Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

pen-test logo Penetration Testing mailing list archives

RE: RE: Microsoft RDP Priv. Escalation
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Wed, 9 Apr 2008 12:08:11 -0700
"Alternate Shell" simply launches a program on connect within the
context of the logged on user.  It's the exact same thing as going to
the "Programs" tab of mstsc and checking "Start the following program on
connection."  There is no privileged escalation - the app runs in the
context of the user specified.  It's a simple as that.

This doesn't "get around" any permissions.  You can't "execute programs
you normally couldn't execute."  If you are executing programs, then you
have the permission to do so.

t


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Yousif () Vapt-Sec com
Sent: Tuesday, April 08, 2008 8:04 PM
To: pen-test () securityfocus com
Subject: Re: RE: Microsoft RDP Priv. Escalation

Thor - Did you consider trying this out or did you merely read?
Uploading .RDP files for direct access via the web is obviously wrong,
but that's beyond the point of this entire insecurity, and you my
friend are not comprehending it. The information about the insecurity
isn't illegal as I did not use valid information from any .RDP
connection file. The cmd.exe thing is simply an example. Other
applications that wouldn't normally execute can be executed with this
as well. The escalation is the ability to run applications you
shouldn't be able to with such an account. It's under the privileges

of

the user, but the idea is, those privileges don't allow you to execute
certain programs. Through that, you can.



-----------------------------------------------------------------------

-
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads


-----------------------------------------------------------------------

-



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]