Penetration Testing mailing list archives

Re: Remote Desktop/Term. Serv information leakage

From: Eric Smith <defcon47 () yahoo com>
Date: Fri, 1 Jul 2005 09:15:47 -0700 (PDT)

I tried this method with several exe files and it
doesnt work on the remote side. This doesnt suprise me
since you are talking about taking a binary file (exe)
and fooling the OS into believing the contents are
Ascii (txt). When you copy what is supposed to be
ASCII  and try to convert it back to a binary form on
the remote side by renaming, the exe is corrupt.

At most, the only information leakage that you are
referring to would be documents that could be copied
and pasted over a RDP session. However, there are many
ways of transferring ascii, so this is a low risk at
most.

--- kuffya () gmail com wrote:

Hi list, 
One of our recent clients has a seperate 'isolated'
network where they keep sensitive material. This
network is not connected to the internet, is not
physically accessible and you can only connect to it
using remote desktop. They asked us to test if the
isolated network was adequately protected.
Here's what I discovered: When you start a Rem
Desktop session from the main network to the
isolated one you can actually copy and paste stuff
across...this is only true for text not for complete
files, and seems to be by design. What is more
worrisome is that you can even copy across
executables doing simple tricks such as 
1)download an executable 
2)change extension to .txt
3) copy (the text version) across to a notepad. 
4)change it back to .exe
So literally we have a significant leakage over
here, introducing threats to the isolated network. 
I am posting this to ask your opinion on how this
could be mitigated......I think that Remote Desktop
is not possible to configure securely since it's not
designed as such...and hence it transfers across
anything it receives , be it mouse movements or
copied & pasted text...
So I was trying to think what would be the best
solution, without spending a fortune on a 'secure'
commercial solution, that is. Maybe something like
SSH tunneling then Rem. Desktop or VNC or what?   
And do you think this 'bug' is something
investigating any further? Is it something you
people knew of?

Thanks a lot.



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

Current thread:

Remote Desktop/Term. Serv information leakage kuffya (Jul 01)
- Re: Remote Desktop/Term. Serv information leakage Joachim Schipper (Jul 01)
- Re: Remote Desktop/Term. Serv information leakage Eric Smith (Jul 01)
- Re: Remote Desktop/Term. Serv information leakage Kyle Maxwell (Jul 01)
- Re: Remote Desktop/Term. Serv information leakage Terry Vernon (Jul 01)
  - Re: Remote Desktop/Term. Serv information leakage Joachim Schipper (Jul 01)
- RE: Remote Desktop/Term. Serv information leakage Paul Fields (Jul 01)
- Re: Remote Desktop/Term. Serv information leakage Thor (Hammer of God) (Jul 01)
- <Possible follow-ups>
- RE: Remote Desktop/Term. Serv information leakage Andre Protas (Jul 01)
- RE: Remote Desktop/Term. Serv information leakage Ha, Jason (Jul 02)
- Re: Remote Desktop/Term. Serv Information leakage kuffya (Jul 02)
  - RE: Remote Desktop/Term. Serv Information leakage Paul Fields (Jul 05)
- RE: Remote Desktop/Term. Serv information leakage Salvador.Manaois (Jul 04)

(Thread continues...)