RE: RE: Microsoft RDP Priv. Escalation

From: Thor (Hammer of God) (thor@hammerofgod.com)
Date: Wed Apr 09 2008 - 15:08:11 EDT

• Next message: Memet Anwar: "Re: Microsoft RDP Priv. Escalation"
• Previous message: Paul Asadoorian: "Re: Computer Security Videos"
• In reply to: Yousif@Vapt-Sec.com: "Re: RE: Microsoft RDP Priv. Escalation"
• Next in thread: Memet Anwar: "Re: Microsoft RDP Priv. Escalation"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

"Alternate Shell" simply launches a program on connect within the
context of the logged on user. It's the exact same thing as going to
the "Programs" tab of mstsc and checking "Start the following program on
connection." There is no privileged escalation - the app runs in the
context of the user specified. It's a simple as that.

This doesn't "get around" any permissions. You can't "execute programs
you normally couldn't execute." If you are executing programs, then you
have the permission to do so.

t

> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Yousif@Vapt-Sec.com
> Sent: Tuesday, April 08, 2008 8:04 PM
> To: pen-test@securityfocus.com
> Subject: Re: RE: Microsoft RDP Priv. Escalation
>
> Thor - Did you consider trying this out or did you merely read?
> Uploading .RDP files for direct access via the web is obviously wrong,
> but that's beyond the point of this entire insecurity, and you my
> friend are not comprehending it. The information about the insecurity
> isn't illegal as I did not use valid information from any .RDP
> connection file. The cmd.exe thing is simply an example. Other
> applications that wouldn't normally execute can be executed with this
> as well. The escalation is the ability to run applications you
> shouldn't be able to with such an account. It's under the privileges
of
> the user, but the idea is, those privileges don't allow you to execute
> certain programs. Through that, you can.
>
>
-----------------------------------------------------------------------
> -
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
>
-----------------------------------------------------------------------
> -

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

• Next message: Memet Anwar: "Re: Microsoft RDP Priv. Escalation"
• Previous message: Paul Asadoorian: "Re: Computer Security Videos"
• In reply to: Yousif@Vapt-Sec.com: "Re: RE: Microsoft RDP Priv. Escalation"
• Next in thread: Memet Anwar: "Re: Microsoft RDP Priv. Escalation"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:30 EDT