|
Full Disclosure
mailing list archives
Re: Terminal Server vulnerabilities
From: "Nicolas RUFF (lists)" <ruff.lists () edelweb fr>
Date: Thu, 27 Jan 2005 09:00:39 +0100
Hello,
I agree with everyone that TS is prone to MiTM attacks, since there is
no server authentication at all.
Have a look at RDESKTOP sources and you will see a plaintext key
exchange at the beginning of the TS session. I suspect this key is
related to the L$HYDRAENCKEY_xxx LSA secret. Building a transparent "RDP
proxy" with on-the-fly decryption seems feasible.
And don't even think on using the "encryption : low" setting !
But I would point out something much more important : there are many
more local exploits than remote (on Windows just like any other OS).
Local exploits : about 1-2 a month
* POSIX - OS/2 subsystem exploitation
* Debugging subsystem exploitation (DebPloit)
* 16-bit subsystem exploitation (NTVDM)
* Shatter Attacks
* Etc.
Remote exploits : about once a year
* RPC/DCOM (blaster)
* LSASS (sasser)
Basically, if you are logged in as an unpriviledged user on a Terminal
Server, you can easily become SYSTEM. If this Terminal Server is also a
Domain Controller, game over.
Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail: nicolas.ruff (at) edelweb.fr
-----------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 By Date 
By Thread
Current thread:
- RE: [lists] Terminal Server vulnerabilities, (continued)
Re: [lists] Terminal Server vulnerabilities Jonathan Rickman (Jan 26)
Re: Terminal Server vulnerabilities Nicolas RUFF (lists) (Jan 27)
Re: Terminal Server vulnerabilities Daniel H. Renner (Jan 24)
RE: Re: Terminal Server vulnerabilities Mark Senior (Jan 25)
|
Intro
