Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-Disclosure] Terminal Server vulnerabilities

from [Nicolas RUFF (lists)] Network Security [Permanent Link]
Subject: Re: [Full-Disclosure] Terminal Server vulnerabilities
Date: Thu, 27 Jan 2005 09:00:39 +0100 
        Hello,

I agree with everyone that TS is prone to MiTM attacks, since there is no server authentication at all.

Have a look at RDESKTOP sources and you will see a plaintext key exchange at the beginning of the TS session. I suspect this key is related to the L$HYDRAENCKEY_xxx LSA secret. Building a transparent "RDP proxy" with on-the-fly decryption seems feasible.

And don't even think on using the "encryption : low" setting !


But I would point out something much more important : there are many
more local exploits than remote (on Windows just like any other OS).

Local exploits : about 1-2 a month
* POSIX - OS/2 subsystem exploitation
* Debugging subsystem exploitation (DebPloit)
* 16-bit subsystem exploitation (NTVDM)
* Shatter Attacks
* Etc.

Remote exploits : about once a year
* RPC/DCOM (blaster)
* LSASS (sasser)

Basically, if you are logged in as an unpriviledged user on a Terminal
Server, you can easily become SYSTEM. If this Terminal Server is also a Domain Controller, game over.

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail: nicolas.ruff (at) edelweb.fr
-----------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-Disclosure] spoolcll.exe - new worm being distributed via mysql vulnerability?, Mike Bailey
Next by Date:  [Full-Disclosure] Delivery by mail, Martin.pitt
Previous by Thread:  Re: [lists] [Full-Disclosure] Terminal Server vulnerabilities, Jonathan Rickman
Next by Thread:  Re: [Full-Disclosure] Terminal Server vulnerabilities, Valdis . Kletnieks
Indexes:  [Date] [Thread] [Top] [All Lists]