Cheers for that, I take it back that I haven't found an vulnerability :(, but by default this isn't enabled which is scary !!
On Fri, Mar 26, 2010 at 9:57 AM, Mr. Hinky Dink <[email protected]>wrote: > There is a section in RCP-Tcp Properties on the server under > "Environment" for "Do not allow an initial program to be launched. Always > show the desktop". > > > ----- Original Message ----- > *From:* wicked clown <[email protected]> > *To:* [email protected] > *Sent:* Friday, March 26, 2010 5:04 AM > *Subject:* [Full-disclosure] Possible RDP vulnerability > > Hi Guys, > > > > I think I possible may have found a vulnerability with using RDP / Terminal > services on windows 2003. > > > > If you lock down a server and only allow users who connect to your RDP > connection to run certain applications, users can bypass this and run ANY > application they want. You can do this by modifying the RDP profile / > shortcut and add your application to the alternate shell and the shell > working directory. > > > > When the user connects now to the RDP server the banned application will > execute upon logging on even though the user isn’t allowed to execute the > application if the user logs on normally. This doesn’t work with cmd.exe but > I have been able to execute internet explorer, down a modified cmd version, > modify the RDP profile to execute the new cmd and it works like a charm. > > > > I have only been able to tested this on windows 2003 using a local policy > and works like a treat. Even in the wild! > > > > I have done a quick basic video which can been seen here; > > http://www.tombstone-bbs.co.uk/v1d30z/rdp-hack2.swf > > > > Instead of modifying the RDP profile, I just added my application to the > program tab.. I know the video is crappy but it’s just meant to give you an > idea what I am talking about :) > > > > So in short, if anybody can access your server via RDP they are NOT > restricted by the policy. I would be interested in any feed back about this > possible exploit / vulnerability even if you don’t think it is.. or even > better if someone knows how to defend againest it!! LOL! :) > > > Cheers > > Wicked Clown. > > ------------------------------ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
