Vulnerability Development mailing list archives

RE: Bugs? in Microsoft RDP protocol, & Questions.


From: "Dom De Vitto" <Dom () DeVitto com>
Date: Thu, 17 Jan 2002 20:24:31 -0000

Agreed, but it's information leakage at best, giving a sniffer
a good starting place for leveraging a known username on the TS,
and quite possibly the client (as they are often the same across
domains and even OSes).

Dom

 |-----Original Message-----
 |From: Pybus, David [mailto:DPybus () colt-telecom com] 
 |Sent: Wednesday, January 16, 2002 12:05 PM
 |To: 's1gnal_9 '; vuln-dev () securityfocus com; bugtraq () securityfocus com
 |Subject: RE: Bugs? in Microsoft RDP protocol, & Questions.
 |
 |
 |What security level have you set the terminal server to? If 
 |it is set to low it will be sending back a lot more than just 
 |its machine name unencrypted.
 |
 |Normally you wouldn't expose Terminal Services to the net, so 
 |exposing things like a machine name is no worse than in the 
 |NetBios situation you mentioned. More importantly, when 
 |exposing a TS machine to the net by default you give anyone 
 |who can connect the opportunity to brute force the local 
 |administrator account. This has to be prevented by configuring 
 |Terminal Services not to allow the local admin account to log on 
 |and using other accounts instead, which can be configured to 
 |lock after three failed attempts, or whatever else your policy 
 |dictates.
 |
 |Also, something I have never seen anything about anywhere is 
 |how Terminal Services implements its key generation/exchange. 
 |As there is no indication that any type of asymmetric 
 |authentication occurs, it seems reasonable to assume that 
 |Terminal Services is also probably vulnerable to man in the 
 |middle attacks.
 |
 |Food for thought,
 |David Pybus
 |
 |-----Original Message-----
 |From: s1gnal_9 [mailto:s1gnal_9 () sunos com]
 |Sent: 15 January 2002 03:41
 |To: vuln-dev () securityfocus com; bugtraq () securityfocus com
 |Subject: Bugs? in Microsoft RDP protocol, & Questions.
 |
 |
 |Today I was doing some research on the RDP protocol on my 
 |network; I used 2 Windows XP machines. During the 
 |authentication process, when MACHINE1 connects to MACHINE2, I 
 |found 3 interesting packets.
 |
 |Packet #1
 |<----SNIP---->
 |G.O.0.N................  
 |<----SNIP---->
 |Above was sent via the system we connect to; go0n is the name 
 |of that computer, so the computer name is sent unencrypted.
 |
 |<----SNIP---->
 |.......5.5.2.7.4.-.6.4.  
 |0.-.0.0.0.0.4.5.1.-.4.3  
 |.0.3.9.................  
 |<----SNIP---->
 |In this tidbit, the remote system also sent the product ID of 
 |the remote operating system, in clear text.
 |
 |
 |Packet #2
 |<----SNIP---->
 |.P"@.2..      
 |.4G..E..J..@.EUR..?.¨.d.¨
 |.e.ë.=¨¬.]P?R&P.ú......
 |..".à.....
 |Cookie: mstshash=go0n.
 |<---SNIP---->
 |Cookie? Not sure what that is for.
 |This also sent the computer name in clear text.
 |mstshash? I'm not sure what this is either; I'm guessing it 
 |stands for "Microsoft Terminal Services Hash". Does it base 
 |its hash off of the remote user's username?
 |
 |Packet #3
 |<----SNIP---->
 |.........\.RSA1H
 |<----SNIP---->
 |This is also sent; MS uses RSA's RC4 encryption. Not that it 
 |seems it would pose a threat, I just thought it was interesting.
 |
 |
 |The first two packets are the ones I'm most concerned about.  
 |Instead of getting remote usernames via the NetBIOS protocol, 
 |people can now get the remote computer name via the RDP protocol.
 |
 |The first packet contains the Product ID number. What this 
 |means is a remote attacker can find out exactly what the remote 
 |system is running; this is the most accurate way of remote OS 
 |detection for the latest Windows versions that deploy the RDP 
 |protocol.
 |
 |-- 
 |_______________________________________________
 |Get your free email from http://sunos.com
 |Powered by Instant Portal
 |
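The thread turns on two observations a defender can verify in a capture: the first packet an RDP client sends carries a cleartext identifier in a `Cookie: mstshash=` field, and the dotted strings in the hexdumps (`5.5.2.7.4.-.6.4.0...`) are UTF-16LE text. The following Python is an added example written for this page, not code from any poster or from Microsoft. It builds constructed sample packets following the public X.224 Connection Request layout (TPKT header, X.224 CR TPDU, optional cookie, optional rdpNegReq as documented in MS-RDPBCGR 2.2.1.1), parses them back, reports what a passive observer learns, and recovers UTF-16LE strings from a constructed server-side byte buffer. The rdpNegReq check is a present-day addition: clients that request TLS or CredSSP/NLA address the man-in-the-middle and pre-authentication exposure David Pybus raised, which legacy RDP security did not. Function names, the `assess` findings text and all sample bytes are this example's own.

```python
"""Parse the RDP X.224 Connection Request and recover UTF-16LE strings.

Added example for the vuln-dev thread; packet layout per MS-RDPBCGR 2.2.1.1.
All sample packets and buffers below are constructed, not captured.
"""
import re
import struct
from typing import List, Optional

# rdpNegReq requestedProtocols flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # legacy "Standard RDP Security" only
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication
TYPE_RDP_NEG_REQ = 0x01


def build_connection_request(cookie: Optional[bytes], protocols: Optional[int]) -> bytes:
    """Construct TPKT + X.224 Connection Request sample bytes (constructed data)."""
    user_data = b""
    if cookie is not None:
        user_data += b"Cookie: mstshash=" + cookie + b"\r\n"
    if protocols is not None:
        # type, flags, length (always 8), requestedProtocols; little-endian
        user_data += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, protocols)
    # CR TPDU: code 0xE0, DST-REF, SRC-REF, class option, then user data
    tpdu = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + user_data
    x224 = bytes([len(tpdu)]) + tpdu                  # LI counts bytes after itself
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224


def parse_connection_request(pkt: bytes) -> dict:
    """Parse the first packet an RDP client sends; raise ValueError if malformed."""
    if len(pkt) < 11 or pkt[:2] != b"\x03\x00":
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", pkt[2:4])
    if tpkt_len != len(pkt):
        raise ValueError("TPKT length does not match packet length")
    li = pkt[4]
    if 5 + li != len(pkt) or pkt[5] != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    body = pkt[11:5 + li]
    info = {"cookie": None, "routing_token": None, "requested_protocols": None}
    # The cookie (or a load-balancer routing token) is CR LF terminated.
    m = re.match(rb"Cookie: mstshash=([^\r\n]*)\r\n", body)
    if m:
        info["cookie"] = m.group(1).decode("ascii", "replace")
        body = body[m.end():]
    elif b"\r\n" in body:
        token, _, body = body.partition(b"\r\n")
        info["routing_token"] = token
    # Optional rdpNegReq follows; absent on pre-TLS clients like the 2002 ones.
    if len(body) >= 8 and body[0] == TYPE_RDP_NEG_REQ:
        _, _flags, length, protocols = struct.unpack("<BBHI", body[:8])
        if length == 8:
            info["requested_protocols"] = protocols
    return info


def assess(pkt: bytes) -> List[str]:
    """Defender-side findings for one captured connection request (example wording)."""
    info = parse_connection_request(pkt)
    findings = []
    if info["cookie"] is not None:
        findings.append(f"cleartext identifier in mstshash cookie: {info['cookie']!r}")
    proto = info["requested_protocols"]
    if proto is None or proto == PROTOCOL_RDP:
        findings.append("no TLS/NLA requested: session would use legacy RDP security")
    elif not proto & PROTOCOL_HYBRID:
        findings.append("TLS requested without NLA: logon screen exposed before authentication")
    return findings


def find_utf16le_strings(blob: bytes, min_chars: int = 4) -> List[str]:
    """Recover UTF-16LE text; a byte-per-column dump shows it as '5.5.2.7.4.'."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, blob)]


# Constructed server-side buffer mimicking the dotted strings quoted in the post.
SERVER_SAMPLE = (b"\x00\x01\x02" + "GO0N".encode("utf-16-le") + b"\x00\x00"
                 + "55274-640-0000451-43039".encode("utf-16-le") + b"\x00\x00\x03")

if __name__ == "__main__":
    legacy = build_connection_request(b"go0n", None)
    modern = build_connection_request(b"go0n", PROTOCOL_SSL | PROTOCOL_HYBRID)
    for name, pkt in (("legacy client", legacy), ("NLA client", modern)):
        print(name, parse_connection_request(pkt), assess(pkt))
    print(find_utf16le_strings(SERVER_SAMPLE))
```

Run as a script it prints the parsed fields and findings for a legacy client and for a client requesting TLS plus NLA, then the two UTF-16LE strings recovered from the constructed buffer. Applied to real traffic, the same parser run over the first TPKT segment of each inbound TCP/3389 connection gives an inventory of which clients still negotiate legacy RDP security, which is the condition under which the leakage and MITM concerns in this thread apply in full.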