From: Dom De Vitto (DomDeVitto.com)
Date: Thu Jan 17 2002 - 14:24:31 CST
Agreed, but it's information leakage at best, giving a sniffer
a good starting place for leveraging a known username on the TS,
and quite possibly the client (as they are often the same across
domains and even OSes).
|From: Pybus, David [mailto:DPybuscolt-telecom.com]
|Sent: Wednesday, January 16, 2002 12:05 PM
|To: 's1gnal_9 '; vuln-devsecurityfocus.com; bugtraqsecurityfocus.com
|Subject: RE: Bugs? in Microsoft RDP protocol, & Questions.
|What security level have you set the terminal server to? If
|it is set to low it will be sending back a lot more than just
|its machine name unencrypted.
|Normally you wouldn't expose Terminal Services to the net, so
|exposing things like a machine name is no worse than in the
|NetBIOS situation you mentioned. More importantly, when
|exposing a TS machine to the net by default you give anyone
|who can connect the opportunity to brute force the local
|administrator account. This has to be prevented by configuring
|Terminal Services not to allow the local admin account to log on
|and using other accounts instead, which can be configured to
|lock after three failed attempts, or whatever else your policy
|Also, something I have never seen anything about anywhere is
|how Terminal Services implements its key generation/exchange.
|As there is no indication that any type of asymmetric
|authentication occurs, it seems reasonable to assume that
|Terminal Services are also probably vulnerable to man in the
|Food for thought,
|From: s1gnal_9 [mailto:s1gnal_9sunos.com]
|Sent: 15 January 2002 03:41
|To: vuln-devsecurityfocus.com; bugtraqsecurityfocus.com
|Subject: Bugs? in Microsoft RDP protocol, & Questions.
|Today I was doing some research on the RDP protocol on my
|network. I used 2 Windows XP machines. During the
|authentication process, when MACHINE1 connects to MACHINE2, I
|found 3 interesting packets.
|Above was sent via the system we connect to, go0n is the name
|of that computer, So the computer name is sent unencrypted.
|In this tidbit, the remote system also sent the product ID of
|the remote operating system, In clear text.
|Cookie? not sure what that is for.
|This also sent the computer name in clear text.
|mstshash? I'm not sure what this is either. I'm guessing it
|stands for "Microsoft Terminal Services Hash". Does it base
|its hash off of the remote user's username?
|This is sent also; MS uses RSA's RC4 encryption. Not that it
|seems it would pose a threat, just thought it was interesting.
|The first two packets are the ones I'm most concerned about.
|Instead of getting remote usernames via the NetBIOS protocol,
|people can now get the remote computer name via the RDP protocol.
|The first packet contains the Product ID number. What this
|means is a remote attacker can find out exactly what the remote
|system is running, the most accurate way of remote OS
|detection for the latest Windows versions that deploy the RDP
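The "Cookie: mstshash=" token the thread puzzles over is the first thing an RDP client sends: it sits in the X.224 Connection Request, before any security negotiation or RC4 keying, so it is visible to a sniffer regardless of the Terminal Server's encryption level. The example below is added here and is not code from the original posts; it builds that first packet with the layout documented in MS-RDPBCGR (TPKT header, X.224 CR header, then the cookie terminated by CRLF) and parses a constructed capture the way a passive sniffer would. The usernames in the sample capture are made up, and the builder does not reproduce any truncation a real client may apply to the name.

```python
"""Build and parse the first RDP packet (X.224 Connection Request) to show
what a passive sniffer recovers in cleartext: the mstshash cookie.

Layout (MS-RDPBCGR 2.2.1.1):
  TPKT:  03 00 <len:2>                      (4 bytes, length covers whole packet)
  X.224: <LI> E0 <dst-ref:2> <src-ref:2> <class:1>   (LI = bytes after LI)
  then:  "Cookie: mstshash=<identifier>\r\n"
The sample capture at the bottom is constructed for this example.
"""
import struct

COOKIE_PREFIX = b"Cookie: mstshash="
TPKT_HEADER_LEN = 4
X224_CR_FIXED_LEN = 6   # TPDU code + DST-REF + SRC-REF + class option


def build_connection_request(username: str) -> bytes:
    """Assemble the client's opening packet carrying a cleartext username.
    Note: Microsoft's own client may truncate the name; this builder does not."""
    cookie = COOKIE_PREFIX + username.encode("ascii") + b"\r\n"
    x224_cr = (b"\xe0"        # TPDU code 0xE0: Connection Request
               + b"\x00\x00"  # DST-REF
               + b"\x00\x00"  # SRC-REF
               + b"\x00"      # class 0
               + cookie)
    x224 = bytes([len(x224_cr)]) + x224_cr           # LI prefix
    tpkt = b"\x03\x00" + struct.pack(">H", TPKT_HEADER_LEN + len(x224))
    return tpkt + x224


def extract_mstshash_user(packet: bytes):
    """Return the username from an X.224 Connection Request, or None if the
    bytes are not such a packet (wrong TPKT framing, not a CR, no cookie)."""
    if len(packet) < TPKT_HEADER_LEN + 1 + X224_CR_FIXED_LEN:
        return None
    if packet[:2] != b"\x03\x00":
        return None
    (tpkt_len,) = struct.unpack(">H", packet[2:4])
    if tpkt_len != len(packet):
        return None                      # truncated or over-long frame
    li = packet[4]
    if packet[5] != 0xE0:
        return None                      # e.g. 0xD0 is the server's Connection Confirm
    variable_part = packet[TPKT_HEADER_LEN + 1 + X224_CR_FIXED_LEN:TPKT_HEADER_LEN + 1 + li]
    if not variable_part.startswith(COOKIE_PREFIX):
        return None                      # a routing token or no cookie at all
    end = variable_part.find(b"\r\n")
    if end < 0:
        return None
    return variable_part[len(COOKIE_PREFIX):end].decode("ascii", "replace")


def sniff_users(packets):
    """What a sniffer on the wire learns from a stream of TPKT frames."""
    found = []
    for p in packets:
        user = extract_mstshash_user(p)
        if user is not None:
            found.append(user)
    return found


# Constructed sample capture: two client openings, one server Connection
# Confirm (0xD0) and one unrelated cleartext frame. Names are invented.
SAMPLE_CAPTURE = [
    build_connection_request("s1gnal_9"),
    b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x00\x00\x00",   # X.224 CC from the server
    b"GET / HTTP/1.0\r\n\r\n",                          # not TPKT at all
    build_connection_request("administrator"),
]

if __name__ == "__main__":
    for user in sniff_users(SAMPLE_CAPTURE):
        print("cleartext username seen:", user)
```

Because this token travels before any keying material is exchanged, no Terminal Services encryption-level setting hides it; the only way to keep the username off the wire is to wrap the session in something the sniffer cannot read (a VPN or, on later versions, TLS negotiated before the cookie matters).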