RE: Terminal Server vulnerabilities

["Stuart Fox \(DSL AK\)" <StuartF () datacom co nz>]

> > But I would point out something much more important : there are many
> > more local exploits than remote (on Windows just like any other OS).
> >
> > Local exploits : about 1-2 a month
> > * POSIX - OS/2 subsystem exploitation
> > * Debugging subsystem exploitation (DebPloit)
> > * 16-bit subsystem exploitation (NTVDM)
> > * Shatter Attacks
> > * Etc.
> >
> > Remote exploits : about once a year
> > * RPC/DCOM (blaster)
> > * LSASS (sasser)
> >
> > Basically, if you are logged in as an unpriviledged user on a Terminal
> > Server, you can easily become SYSTEM. If this Terminal Server is also a
> > Domain Controller, game over.
>
> You forgot one important factor - the use of IE and Outlook for the fast
> direct-to-customer delivery of local exploits.  Which *also* results in
> a Game Over....
 
Assuming that the IE/Outlook bugs are privilege escalation bugs.  There seem to be relatively few of those - all of the 
recent ones have given you credentials of the local user, not localsystem (or even admin).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html