Penetration Testing mailing list archives
Re: RE: Microsoft RDP Priv. Escalation
From: "Jarrod Frates" <jfrates.ml () gmail com>
Date: Wed, 9 Apr 2008 10:40:56 -0700
On Tue, Apr 8, 2008 at 8:04 PM, <Yousif () vapt-sec com> wrote:
> The information about the insecurity isn't illegal as I did not use valid information from any .RDP connection file.

While it technically may not have been illegal, it was almost certainly an ethical breach. If this is a real exploit (and I am withholding judgment at this point as I have not tested the reported circumstances), disclosing it in public without the explicit approval of your client is unethical, and may even be a breach of contract. On top of that, publicizing an exploit without notifying the vendor is irresponsible disclosure, another ethical lapse.

What is unclear here is whether the cmd.exe was disabled or merely hidden, and even if it was disabled, whether batch processing was disabled, which could account for this.

--
Jarrod Frates, GAWN