Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Possible RDP vulnerability
From: "Thor (Hammer of God)" <Thor () hammerofgod com>
Date: Fri, 26 Mar 2010 14:13:32 +0000

There's nothing "scary" about it.   I believe you are incorrectly asserting that the inclusion of the "start the 
following program on connection" has something to do with "locking down the server" and/or "only allow(ing) users who 
connect to your server to run certain applications."   I would suggest that you study up on what RDP is and how it 
works before posting things like this.

Consider "locking down RDP" a process similar to "locking down a local host."  Use permissions and other host/OS based 
controls to secure what a user can and can't do on a host.

t



From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
wicked clown
Sent: Friday, March 26, 2010 3:33 AM
To: Full-Disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Possible RDP vulnerability

Cheers for that,

I take it back that I haven't found an vulnerability :(, but by default this isn't enabled which is scary !!


On Fri, Mar 26, 2010 at 9:57 AM, Mr. Hinky Dink <dink () mrhinkydink com<mailto:dink () mrhinkydink com>> wrote:
There is a section in RCP-Tcp Properties on the server under "Environment" for "Do not allow an initial program to be 
launched.  Always show the desktop".

----- Original Message -----
From: wicked clown<mailto:wickedclownuk () googlemail com>
To: Full-Disclosure () lists grok org uk<mailto:Full-Disclosure () lists grok org uk>
Sent: Friday, March 26, 2010 5:04 AM
Subject: [Full-disclosure] Possible RDP vulnerability

Hi Guys,

I think I possible may have found a vulnerability with using RDP / Terminal services on windows 2003.

If you lock down a server and only allow users who connect to your RDP connection to run certain applications, users 
can bypass this and run ANY application they want. You can do this by modifying the RDP profile / shortcut and add your 
application to the alternate shell and the shell working directory.

When the user connects now to the RDP server the banned application will execute upon logging on even though the user 
isn't allowed to execute the application if the user logs on normally. This doesn't work with cmd.exe but I have been 
able to execute internet explorer, down a modified cmd version, modify the RDP profile to execute the new cmd and it 
works like a charm.

I have only been able to tested this on windows 2003 using a local policy and works like a treat. Even in the wild!

I have done a quick basic video which can been seen here;
http://www.tombstone-bbs.co.uk/v1d30z/rdp-hack2.swf

Instead of modifying the RDP profile, I just added my application to the program tab.. I know the video is crappy but 
it's just meant to give you an idea what I am talking about :)

So in short, if anybody can access your server via RDP they are NOT restricted by the policy. I would be interested in 
any feed back about this possible exploit / vulnerability even if you don't think it is.. or even better if someone 
knows how to defend againest it!! LOL! :)

Cheers

Wicked Clown.
________________________________
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault