From: Dom De Vitto (DomDeVitto.com)
Date: Thu Jan 17 2002 - 14:24:31 CST

    Agreed, but it's information leakage at best, giving a sniffer
    a good starting place for leveraging a known username on the TS,
    and quite possibly the client (as they are often the same across
    domains and even OSes).

    Dom

     |-----Original Message-----
     |From: Pybus, David [mailto:DPybus@colt-telecom.com]
     |Sent: Wednesday, January 16, 2002 12:05 PM
     |To: 's1gnal_9 '; vuln-dev@securityfocus.com; bugtraq@securityfocus.com
     |Subject: RE: Bugs? in Microsoft RDP protocol, & Questions.
     |
     |
     |What security level have you set the terminal server to? If
     |it is set to low it will be sending back a lot more than just
     |its machine name unencrypted.
     |
     |Normally you wouldn't expose Terminal Services to the net so
     |exposing things like a machine name are no worse than in the
     |NetBios situation you mentioned. More importantly when
     |exposing a TS machine to the net by default you give anyone
     |who can connect the opportunity to brute force the local
     |administrator account. This has to be prevented by configuring
     |Terminal Services not to allow the local admin account to log on
     |and using other accounts instead which can be configured to
     |lock after three failed attempts, or whatever else your policy
     |dictates.
     |
     |Also something I have never seen anything about anywhere is
     |how Terminal Services implements its key generation/exchange.
     |As there is no indication that any type of asymmetric
     |authentication occurs it seems reasonable to assume that
     |Terminal Services is also probably vulnerable to man in the
     |middle attacks.
     |
     |Food for thought,
     |David Pybus
     |
     |-----Original Message-----
     |From: s1gnal_9 [mailto:s1gnal_9@sunos.com]
     |Sent: 15 January 2002 03:41
     |To: vuln-dev@securityfocus.com; bugtraq@securityfocus.com
     |Subject: Bugs? in Microsoft RDP protocol, & Questions.
     |
     |
     |Today I was doing some research on the RDP protocol on my
     |network, I used 2 Windows XP machines. During the
     |authentication process when MACHINE1 connects to MACHINE2, I
     |found 3 interesting packets.
     |
     |Packet #1
     |<----SNIP---->
     |G.O.0.N................
     |<----SNIP---->
     |Above was sent via the system we connect to, go0n is the name
     |of that computer, so the computer name is sent unencrypted.
     |
     |<----SNIP---->
     |.......5.5.2.7.4.-.6.4.
     |0.-.0.0.0.0.4.5.1.-.4.3
     |.0.3.9.................
     |<----SNIP---->
     |In this tidbit, the remote system also sent the product ID of
     |the remote operating system, in clear text.
     |
     |
     |Packet #2
     |<----SNIP---->
     |.P".2..
     |.4G..E..J...EUR..?.¨.d.¨
     |.e.ë.=¨¬.]P?R&P.ú......
     |..".à.....
     |Cookie: mstshash=go0n.
     |<---SNIP---->
     |Cookie? Not sure what that is for.
     |This also sent the computer name in clear text.
     |mstshash? I'm not sure what this is either, I'm guessing it
     |stands for "Microsoft Terminal Services Hash". Does it base
     |its hash off of the remote user's username?
     |
     |Packet #3
     |<----SNIP---->
     |.........\.RSA1H
     |<----SNIP---->
     |This is sent also, MS uses RSA's RC4 encryption. Not that it
     |seems it would pose a threat, just thought it was interesting.
     |
     |
     |The first two packets are the ones I'm most concerned about.
     |Instead of getting remote usernames via Netbios protocol,
     |people can now get the remote computer name via the RDP protocol.
     |
     |The first packet contains the Product ID number, what this
     |means is a remote attacker can find out exactly what the remote
     |system is running, the most accurate way of remote OS
     |detection for the latest Windows versions that deploy the RDP
     |protocol.
     |
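As an added example (not code from anyone in this thread): a small Python parser that pulls the clear-text `mstshash` identifier from an RDP connection request (a TPKT header followed by an X.224 Connection Request, the layout this PDU uses), so a network monitor can log it or alert when it matches the local administrator account that David Pybus warns about. The packet builder, the sample identifiers and the watchlist are constructed for the example.

```python
import struct

TPKT_VERSION = 3
X224_CONNECTION_REQUEST = 0xE0
COOKIE_PREFIX = b"Cookie: mstshash="


def build_connection_request(identifier: str) -> bytes:
    """Constructed sample (not a capture): TPKT + X.224 CR carrying the
    clear-text 'Cookie: mstshash=' line seen in Packet #2 of the thread."""
    cookie = COOKIE_PREFIX + identifier.encode("ascii") + b"\r\n"
    # X.224 CR fixed part: code 0xE0, dst-ref (2), src-ref (2), class option (1)
    body = bytes([X224_CONNECTION_REQUEST]) + b"\x00\x00\x00\x00\x00" + cookie
    x224 = bytes([len(body)]) + body            # length indicator excludes itself
    tpkt = struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(x224))
    return tpkt + x224


def parse_mstshash(data: bytes):
    """Return the mstshash identifier from an X.224 Connection Request,
    or None if the bytes are not a well-formed CR or carry no cookie."""
    if len(data) < 11:
        return None
    version, _reserved, tpkt_len = struct.unpack("!BBH", data[:4])
    if version != TPKT_VERSION or tpkt_len != len(data):
        return None
    length_indicator = data[4]
    if data[5] != X224_CONNECTION_REQUEST or 5 + length_indicator != len(data):
        return None
    variable_part = data[11:]                   # after the 7-byte fixed part
    for line in variable_part.split(b"\r\n"):   # trailing rdpNegReq bytes are ignored
        if line.startswith(COOKIE_PREFIX):
            return line[len(COOKIE_PREFIX):].decode("ascii", "replace")
    return None


def classify(data: bytes, watchlist=frozenset({"administrator"})) -> dict:
    """Monitoring verdict for one connection request: the identifier that
    crossed the wire in clear text, and whether it is on the watchlist."""
    identifier = parse_mstshash(data)
    alert = identifier is not None and identifier.lower() in watchlist
    return {"identifier": identifier, "alert": alert}


if __name__ == "__main__":
    for name in ("go0n", "Administrator"):
        print(classify(build_connection_request(name)))
```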