What security level have you set the terminal server to? If it is set to low, it will be sending back a lot more than just its machine name unencrypted. Normally you wouldn't expose Terminal Services to the net, so exposing things like a machine name is no worse than in the NetBIOS situation you mentioned.

More importantly, when exposing a TS machine to the net, by default you give anyone who can connect the opportunity to brute force the local administrator account. This has to be prevented by configuring Terminal Services not to allow the local admin account to log on and using other accounts instead, which can be configured to lock after three failed attempts, or whatever else your policy dictates.

Also, something I have never seen anything about anywhere is how Terminal Services implements its key generation/exchange. As there is no indication that any type of asymmetric authentication occurs, it seems reasonable to assume that Terminal Services is also probably vulnerable to man-in-the-middle attacks.

Food for thought,

David Pybus

-----Original Message-----
From: s1gnal_9 [mailto:s1gnal_9at_private]
Sent: 15 January 2002 03:41
To: vuln-devat_private; bugtraqat_private
Subject: Bugs? in Microsoft RDP protocol, & Questions.

Today I was doing some research on the RDP protocol on my network; I used 2 Windows XP machines. During the authentication process, when MACHINE1 connects to MACHINE2, I found 3 interesting packets.

Packet #1

<----SNIP---->
G.O.0.N................
<----SNIP---->

Above was sent via the system we connect to. go0n is the name of that computer, so the computer name is sent unencrypted.

<----SNIP---->
.......5.5.2.7.4.-.6.4.
0.-.0.0.0.0.4.5.1.-.4.3
.0.3.9.................
<----SNIP---->

In this tidbit, the remote system also sent the product ID of the remote operating system, in clear text.

Packet #2

<----SNIP---->
.P"@.2.. .4G..E..J..@.EUR..?.¨.d.¨
.e.ë.=¨¬.]P?R&P.ú......
..".à.....
Cookie: mstshash=go0n.
<----SNIP---->

Cookie? Not sure what that is for. This also sent the computer name in clear text. mstshash? I'm not sure what this is either; I'm guessing it stands for "Microsoft Terminal Services Hash". Does it base its hash off of the remote user's username?

Packet #3

<----SNIP---->
.........\.RSA1H
<----SNIP---->

This is sent also; MS uses RSA's RC4 encryption. Not that it seems it would pose a threat, just thought it was interesting.

The first two packets are the ones I'm most concerned about. Instead of getting remote usernames via the NetBIOS protocol, people can now get the remote computer name via the RDP protocol. The first packet contains the Product ID number; what this means is a remote attacker can find out exactly what the remote system is running, the most accurate way of remote OS detection for the latest Windows versions that deploy the RDP protocol.

--
_______________________________________________
Get your free email from http://sunos.com
Powered by Instant Portal
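The "Cookie: mstshash=" string in s1gnal_9's Packet #2 is part of the X.224 Connection Request that opens every RDP session, which is why it is visible before any encryption is negotiated. The script below is an added example, not code from either poster or from Microsoft; it parses that request the way a passive network sensor would, reports the clear-text identifier in the cookie (the later-published protocol specification, MS-RDPBCGR, describes the identifier as the client user name, truncated to nine characters) and reports which security the client offers in the optional rdpNegReq structure. A request with no rdpNegReq at all, as Windows XP-era clients send, means standard RDP security only, which is the case David Pybus's "security level" question turns on. The packet bytes, the identifier "EXAMPLEPC" and the builder function are constructed for the example and are not captured data.

```python
"""Parse an RDP X.224 Connection Request (TPKT header + X.224 CR TPDU) and
report the clear-text identity it carries, the way a network sensor might
flag what the post above observed.  Added example, not code from the thread;
the sample packet is constructed, not captured.  Field layout follows
MS-RDPBCGR 2.2.1.1 (Client X.224 Connection Request PDU)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

TPKT_VERSION = 3
X224_TPDU_CR = 0xE0           # Connection Request: TPDU code in the high nibble
TYPE_RDP_NEG_REQ = 0x01       # rdpNegReq.type
COOKIE_PREFIX = b"Cookie: mstshash="
# requestedProtocols bits; a value of 0 means standard RDP security only
PROTOCOL_NAMES = {0x1: "PROTOCOL_SSL", 0x2: "PROTOCOL_HYBRID",
                  0x8: "PROTOCOL_RDSTLS", 0x10: "PROTOCOL_HYBRID_EX"}


@dataclass
class ConnReqInfo:
    cookie: Optional[str]          # identifier after "mstshash=", if any
    protocols: Optional[int]       # requestedProtocols bitmask, None if absent
    findings: List[str] = field(default_factory=list)


def parse_x224_connection_request(data: bytes) -> ConnReqInfo:
    if len(data) < 11:
        raise ValueError("too short for TPKT + X.224 CR")
    version, _reserved, tpkt_len = struct.unpack("!BBH", data[:4])
    if version != TPKT_VERSION:
        raise ValueError(f"unexpected TPKT version {version}")
    if tpkt_len != len(data):
        raise ValueError("TPKT length does not match buffer length")
    li = data[4]                   # number of bytes following the length indicator
    if (data[5] & 0xF0) != X224_TPDU_CR:
        raise ValueError("not an X.224 Connection Request")
    if 5 + li > len(data):
        raise ValueError("X.224 length indicator exceeds buffer")
    # dst-ref (2), src-ref (2) and class option (1) occupy offsets 6..10;
    # the variable part (cookie and/or rdpNegReq) starts at offset 11
    var = data[11:5 + li]

    cookie = None
    rest = var
    if var.startswith(COOKIE_PREFIX):
        end = var.find(b"\r\n")    # cookie is CR LF terminated
        if end == -1:
            raise ValueError("cookie not terminated by CR LF")
        cookie = var[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        rest = var[end + 2:]

    protocols = None
    if len(rest) >= 8 and rest[0] == TYPE_RDP_NEG_REQ:
        # rdpNegReq fields are little-endian: type, flags, length(=8), protocols
        _type, _flags, length, protocols = struct.unpack("<BBHI", rest[:8])
        if length != 8:
            raise ValueError("rdpNegReq length must be 8")

    info = ConnReqInfo(cookie, protocols)
    if cookie is not None:
        info.findings.append(f"clear-text identifier in mstshash cookie: {cookie!r}")
    if protocols is None:
        info.findings.append("no rdpNegReq: legacy client, standard RDP security only")
    elif protocols == 0:
        info.findings.append("client offers standard RDP security only (PROTOCOL_RDP)")
    else:
        names = [n for bit, n in PROTOCOL_NAMES.items() if protocols & bit]
        info.findings.append("client offers: " + ", ".join(names))
    return info


def build_connection_request(cookie: Optional[str], protocols: Optional[int]) -> bytes:
    """Assemble a constructed CR PDU so the parser can be exercised offline."""
    var = b""
    if cookie is not None:
        var += COOKIE_PREFIX + cookie.encode("ascii") + b"\r\n"
    if protocols is not None:
        var += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, protocols)
    tpdu = struct.pack("!BHHB", X224_TPDU_CR, 0, 0, 0) + var   # type, dst, src, class
    tpdu = bytes([len(tpdu)]) + tpdu                             # prepend LI
    return struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(tpdu)) + tpdu


if __name__ == "__main__":
    # Constructed sample: identifier "EXAMPLEPC" (not from the thread), no TLS offered
    sample = build_connection_request("EXAMPLEPC", 0)
    for line in parse_x224_connection_request(sample).findings:
        print(line)
```

On a sensor the same logic runs over the first TPKT segment of each inbound TCP/3389 connection; a request carrying a cookie but offering neither PROTOCOL_SSL nor PROTOCOL_HYBRID is the combination that, at a low server security level, leaves the identifiers discussed in the thread and the subsequent key exchange without any server authentication.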
This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 15:57:37 PST