Re: Possible RDP vulnerability

[wicked clown <wickedclownuk () googlemail com>]

Cheers for that,

I take it back that I haven't found an vulnerability :(, but by default this
isn't enabled which is scary !!



On Fri, Mar 26, 2010 at 9:57 AM, Mr. Hinky Dink <dink () mrhinkydink com>wrote:

>  There is a section in RCP-Tcp Properties on the server under
> "Environment" for "Do not allow an initial program to be launched.  Always
> show the desktop".
>
>
> ----- Original Message -----
> *From:* wicked clown <wickedclownuk () googlemail com>
> *To:* Full-Disclosure () lists grok org uk
> *Sent:* Friday, March 26, 2010 5:04 AM
> *Subject:* [Full-disclosure] Possible RDP vulnerability
>
>  Hi Guys,
>
>
>
> I think I possible may have found a vulnerability with using RDP / Terminal
> services on windows 2003.
>
>
>
> If you lock down a server and only allow users who connect to your RDP
> connection to run certain applications, users can bypass this and run ANY
> application they want. You can do this by modifying the RDP profile /
> shortcut and add your application to the alternate shell and the shell
> working directory.
>
>
>
> When the user connects now to the RDP server the banned application will
> execute upon logging on even though the user isn’t allowed to execute the
> application if the user logs on normally. This doesn’t work with cmd.exe but
> I have been able to execute internet explorer, down a modified cmd version,
> modify the RDP profile to execute the new cmd and it works like a charm.
>
>
>
> I have only been able to tested this on windows 2003 using a local policy
> and works like a treat. Even in the wild!
>
>
>
> I have done a quick basic video which can been seen here;
>
> http://www.tombstone-bbs.co.uk/v1d30z/rdp-hack2.swf
>
>
>
> Instead of modifying the RDP profile, I just added my application to the
> program tab.. I know the video is crappy but it’s just meant to give you an
> idea what I am talking about :)
>
>
>
> So in short, if anybody can access your server via RDP they are NOT
> restricted by the policy. I would be interested in any feed back about this
> possible exploit / vulnerability even if you don’t think it is.. or even
> better if someone knows how to defend againest it!! LOL! :)
>
>
> Cheers
>
> Wicked Clown.
>
> ------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/