Full Disclosure mailing list archives

RE:XP Remote Desktop Remote Activation
From: "RandallM" <randallm () fidmail com>
Date: Sat, 2 Oct 2004 12:56:24 -0500

Would access to a command shell be accomplished via the recent ZoneID hole if
such Administration password access is not available? Or perhaps even with
the launching of the MS04-028 exploit? Of course any Terminal usage on home PCs
is noticed because users are locked out. Now terminal servers are a different
story, but user intervention is still needed.

thank you
Randall M

<|>Message: 3
<|>Date: Fri, 1 Oct 2004 23:50:45 -0500
<|>From: Fixer <fixer907 () gmail com>
<|>Reply-To: Fixer <fixer907 () gmail com>
<|>To: full-disclosure () lists netsys com
<|>Subject: [Full-disclosure] XP Remote Desktop Remote Activation
<|>Content-Type: text/plain; charset=US-ASCII
<|>Content-Transfer-Encoding: 7bit
<|>Content-Disposition: inline
<|>XP Remote Desktop Remote Activation
<|>Windows XP Professional provides a service called Remote Desktop,
<|>which allows a user to remotely control the desktop as if he or she
<|>were in front of the system locally (a la VNC, pcAnywhere, etc.).
<|>By default, Remote Desktop is shipped with this service turned off and
<|>only the Administrator is allowed access to this service.  It is
<|>possible, however, to modify a series of registry keys that may allow
<|>a malicious user who has already gained a command shell to activate
<|>Remote Desktop and add a user they have created for themselves, as well
<|>as to hide that user so that it will not show up as a user in the
<|>Remote Desktop user list.  The instructions for this are attached.
<|>Additionally, I have listed a sample .reg file of the type that is
<|>discussed in the instructions below.


<|>Message: 6
<|>From: "Dominick Baier" <seclists () leastprivilege com>
<|>To: "'Fixer'" <fixer907 () gmail com>, 
<|><full-disclosure () lists netsys com>
<|>Subject: RE: [Full-disclosure] XP Remote Desktop Remote Activation
<|>Date: Sat, 2 Oct 2004 17:43:11 +0200
<|>If you have an administrator password for the machine, you can just use WMIC
<|>to turn remote desktop on.
<|>wmic /NODE:Server /USER:administrator RDTOGGLE WHERE CALL SetAllowTSConnections 1
<|>End of Full-Disclosure Digest

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
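As an added defender-side check (not code from this thread or from either poster), the following PowerShell audit reads the same Remote Desktop setting that the quoted WMIC command toggles, checks the registry value behind it, and lists the local accounts that could use it, so a remote activation or an added account of the kind Message 3 describes stands out. `Test-RemoteDesktopExposure` and the `$ExpectedUsers` baseline are my own names and assumptions; it assumes an elevated Windows PowerShell 5.1 session on the host being audited.

```powershell
# Added audit example, not part of the original thread. Read-only: reports whether
# Remote Desktop is enabled and which local accounts could use it.
function Test-RemoteDesktopExposure {
    param(
        # Constructed baseline of accounts expected on a stock host; adjust per machine.
        [string[]]$ExpectedUsers = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')
    )
    $findings = @()

    # 1. Same setting the quoted WMIC one-liner changes: Win32_TerminalServiceSetting.AllowTSConnections
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                          -ClassName Win32_TerminalServiceSetting -ErrorAction Stop
    if ($ts.AllowTSConnections -eq 1) {
        $findings += [pscustomobject]@{ Check = 'WMI AllowTSConnections'; Detail = 'Remote Desktop connections are allowed' }
    }

    # 2. Registry value behind that setting; 0 means connections are allowed
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -eq 0) {
        $findings += [pscustomobject]@{ Check = 'fDenyTSConnections'; Detail = "$key\fDenyTSConnections = 0" }
    }

    # 3. Local accounts outside the baseline (Message 3 describes an attacker adding one)
    foreach ($u in Get-LocalUser) {
        if ($ExpectedUsers -notcontains $u.Name) {
            $findings += [pscustomobject]@{
                Check  = 'Unexpected local account'
                Detail = "$($u.Name) (Enabled=$($u.Enabled), LastLogon=$($u.LastLogon))"
            }
        }
    }

    # 4. Who can actually connect: Remote Desktop Users (S-1-5-32-555) and Administrators (S-1-5-32-544).
    #    Well-known SIDs are used so the check works regardless of the OS display language.
    foreach ($sid in 'S-1-5-32-555', 'S-1-5-32-544') {
        foreach ($m in Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue) {
            $findings += [pscustomobject]@{ Check = "Member of $sid"; Detail = "$($m.Name) [$($m.ObjectClass)]" }
        }
    }
    return $findings
}

Test-RemoteDesktopExposure | Format-Table -AutoSize
```

Run it periodically or from a scheduled task and diff the output against a known-good run; a new 'Unexpected local account' or 'AllowTSConnections' line on a host that should not offer Remote Desktop is what to alert on.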
