Vulnerability Development mailing list archives

Bugs? in Microsoft RDP protocol, & Questions.


From: "s1gnal_9 " <s1gnal_9 () sunos com>
Date: Tue, 15 Jan 2002 11:41:28 +0800

Today I was doing some research on the RDP protocol on my network; I used 2 Windows XP machines.
During the authentication process, when MACHINE1 connects to MACHINE2, I found 3 interesting packets.

Packet #1
<----SNIP---->
G.O.0.N................  
<----SNIP---->
The above was sent by the system we connect to; go0n is the name of that computer, so the computer name is sent 
unencrypted.

<----SNIP---->
.......5.5.2.7.4.-.6.4.  
0.-.0.0.0.0.4.5.1.-.4.3  
.0.3.9.................  
<----SNIP---->
In this tidbit, the remote system also sent the product ID of the remote operating system, in clear text.


Packet #2
<----SNIP---->
.P"@.2..        
.4G..E..J..@.€..‰.¨.d.¨
.e.ë.=¨¬.]P?R&P.ú......
..".à.....
Cookie: mstshash=go0n.
<---SNIP---->
Cookie? Not sure what that is for.
This also sent the computer name in clear text.
mstshash? I'm not sure what this is either; I'm guessing it stands for "Microsoft Terminal Services Hash". Does it base 
its hash off of the remote user's username?

Packet #3
<----SNIP---->
.........\.RSA1H
<----SNIP---->
This is also sent; MS uses RSA's RC4 encryption. Not that it seems it would pose a threat, I just thought it was 
interesting.


The first two packets are the ones I'm most concerned about. Instead of getting remote usernames via the NetBIOS protocol, 
people can now get the remote computer name via the RDP protocol.

The first packet contains the Product ID number; what this means is a remote attacker can find out exactly what the 
remote system is running, the most accurate way of remote OS detection for the latest Windows versions that deploy the 
RDP protocol.

-- 
_______________________________________________
Get your free email from http://sunos.com
Powered by Instant Portal

