RE: Re: Microsoft RDP Priv. Escalation



So, let me see if I get this right:

You're "unsure" of what the admin may or may not have done regarding
permissions or rights, yet you have no problem with publishing a
"vulnerability in the rdp protocol" touting "privilege escalation"
complete with a trite photo of Bill Gates "praying?"

You are in fact, and by your own admission, "guessing" about what type
of account is used?? This is simply ridiculous.

Sir, may I suggest in the future that you use these forums to first
"learn" what you need to know before immediately posting and publishing
"vulnerability" information regarding technologies that you obviously
don't understand. It's not just that you embarrass yourself, but more
importantly, this type of irresponsible posting only serves to distract
and confuse those who may trust that you are qualified to advise them of
RDP security issues. Did you even bother sending off a note to
secure@microsoft first?

For those of you following along, here's all you have to do to test
this: Log on to the RDP host and set "deny rx" on notepad.exe. Using
MSTSC, select "start program on connect" and use, say, calc.exe. Log on
- you'll see "calc" run. Perfect. Now do the same thing but use
"notepad.exe" instead, then log on again - oops! "Access denied." You
can also just save the .rdp file and edit "alternate shell," but it will
do the same thing.

Improperly deployed/secured Terminal Services/Remote Desktop solutions
can indeed introduce serious security issues into your infrastructure.
That's why it is important to do your research before deploying them.
But as a researcher dispensing information on security, it is even more
important for you to perform your technical due diligence in a
professional manner before posting vulnerabilities based on things you
are "unsure" of or "guessing" about. Sorry to sound rude, but things
are hard enough already without adding more FUD.

t

-----------
Check out Tim Mullen's "Microsoft Ninjitsu" training at Blackhat Vegas
2008!
There are also some other great NGS classes available led by
world-class researchers and trainers.
http://www.blackhat.com/html/bh-usa-08/train-bh-usa-08-tm-ms-bbe.html





-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Yousif@xxxxxxxxxxxx
Sent: Sunday, April 13, 2008 9:06 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Re: Microsoft RDP Priv. Escalation

Memet - Alright, how the admin went about disabling access to that
file, I'm unsure, my guess is, I was using a very limited user account,
and limited meaning, the way Windows limits "those" kind of accounts.
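
The test described in the reply above, scripted as an added example that is not part of the original thread: the `Host` role applies the "deny rx" entry with `icacls`, and the `Client` role writes one .rdp file per program using the "alternate shell" setting. The host name, account name, output directory and the `New-RdpTestFile` helper are assumptions made for illustration.

```powershell
# Added example. Host, account and directory values are placeholders (assumptions).
param(
    [ValidateSet('Host', 'Client')] [string]$Role = 'Client',
    [string]$RdpHost   = 'rdphost.example.test',
    [string]$TestUser  = 'EXAMPLE\limiteduser',
    [string]$DeniedExe = "$env:SystemRoot\System32\notepad.exe",
    [string]$OutDir    = (Join-Path $env:TEMP 'rdp-acl-test')
)

function New-RdpTestFile {
    param([string]$Path, [string]$Server, [string]$Program)
    # .rdp files are "name:type:value" lines. "alternate shell" is the setting
    # the message says can be edited instead of using the MSTSC dialog.
    $lines = @(
        "full address:s:$Server"
        "alternate shell:s:$Program"
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

if ($Role -eq 'Host') {
    # Run elevated on the RDP host: add a deny ACE for read and execute ("deny rx").
    # Assumption: the caller is allowed to change this file's DACL.
    icacls $DeniedExe /deny "${TestUser}:(RX)"
    if ($LASTEXITCODE -ne 0) { throw "icacls could not update the ACL on $DeniedExe" }

    # Print the resulting ACL so the deny entry for the test account can be confirmed.
    icacls $DeniedExe

    # Undo after the test with: icacls $DeniedExe /remove:d $TestUser
}
else {
    # Client side: a control file (calc.exe) and a file naming the denied program.
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $control = New-RdpTestFile -Path (Join-Path $OutDir 'control-calc.rdp') `
                               -Server $RdpHost -Program 'calc.exe'
    $denied  = New-RdpTestFile -Path (Join-Path $OutDir 'denied-notepad.rdp') `
                               -Server $RdpHost -Program 'notepad.exe'

    Write-Output "Open each file with mstsc.exe and log on as $TestUser."
    Write-Output "Result stated in the message: $control runs calc,"
    Write-Output "while $denied ends in 'Access denied'."
}
```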
