Thank you for your comment. What I was referring to as being scary is that if you create a locked-down group policy that is tighter than a duck's bum and you forget that single tick (I admit I didn't know of that option and I bet lots of other people didn't know about it), you leave your system to total pwnage!! It's simple mistakes like that which compromise systems.
If I had found this before the MS10-015 patch was released I could have downloaded that exploit and gained system-level permission, so no user-based permission or access control would have stopped me.

On Fri, Mar 26, 2010 at 2:13 PM, Thor (Hammer of God) <[email protected]> wrote:

> There’s nothing “scary” about it. I believe you are incorrectly asserting that the inclusion of the “start the following program on connection” has something to do with “locking down the server” and/or “only allow(ing) users who connect to your server to run certain applications.” I would suggest that you study up on what RDP is and how it works before posting things like this.
>
> Consider “locking down RDP” a process similar to “locking down a local host.” Use permissions and other host/OS based controls to secure what a user can and can’t do on a host.
>
> t
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* wicked clown
> *Sent:* Friday, March 26, 2010 3:33 AM
> *To:* [email protected]
> *Subject:* Re: [Full-disclosure] Possible RDP vulnerability
>
> Cheers for that,
>
> I take it back that I haven't found a vulnerability :(, but by default this isn't enabled, which is scary !!
>
> On Fri, Mar 26, 2010 at 9:57 AM, Mr. Hinky Dink <[email protected]> wrote:
>
> > There is a section in RDP-Tcp Properties on the server under "Environment" for "Do not allow an initial program to be launched. Always show the desktop".
> >
> > ----- Original Message -----
> > *From:* wicked clown <[email protected]>
> > *To:* [email protected]
> > *Sent:* Friday, March 26, 2010 5:04 AM
> > *Subject:* [Full-disclosure] Possible RDP vulnerability
> >
> > Hi Guys,
> >
> > I think I possibly may have found a vulnerability with using RDP / Terminal Services on Windows 2003.
> >
> > If you lock down a server and only allow users who connect to your RDP connection to run certain applications, users can bypass this and run ANY application they want. You can do this by modifying the RDP profile / shortcut and adding your application to the alternate shell and the shell working directory.
> >
> > When the user now connects to the RDP server the banned application will execute upon logging on, even though the user isn’t allowed to execute the application if the user logs on normally. This doesn’t work with cmd.exe, but I have been able to execute Internet Explorer, download a modified cmd version, modify the RDP profile to execute the new cmd, and it works like a charm.
> >
> > I have only been able to test this on Windows 2003 using a local policy and it works like a treat. Even in the wild!
> >
> > I have done a quick basic video which can be seen here:
> >
> > http://www.tombstone-bbs.co.uk/v1d30z/rdp-hack2.swf
> >
> > Instead of modifying the RDP profile, I just added my application to the program tab.. I know the video is crappy but it’s just meant to give you an idea what I am talking about :)
> >
> > So in short, if anybody can access your server via RDP they are NOT restricted by the policy. I would be interested in any feedback about this possible exploit / vulnerability even if you don’t think it is.. or even better if someone knows how to defend against it!! LOL! :)
> >
> > Cheers
> >
> > Wicked Clown.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
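The behaviour discussed in the thread hinges on the client's .rdp profile asking the server for an initial program via the "alternate shell" and "shell working directory" settings. As an added example (not code from anyone in the thread), the following parses the name:type:value lines of an .rdp file and flags those two settings, so an administrator can audit saved profiles that would request an initial program on connect; the sample profile and paths are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample .rdp profile: a client asking the server to start a
# program of its choosing instead of the normal desktop shell.
SAMPLE_RDP = """\
full address:s:ts01.example.local
username:s:contractor
alternate shell:s:C:\\Users\\Public\\cmd2.exe
shell working directory:s:C:\\Users\\Public
screen mode id:i:2
"""

# The two settings that request a client-chosen initial program.
INITIAL_PROGRAM_KEYS = ("alternate shell", "shell working directory")


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse .rdp 'name:type:value' lines into {name: (type, value)}.

    Only the first two ':' separate fields; the value keeps any further
    colons (e.g. the drive letter in a Windows path).
    """
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue  # not a well-formed setting line; ignore it
        name, kind, value = parts
        settings[name.strip().lower()] = (kind, value)
    return settings


def initial_program_findings(text: str) -> List[Tuple[str, str]]:
    """Return (setting, value) pairs that would launch an initial program."""
    settings = parse_rdp(text)
    return [
        (key, settings[key][1])
        for key in INITIAL_PROGRAM_KEYS
        if key in settings and settings[key][1]
    ]


if __name__ == "__main__":
    for setting, value in initial_program_findings(SAMPLE_RDP):
        print(f"initial program requested via '{setting}': {value}")
```

Profiles with no such settings produce an empty list; a non-empty list is worth reviewing against the server's "Do not allow an initial program to be launched" setting mentioned in the thread.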
