RE: Remote Desktop/Term. Serv information leakage

From: Ha, Jason (JHa@verisign.com.au)
Date: Sat Jul 02 2005 - 02:23:15 EDT


Hey There,

Actually, you can transfer files directly using RD. >:) If you edit the
connection settings for your given connection, you'll notice a "Local
Resources" tab. There, you can select "Disk Drives" which gives you the
ability to have your hard drive mapped on the remote host. You can then
freely transfer files between the two hosts.

I wouldn't say it's so much a bug as it is a "feature". Part of the
process assumes that you have some type of valid logon to the remote
host. You can always restrict the level of user authorisation
(preventing them from writing to the local drive, preventing them from
reading certain directories and so forth).

I guess you can bolster additional security by not allowing "anyone" to
connect to the remote host. You mention that it's on an isolated network
which is not connected to the internet, so I assume it's just certain
internal technical staff who can connect to the host? If so, you may be
able to perform source IP restriction at the firewall/router/host level.
If you need something a bit meatier, perhaps use additional levels of
authentication to ensure that it's not possible to password guess or
brute force the host. Perhaps even apply an additional level of
authentication at the firewall/router level before it allows the
connection through to the host? All of these solutions shouldn't be too
costly.

Hope this helps.

Regards,

Jason Ha [CISSP, CCSE, JNCIS-FWV]
Senior Security Engineer,
Security Operations Centre
VeriSign Asia Pacific
 

-----Original Message-----
From: kuffya@gmail.com [mailto:kuffya@gmail.com]
Sent: Saturday, July 02, 2005 12:42 AM
To: pen-test@securityfocus.com
Subject: Remote Desktop/Term. Serv information leakage

Hi list,
One of our recent clients has a separate 'isolated' network where they
keep sensitive material. This network is not connected to the internet,
is not physically accessible and you can only connect to it using remote
desktop. They asked us to test if the isolated network was adequately
protected.
Here's what I discovered: When you start a Rem Desktop session from the
main network to the isolated one you can actually copy and paste stuff
across...this is only true for text not for complete files, and seems to
be by design. What is more worrisome is that you can even copy across
executables doing simple tricks such as:
1) download an executable
2) change extension to .txt
3) copy (the text version) across to a notepad.
4) change it back to .exe
So literally we have a significant leakage over here, introducing
threats to the isolated network.
I am posting this to ask your opinion on how this could be
mitigated......I think that Remote Desktop is not possible to configure
securely since it's not designed as such...and hence it transfers across
anything it receives, be it mouse movements or copied & pasted text...
So I was trying to think what would be the best solution, without
spending a fortune on a 'secure' commercial solution, that is. Maybe
something like SSH tunneling then Rem. Desktop or VNC or what?
And do you think this 'bug' is something worth investigating any further? Is
it something you people knew of?

Thanks a lot.
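
Added example, not part of either message in this thread: the clipboard and "Disk Drives" redirection discussed above can be blocked on the server side through the Terminal Services Group Policy values, and this Python sketch audits a `.reg` export of that policy key to list the redirection channels policy still leaves open. The export text is a constructed sample, and the script assumes the export has already been decoded to text.

```python
import re

# Standard Terminal Services Group Policy key and value names.
# 1 = redirection disabled; 0 or absent = not blocked by policy.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
CHANNELS = {
    "fDisableClip": "clipboard",
    "fDisableCdm": "drive",
    "fDisableCcm": "COM port",
    "fDisableLPT": "LPT port",
    "fDisableCpm": "printer",
}

def parse_reg_dwords(text, key):
    """Return {lowercased value name: int} for dword values directly under `key`."""
    values, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Exact match only, so subkeys such as ...\Client are not mixed in.
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if in_key and m:
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values

def open_channels(values):
    """List the redirection channels that policy does not block."""
    return [label for name, label in CHANNELS.items()
            if values.get(name.lower(), 0) != 1]

# Constructed sample export: clipboard blocked, drive explicitly allowed, rest unset.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisableClip"=dword:00000001
"fDisableCdm"=dword:00000000
"MaxIdleTime"=dword:000dbba0

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client]
"fDisableClip"=dword:00000000
'''

if __name__ == "__main__":
    for channel in open_channels(parse_reg_dwords(SAMPLE, POLICY_KEY)):
        print(f"not blocked by policy: {channel} redirection")
```

A channel reported here is only unblocked at the policy level; the per-listener connection settings on the host may still restrict it.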


