Full Disclosure: Re: Terminal Server vulnerabilities

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Re: Terminal Server vulnerabilities

From: Valdis.Kletnieks () vt edu
Date: Thu, 27 Jan 2005 10:50:54 -0500

On Thu, 27 Jan 2005 09:00:39 +0100, "Nicolas RUFF (lists)" said:

But I would point out something much more important : there are many
more local exploits than remote (on Windows just like any other OS).

Local exploits : about 1-2 a month
* POSIX - OS/2 subsystem exploitation
* Debugging subsystem exploitation (DebPloit)
* 16-bit subsystem exploitation (NTVDM)
* Shatter Attacks
* Etc.

Remote exploits : about once a year
* RPC/DCOM (blaster)
* LSASS (sasser)

Basically, if you are logged in as an unpriviledged user on a Terminal
Server, you can easily become SYSTEM. If this Terminal Server is also a 
Domain Controller, game over.


You forgot one important factor - the use of IE and Outlook for the fast
direct-to-customer delivery of local exploits.  Which *also* results in
a Game Over....

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

By Date By Thread

Current thread:

Re: [lists] Terminal Server vulnerabilities, (continued)
- Re: Terminal Server vulnerabilities Nicolas RUFF (lists) (Jan 27)
  - Re: Terminal Server vulnerabilities Valdis . Kletnieks (Jan 27)
- Re: Terminal Server vulnerabilities Daniel H. Renner (Jan 24)
  - RE: Re: Terminal Server vulnerabilities Larry Seltzer (Jan 25)
  - Re: Terminal Server vulnerabilities offtopic (Jan 25)
- RE: Re: Terminal Server vulnerabilities Mark Senior (Jan 25)
  - RE: Re: Terminal Server vulnerabilities Larry Seltzer (Jan 25)