message----- From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Larry Seltzer Sent: January 25, 2005 04:27 To: 'Daniel H. Renner'; full-disclosure () lists netsys com Subject: RE: [Full-disclosure] Re: Terminal Server vulnerabilities
[MS] claim there are no unfixed vulnerabilities to Terminal Server on Windows Server 2000 Service Pack 4. I find that hard to believe and I know you guys will know if they
are
full of it, or they are correct. Please let me know ASAP of any CURRENT vulnerabilities int Terminal Server.
Try here for starters: http://www.google.com/search?q=%22windows+terminal+server%22+exploit&s
ourceid=mozilla&start=0&start=0&ie=utf-8&oe=utf-8
(2,310 results)
Just as I figured. Based only on the first 25 or so, all of the real exploits discussed are patched and the vast majority of them apply to Windows NT 4.0 Terminal Server. The original poster asked about "CURRENT" vulnerabilities. The one remaining issue I remembered is on this page (http://www.saintcorporation.com/cgi-bin/demo_tut.pl?tutorial_name=Micro soft_Terminal_Server.html&fact_color=doc&tag=), which is also a good collection of vulnerabilities in general. It is a man-in-the-middle attack that could allow an attacker, using a collection of techniques including IP spoofing, to recover the original plaintext session. RDP, the Terminal Server protocol, is encrypted by default. The worst thing you have to do to work around this is to use a VPN, but considering what they would recover is RDP data (mouse moves, key clicks, GDI elements, etc.) I consider this a relatively high-overhead attack. Your Windows Terminal Server is much more likely to be vulnernerable to a problem in Windows than one specifically in Terminal Server, which has a very good security history. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.ziffdavis.com/seltzer larryseltzer () ziffdavis com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: [lists] Terminal Server vulnerabilities, (continued)
- Re: [lists] Terminal Server vulnerabilities Jan Muenther (Jan 27)
- RE: [lists] Terminal Server vulnerabilities ALD, Aditya, Aditya Lalit Deshmukh (Jan 27)
- Re: [lists] Terminal Server vulnerabilities Jan Muenther (Jan 27)
- Re: [lists] Terminal Server vulnerabilities Jonathan Rickman (Jan 26)
- Re: Terminal Server vulnerabilities Valdis . Kletnieks (Jan 27)
- RE: Re: Terminal Server vulnerabilities Larry Seltzer (Jan 25)
- Re: Terminal Server vulnerabilities offtopic (Jan 25)
- RE: Re: Terminal Server vulnerabilities Larry Seltzer (Jan 25)
- Re: Re: Terminal Server vulnerabilities Valdis . Kletnieks (Jan 25)