Comments on: Remote Desktop Command Fixation Attacks

By: Changlinn

Changlinn — Sun, 11 May 2008 13:11:20 +0000

Most terminal servers I set up are restricted too, so the user can’t run cmd.exe and evil.exe, only a set of programs specified… of course one of those because of business requirements is Internet Explorer, so game over right there. It is an interesting exploit, but not one that would necessarily work 100% of the time. Could you just MIM them, ie change the citrix/rdp to connect to a server on your network through port 443, then you redirect and capture their user/pass.

By: Live Mesh - Good or Bad Idea? | GNUCITIZEN

Live Mesh - Good or Bad Idea? | GNUCITIZEN — Sun, 04 May 2008 18:35:49 +0000

[...] the video on Channel 10 suggest, It bypasses the firewall! Now this is interesting. I wonder how my RDP shell injection attack will work [...]

By: Rogers

Rogers — Fri, 19 Oct 2007 10:21:10 +0000

Isn’t most Citrix-servers set up to NOT allow users to install or execute unknown applications? Will the user be allowed to execute cmd.exe and download and run an unknown file?

By: Scott

Scott — Mon, 15 Oct 2007 16:36:12 +0000

An easy way to defend this is with an IPS that will shun RDP traffic on 3389 or detecting RDP over a non standard port.

There is a rule on Bleeding Snort to do this.

By: pdp

pdp — Mon, 15 Oct 2007 09:08:39 +0000

Der Klempner, here are two pictures that explain how the attack works in the most basic form:

is it clearer now?

By: Der Klempner

Der Klempner — Mon, 15 Oct 2007 07:40:37 +0000

I’am a little curious - why should my firewall policies allow to forward such outbound connections - and moreover - why should i expose my rdp/ica servers without additional protection (e.g. VPN/certificates) to the outside.

Security comes with layers of it.

Der Klempner

By: pdp

pdp — Sat, 13 Oct 2007 08:45:04 +0000

LonerVamp, I am putting a post now, which explains everything in more detail. Thanks.

By: LonerVamp

LonerVamp — Fri, 12 Oct 2007 18:12:17 +0000

If you truly believe security in depth (defense in depth is the common usage), then what are you envisioning? That we have one perfect security measure that is unbreakable? I’m not sure about you, but with the rest of the security industry, it is pretty accepted that there is no silver bullet.

We need and will always need layered defense in order to protect data and systems when one layer is thwarted.

You might say that people will always be a weak link, and that could be true even in an environment with security in depth. In fact, security in depth is even more needed due to the human factor. If people can make stupid mistakes, put up roadblocks, nets, and pointy objects in their way so they don’t stupidly make those mistakes…

Perhaps you have a different definition of “security in depth,” in which case I beg that you explain it so that everyone can move beyond focusing on that statement. Maybe we’re really on the same page and just have different meanings to this rather common security term…

By: d4brain

d4brain — Thu, 11 Oct 2007 21:36:54 +0000

Hey, so great Image at the Top ;)And the tricks and infos too…

By: Larry Seltzer

Larry Seltzer — Thu, 11 Oct 2007 00:20:14 +0000

Before I saw rkd’s message I went to test the Outlook attachment stripping on Outlook 2003 and it does not strip .rdp files.

I see that the attack has a hard IP address in it, and of course the attacker would need to know either a name or address. In a corporation this is likely to be a gateway I guess and not a big secret.

I also noticed the “working directory:s:C:\”. Some of us don’t have download and execute rights in our root directories. Is there a more elegant approach to this? Is %TEMP% supported here?

By: fazed

fazed — Wed, 10 Oct 2007 19:37:45 +0000

hey i posted about something like this on my blog:
http://fazed-darkstar.blogspot.com/2007/10/phishing-windows-passwords-with-citrix.html

it basically rely’s on social engineering.
but this is a bit more indepth, nice!

By: mvs

mvs — Wed, 10 Oct 2007 19:32:25 +0000

Any email that urges you to “click this” is a potential attack vector. The barn door was opened when email morphed beyond delivering plain ASCII text. The solution is to block any email that is not plain ASCII. Since users cry when you take their candy away, computers will never be secure. End of story. Get used to it.

By: pdp

pdp — Wed, 10 Oct 2007 17:47:20 +0000

rkd, because the attacker may simply include a link to a remote RDP/ICA file which the user will click on. Of course it gets more suspicious but users will still fall for it. No to mention that RDP and ICA can be delivered to the target in multiple ways.

By: rkd

rkd — Wed, 10 Oct 2007 16:35:57 +0000

Filter emails and email content and in general traffic that contains RDP or ICA files. Yes it sounds simple, but it is almost impossible to implement.

I hate to be asking an obvious question but why is it that filtering *.rdp/*.ica (or whatever the ica extension is) is impossible?
As far as I know Outlook 2007 (the client itself) strips this attachments by itself…

By: pdp

pdp — Wed, 10 Oct 2007 13:08:03 +0000

djteller, :) yeh right. first of all you have to educate the administrators. What I am trying to show here is how easy it is sometimes to gain remote access without too much effort. The security community and industry in general is sooo much into vulnerability research that they forget to look at the most obvious, the most simplistic, and the most successful threats. Who needs 0days when Andrea Johnson, the secretary from 3rd floor, will unawarely let you in?

Moreover, most people have never heard of Windows Terminal services. The don’t know how they even look like. So, what’s going to happen if the attacker just spawns a full-screen session on their desktop? They will probably think that somehow they logged out; type their username and password, and of course let the attacker in. Simple and effective.

By: djteller

djteller — Wed, 10 Oct 2007 12:56:44 +0000

What can we do about it ? -> Educate users.

By: pdp

pdp — Wed, 10 Oct 2007 11:33:12 +0000

now when I am thinking this trick should be called Remote Desktop Shell Fixation Attacks