Penetration Testing mailing list archives
RE: RE: Microsoft RDP Priv. Escalation
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Wed, 9 Apr 2008 12:08:11 -0700
"Alternate Shell" simply launches a program on connect within the context of the logged on user. It's the exact same thing as going to the "Programs" tab of mstsc and checking "Start the following program on connection." There is no privilege escalation - the app runs in the context of the user specified. It's as simple as that. This doesn't "get around" any permissions. You can't "execute programs you normally couldn't execute." If you are executing programs, then you have the permission to do so.

t

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Yousif () Vapt-Sec com
Sent: Tuesday, April 08, 2008 8:04 PM
To: pen-test () securityfocus com
Subject: Re: RE: Microsoft RDP Priv. Escalation

Thor - Did you consider trying this out or did you merely read? Uploading .RDP files for direct access via the web is obviously wrong, but that's beyond the point of this entire insecurity, and you my friend are not comprehending it. The information about the insecurity isn't illegal as I did not use valid information from any .RDP connection file. The cmd.exe thing is simply an example. Other applications that wouldn't normally execute can be executed with this as well. The escalation is the ability to run applications you shouldn't be able to with such an account. It's under the privileges of the user, but the idea is, those privileges don't allow you to execute certain programs. Through that, you can.
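
Added example, not part of the original thread or written by either poster: a Python audit helper that reads a .rdp file and reports the `alternate shell` setting discussed above, which is the file-format counterpart of the "Start the following program on connection" checkbox. The function names and the sample file contents (host name, paths) are constructed for illustration.

```python
import codecs

# .rdp settings that start a program at logon in place of the desktop.
START_PROGRAM_KEYS = {"alternate shell", "shell working directory"}

def decode_rdp(raw: bytes) -> str:
    """mstsc typically saves UTF-16 with a BOM; hand-edited files are often UTF-8/ANSI."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines (type s = string, i = integer, b = binary)."""
    settings = {}
    for line in text.splitlines():
        # Split on the first two colons only: values such as C:\... contain colons.
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            name, kind, value = parts
            settings[name.strip().lower()] = (kind.strip().lower(), value.strip())
    return settings

def start_program_findings(raw: bytes) -> dict:
    """Return the non-empty start-program settings found in one .rdp file."""
    return {
        name: value
        for name, (kind, value) in parse_rdp(decode_rdp(raw)).items()
        if name in START_PROGRAM_KEYS and kind == "s" and value
    }

# Constructed sample file contents (host name and paths are made up).
SAMPLE_TEXT = (
    "full address:s:ts01.example.test\r\n"
    "alternate shell:s:C:\\Windows\\System32\\cmd.exe\r\n"
    "shell working directory:s:C:\\Windows\\System32\r\n"
)
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + SAMPLE_TEXT.encode("utf-16-le")
SAMPLE_PLAIN = b"full address:s:ts01.example.test\r\nalternate shell:s:\r\n"

if __name__ == "__main__":
    for label, raw in (("utf16", SAMPLE_UTF16), ("plain", SAMPLE_PLAIN)):
        print(label, start_program_findings(raw) or "no start program set")
```

A finding here only shows that the file asks for a program to be launched on connect; whether that program may run is still decided by the permissions of the account that logs on.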
