Vulnerability Development mailing list archives

Re: Bugs? in Microsoft RDP protocol, & Questions.


From: "Patrick Chambet" <patrick.chambet () edelweb fr>
Date: Fri, 18 Jan 2002 15:43:37 +0100

The data sent over the network doesn't seem to depend on the security
level you have configured on your Terminal Server: the data is sent
before the encrypted phase begins (before the session key negotiation).

You can see in clear text the client name and the server license ID root
(52310-005-2479922-00001 instead of 52310-005-2479922-04749 for
example), but also the server domain, the server name and the server IP
address after the "ncacn_np:" named pipe keyword:

ncacn_np:194.41.26.111

You can also observe some data that look like a public key exchange.

For more information about exchanged data, you can try to get the
Microsoft RDP specification document. This document isn't public and I
don't have it yet: see
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/rdpspec.asp

Or you can look at the rdesktop source code:
http://www.rdesktop.org

___________________________________________
Patrick Chambet - MCP
IT Security Consulting
EdelWeb - ON-X Consulting Group
http://www.edelweb.fr - http://www.on-x.com


----- Original Message -----
From: "Pybus, David" <DPybus () colt-telecom com>


What security level have you set the terminal server to? If it is set to
low it will be sending back a lot more than just its machine name
unencrypted.

Normally you wouldn't expose Terminal Services to the net, so exposing
things like a machine name is no worse than in the NetBIOS situation you
mentioned. More importantly, when exposing a TS machine to the net, by
default you give anyone who can connect the opportunity to brute force the
local administrator account. This has to be prevented by configuring
Terminal Services not to allow the local admin account to log on, and
using other accounts instead which can be configured to lock after three
failed attempts, or whatever else your policy dictates.

Also, something I have never seen anything about anywhere is how Terminal
Services implements its key generation/exchange. As there is no indication
that any type of asymmetric authentication occurs, it seems reasonable to
assume that Terminal Services is also probably vulnerable to man in the
middle attacks.

Food for thought,
David Pybus
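
As an added worked example (not part of either post, and not code from rdesktop or from Microsoft), the Python below scans the bytes a client and server exchange before the RDP session key negotiation for the cleartext items the thread points out: the server license ID root (the form ending in -00001 rather than, say, -04749), the server domain, server name and server IP following the "ncacn_np:" named-pipe keyword, and the client name. The two sample buffers are constructed, not captured traffic; their framing bytes, NUL terminators, the domain and server names, and the UTF-16LE encoding of the client name are assumptions, not something the thread states.

```python
import re

# Constructed sample buffers: stand-ins for the cleartext bytes exchanged
# before the RDP session key negotiation. NOT a real capture; the framing
# bytes, NUL terminators, names and UTF-16LE client name are assumptions.
SAMPLE_CLIENT_TO_SERVER = (
    b"\x03\x00\x00\x13"                    # assumed framing (non-printable)
    + "WORKSTN01".encode("utf-16-le")      # client name, assumed UTF-16LE
    + b"\x00" * 8                          # padding
)
SAMPLE_SERVER_TO_CLIENT = (
    b"\x03\x00\x00\x13"                    # assumed framing (non-printable)
    + b"52310-005-2479922-00001\x00"       # license ID root, value from the thread
    + b"EDELWEB\x00TSRV01\x00"             # server domain and name (assumed values)
    + b"ncacn_np:194.41.26.111\x00"        # named-pipe keyword + server IP, from the thread
)

LICENSE_ID_RE = re.compile(rb"\d{5}-\d{3}-\d{7}-\d{5}")          # NNNNN-NNN-NNNNNNN-NNNNN
NCACN_NP_RE = re.compile(rb"ncacn_np:([0-9A-Za-z._\\-]+)")       # host or IP after the keyword
ASCII_RUN_RE = re.compile(rb"[\x20-\x7e]{4,}")                    # printable ASCII runs
UTF16LE_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")          # printable UTF-16LE runs


def ascii_strings(buf: bytes) -> list:
    """Printable ASCII runs of four or more bytes."""
    return [m.decode("ascii") for m in ASCII_RUN_RE.findall(buf)]


def utf16le_strings(buf: bytes) -> list:
    """Printable UTF-16LE runs of four or more characters (assumed client-name encoding)."""
    return [m.decode("utf-16-le") for m in UTF16LE_RUN_RE.findall(buf)]


def is_license_root(license_id: str) -> bool:
    """The thread notes the root form ends in -00001 (e.g. ...-00001 instead of ...-04749)."""
    return license_id.endswith("-00001")


def extract_cleartext_metadata(buf: bytes) -> dict:
    """Pull the cleartext items the thread describes out of a pre-encryption buffer."""
    return {
        "license_ids": [m.decode("ascii") for m in LICENSE_ID_RE.findall(buf)],
        "named_pipe_hosts": [m.decode("ascii") for m in NCACN_NP_RE.findall(buf)],
        "strings": ascii_strings(buf) + utf16le_strings(buf),
    }


def leak_report(buf: bytes, direction: str) -> list:
    """One human-readable finding per leaked item, suitable for a detection log."""
    meta = extract_cleartext_metadata(buf)
    lines = []
    for lic in meta["license_ids"]:
        kind = "license ID root" if is_license_root(lic) else "license ID"
        lines.append(f"{direction}: cleartext {kind} {lic}")
    for host in meta["named_pipe_hosts"]:
        lines.append(f"{direction}: cleartext named-pipe target ncacn_np:{host}")
    for s in meta["strings"]:
        # Items already reported above are not repeated as generic strings.
        if s not in meta["license_ids"] and not s.startswith("ncacn_np:"):
            lines.append(f"{direction}: cleartext string {s!r}")
    return lines


if __name__ == "__main__":
    for direction, buf in (("client->server", SAMPLE_CLIENT_TO_SERVER),
                           ("server->client", SAMPLE_SERVER_TO_CLIENT)):
        for line in leak_report(buf, direction):
            print(line)
```

Run against a real capture, feed `leak_report` the payload bytes of the first few packets of an RDP connection; anything it reports was readable by anyone on the path, regardless of the encryption level configured on the server.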


