Penetration Testing mailing list archives
Re: Remote Desktop/Term. Serv information leakage
From: Joachim Schipper <j.schipper () math uu nl>
Date: Fri, 1 Jul 2005 17:55:38 +0200
On Fri, Jul 01, 2005 at 02:41:45PM -0000, kuffya () gmail com wrote:
> Hi list,
>
> One of our recent clients has a separate 'isolated' network where they keep sensitive material. This network is not connected to the internet, is not physically accessible and you can only connect to it using remote desktop. They asked us to test if the isolated network was adequately protected.
>
> Here's what I discovered: When you start a Rem Desktop session from the main network to the isolated one you can actually copy and paste stuff across...this is only true for text, not for complete files, and seems to be by design. What is more worrisome is that you can even copy across executables doing simple tricks such as
>
> 1) download an executable
> 2) change extension to .txt
> 3) copy (the text version) across to a notepad
> 4) change it back to .exe
>
> So literally we have a significant leakage over here, introducing threats to the isolated network.
>
> I am posting this to ask your opinion on how this could be mitigated......I think that Remote Desktop is not possible to configure securely since it's not designed as such...and hence it transfers across anything it receives, be it mouse movements or copied & pasted text...
>
> So I was trying to think what would be the best solution, without spending a fortune on a 'secure' commercial solution, that is. Maybe something like SSH tunneling then Rem. Desktop or VNC or what?
>
> And do you think this 'bug' is something worth investigating any further? Is it something you people knew of?
>
> Thanks a lot.
Hi,

this is a well-known feature of most/many VNC systems (and RDesktop is pretty much the same as a VNC system).

What are they trying to protect from? External hackers trying to gain access to the data? Malicious employees (who do have legitimate access)? Snooping attackers? People brute forcing their way in?

SSL can help against the last two problems (certificate-based authentication is very difficult to brute-force!), but is worth nothing against the second. And only a little against the first, because the 'secured' network really isn't much more secure than the computers used to access it. And bouncing the attack is not beyond a sophisticated attacker...

Being able to copy data to and from the systems is pretty much implied in granting access. In the worst case, you can just 'copy' stuff by typing (to) or even just memorizing (from). And yes, you can transfer executables this way; many text processors allow entering arbitrary character codes and hex editors aren't exactly uncommon.

If we are talking a high-security network, one should ask oneself if users need the power to make stuff executable. Depending on your OS, it should be possible to deny them this privilege. If you are going all the way, deny them write privileges to anything - because text files could, with some work, be filled with executable content and then made executable.

Joachim
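
An added example, not part of either post in this thread: a defender-side sweep of the isolated network's user-writable directories for files that carry a text extension but hold Windows executable content, either raw or as a hex dump. The extension list, the function names and the sample stub are assumptions constructed for illustration.

```python
import binascii
import struct
from pathlib import Path

# Assumed policy list of extensions that should only ever hold text.
TEXT_EXTENSIONS = {".txt", ".log", ".csv", ".rtf"}

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(data: bytes) -> str:
    """Return 'raw-pe', 'hex-pe' or 'clean' for one file's content."""
    if is_pe(data):
        return "raw-pe"
    compact = b"".join(data.split())  # ignore whitespace and line breaks in a hex dump
    try:
        if is_pe(binascii.unhexlify(compact)):
            return "hex-pe"
    except (binascii.Error, ValueError):
        pass  # not a pure hex dump
    return "clean"

def scan(root: str) -> dict:
    """Map each text-extension file under root that holds PE content to its verdict."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in TEXT_EXTENSIONS:
            verdict = classify(path.read_bytes())
            if verdict != "clean":
                findings[str(path)] = verdict
    return findings

def sample_pe() -> bytes:
    """Constructed 68-byte stub: MZ header, e_lfanew=0x40, PE signature. Not a runnable program."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0"

if __name__ == "__main__":
    import sys
    for name, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{verdict}\t{name}")
```

A sweep like this only flags content that has already landed on disk; it complements, rather than replaces, denying users the ability to write or execute files as suggested in the reply.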