Full Disclosure mailing list archives
Possible RDP vulnerability
From: wicked clown <wickedclownuk () googlemail com>
Date: Fri, 26 Mar 2010 09:04:11 +0000
Hi Guys, I think I possible may have found a vulnerability with using RDP / Terminal services on windows 2003. If you lock down a server and only allow users who connect to your RDP connection to run certain applications, users can bypass this and run ANY application they want. You can do this by modifying the RDP profile / shortcut and add your application to the alternate shell and the shell working directory. When the user connects now to the RDP server the banned application will execute upon logging on even though the user isn’t allowed to execute the application if the user logs on normally. This doesn’t work with cmd.exe but I have been able to execute internet explorer, down a modified cmd version, modify the RDP profile to execute the new cmd and it works like a charm. I have only been able to tested this on windows 2003 using a local policy and works like a treat. Even in the wild! I have done a quick basic video which can been seen here; http://www.tombstone-bbs.co.uk/v1d30z/rdp-hack2.swf Instead of modifying the RDP profile, I just added my application to the program tab.. I know the video is crappy but it’s just meant to give you an idea what I am talking about :) So in short, if anybody can access your server via RDP they are NOT restricted by the policy. I would be interested in any feed back about this possible exploit / vulnerability even if you don’t think it is.. or even better if someone knows how to defend againest it!! LOL! :) Cheers Wicked Clown.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Possible RDP vulnerability wicked clown (Mar 26)
- Re: Possible RDP vulnerability Mr. Hinky Dink (Mar 26)
- Re: Possible RDP vulnerability wicked clown (Mar 26)
- Re: Possible RDP vulnerability Thor (Hammer of God) (Mar 26)
- Re: Possible RDP vulnerability wicked clown (Mar 26)
- Re: Possible RDP vulnerability Thor (Hammer of God) (Mar 26)
- Re: Possible RDP vulnerability wicked clown (Mar 27)
- Re: Possible RDP vulnerability Dan Kaminsky (Mar 27)
- Re: Possible RDP vulnerability Thor (Hammer of God) (Mar 27)
- Re: Possible RDP vulnerability Dan Kaminsky (Mar 27)
- Re: Possible RDP vulnerability Thor (Hammer of God) (Mar 27)
- Re: Possible RDP vulnerability wicked clown (Mar 26)
- Re: Possible RDP vulnerability Mr. Hinky Dink (Mar 26)