Agreed, but it's information leakage at best, giving a sniffer a good starting place for leveraging a known username on the TS, and quite possibly the client (as they are often the same across domains and even OSes).

Dom

|-----Original Message-----
|From: Pybus, David [mailto:DPybus@colt-telecom.com]
|Sent: Wednesday, January 16, 2002 12:05 PM
|To: 's1gnal_9 '; vuln-devat_private; bugtraqat_private
|Subject: RE: Bugs? in Microsoft RDP protocol, & Questions.
|
|
|What security level have you set the terminal server to? If it is set to low,
|it will be sending back a lot more than just its machine name unencrypted.
|
|Normally you wouldn't expose Terminal Services to the net, so exposing things
|like a machine name are no worse than in the NetBIOS situation you mentioned.
|More importantly, when exposing a TS machine to the net by default you give
|anyone who can connect the opportunity to brute force the local administrator
|account. This has to be prevented by configuring Terminal Services not to
|allow the local admin account to log on and using other accounts instead,
|which can be configured to lock after three failed attempts, or whatever else
|your policy dictates.
|
|Also, something I have never seen anything about anywhere is how Terminal
|Services implements its key generation/exchange. As there is no indication
|that any type of asymmetric authentication occurs, it seems reasonable to
|assume that Terminal Services are also probably vulnerable to man in the
|middle attacks.
|
|Food for thought,
|David Pybus
|
|-----Original Message-----
|From: s1gnal_9 [mailto:s1gnal_9at_private]
|Sent: 15 January 2002 03:41
|To: vuln-devat_private; bugtraqat_private
|Subject: Bugs? in Microsoft RDP protocol, & Questions.
|
|
|Today I was doing some research on the RDP protocol on my network. I used
|2 Windows XP machines. During the authentication process, when MACHINE1
|connects to MACHINE2, I found 3 interesting packets.
|
|Packet #1
|<----SNIP---->
|G.O.0.N................
|<----SNIP---->
|Above was sent via the system we connect to; go0n is the name of that
|computer, so the computer name is sent unencrypted.
|
|<----SNIP---->
|.......5.5.2.7.4.-.6.4.
|0.-.0.0.0.0.4.5.1.-.4.3
|.0.3.9.................
|<----SNIP---->
|In this tidbit, the remote system also sent the product ID of the remote
|operating system, in clear text.
|
|
|Packet #2
|<----SNIP---->
|.P"@.2..
|.4G..E..J..@.EUR..?.¨.d.¨
|.e.ë.=¨¬.]P?R&P.ú......
|..".à.....
|Cookie: mstshash=go0n.
|<---SNIP---->
|Cookie? Not sure what that is for.
|This also sent the computer name in clear text.
|mstshash? I'm not sure what this is either; I'm guessing it stands for
|"Microsoft Terminal Services Hash". Does it base its hash off of the remote
|user's username?
|
|Packet #3
|<----SNIP---->
|.........\.RSA1H
|<----SNIP---->
|This is sent also; MS uses RSA's RC4 encryption. Not that it seems it would
|pose a threat, just thought it was interesting.
|
|
|The first two packets are the ones I'm most concerned about. Instead of
|getting remote usernames via the NetBIOS protocol, people can now get the
|remote computer name via the RDP protocol.
|
|The first packet contains the Product ID number; what this means is a remote
|attacker can find out exactly what the remote system is running, the most
|accurate way of remote OS detection for the latest Windows versions that
|deploy the RDP protocol.
|
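The `Cookie: mstshash=...` field the post above found on the wire sits in the variable part of the X.224 Connection Request, the first PDU of an RDP session (TPKT header, then the X.224 CR TPDU, as laid out in MS-RDPBCGR). The parser below is an added example, not code from anyone in this thread; it extracts that clear-text identifier from a captured request so a defender can audit what an exposed Terminal Server's clients leak, and, going beyond the 2002 capture, reads the optional rdpNegReq that later clients append, flagging requests that ask only for standard RDP security (no TLS/CredSSP), which is the setting David Pybus's man-in-the-middle remark concerns. The sample packet is constructed here, not captured traffic.

```python
import struct

COOKIE_MARKER = b"Cookie: mstshash="

def parse_connection_request(data: bytes) -> dict:
    """Parse one TPKT-framed X.224 Connection Request (the first RDP PDU).
    Returns {'cookie': str|None, 'requested_protocols': int|None};
    raises ValueError when the bytes are not a well-formed request."""
    if len(data) < 11 or data[0] != 0x03 or data[1] != 0x00:
        raise ValueError("not a TPKT (version 3) header")
    tpkt_len = struct.unpack("!H", data[2:4])[0]
    if tpkt_len > len(data) or tpkt_len < 11:
        raise ValueError("TPKT length inconsistent with captured bytes")
    tpdu = data[4:tpkt_len]
    li, code = tpdu[0], tpdu[1]             # LI = bytes following it in the header
    if code & 0xF0 != 0xE0:                 # 0xE0 = Connection Request TPDU
        raise ValueError("not an X.224 Connection Request")
    # Fixed part after LI: code, DST-REF(2), SRC-REF(2), class option = 6 bytes
    var = tpdu[7:li + 1]
    result = {"cookie": None, "requested_protocols": None}
    if var.startswith(COOKIE_MARKER):
        end = var.find(b"\r\n")
        if end < 0:
            raise ValueError("cookie not CR/LF terminated")
        result["cookie"] = var[len(COOKIE_MARKER):end].decode("ascii", "replace")
        var = var[end + 2:]
    if len(var) >= 8 and var[0] == 0x01:   # optional rdpNegReq (type 0x01)
        result["requested_protocols"] = struct.unpack("<I", var[4:8])[0]
    return result

def review_capture(packets):
    """Defender view: which requests leak an identifier, which ask for legacy RDP security only."""
    findings = []
    for idx, pkt in enumerate(packets):
        try:
            info = parse_connection_request(pkt)
        except ValueError:                  # not a connection request; skip it
            continue
        if info["cookie"] is not None:
            findings.append((idx, "cleartext identifier", info["cookie"]))
        if info["requested_protocols"] == 0:
            findings.append((idx, "standard RDP security only", None))
    return findings

# Constructed sample (not captured traffic): TPKT + X.224 CR carrying the
# cookie shown in the post, followed by an rdpNegReq requesting protocol 0.
SAMPLE_CR = (b"\x03\x00\x00\x2a" + b"\x25\xe0\x00\x00\x00\x00\x00"
             + b"Cookie: mstshash=go0n\r\n"
             + b"\x01\x00\x08\x00\x00\x00\x00\x00")
```

`review_capture([SAMPLE_CR])` reports both the clear-text identifier `go0n` and the request for standard RDP security; frames that are not connection requests are skipped rather than mis-parsed.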
This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 13:09:08 PST