Much of the exploitability of a Citrix or Terminal services type
solution relates to how the application works. I audited a site where
multiple companies shared a common front end. The security of the data
relied on that front end. In this case, I was able to use the
"help/about vulnerabilities" that were mentioned here a few days ago.
The bulk of the discussion here has been on the ability to escalate
privileges for an authenticated user but, in WAY TOO MANY cases,
escalation isn't even necessary.
-----Original Message-----
From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com]
On Behalf Of Sat Jagat Singh
Sent: Monday, May 05, 2008 1:43 PM
To: PenTest
Subject: RE: Fwd: Terminal services and remote programs.
I'll count myself as corrected on the issue of privilege escalation
through MS Office. I actually did find one. MS06-009 pertains to a
vulnerability in the Korean Input Method Editor of multi-language
versions of Office 2003 that Microsoft says can be exploited to escalate
privileges. So, that's pretty obscure and unlikely to be found in most
environments. But it demonstrates that such a thing is conceptually
possible.
Concerning access control and other "unauthorized" access, in some
environments simply being able to use ping or browse the network is a
violation of policy, though it may not violate the configured access
rights. One needs to distinguish between what is authorized in the
sense of managerial policy versus permissions that are actually
configured. These types of unintended access are often the gateway to
finding poorly secured assets that are actually sensitive. That is why
such desktop restrictions are implemented as one way of enforcing access
control. You are certainly correct that in and of themselves these
measures are not access control.
--- On Fri, 5/2/08, Thor (Hammer of God) <thor_at_hammerofgod.com> wrote:
> From: Thor (Hammer of God) <thor_at_hammerofgod.com>
> Subject: RE: Fwd: Terminal services and remote programs.
> To: "PenTest" <pen-test_at_securityfocus.com>
> Date: Friday, May 2, 2008, 3:50 PM
> Inline:
>
> > -----Original Message-----
> > From: listbounce_at_securityfocus.com
> > [mailto:listbounce_at_securityfocus.com] On Behalf Of Sat
> Jagat Singh
> > Sent: Wednesday, April 30, 2008 7:48 AM
> > To: PenTest
> > Subject: Re: Fwd: Terminal services and remote
> programs.
> >
> > Our team regularly breaks into Terminal Servers
> through social
> > engineering and phishing techniques. So, measure #1
> to protect these:
> > require either ipsec vpn to be able to connect to the
> box or two
> factor
> > authentication such as RSA or Vasco to get on it.
>
> Always excellent advise, and not just for terminal
> services. Multiple
> authentication methods are always recommended.
>
> > When I have credentials, I have never yet seen a
> Terminal Server or
> > Citrix Metaframe server on which I wasn't able to
> gain unauthorized
> > access to programs and escalate that to where I could
> get to most
> > anything, no matter how tightly somebody thought it
> was locked down.
> > There are dozens of ways to break out of an
> application jail in
> > Windows.
>
> Well, you might choose to call it "unauthorized"
> access, but it is
> clearly "authenticated" access, and access to
> files that you have
> *permission* to access. More next...
>
> > 1) In the programs you mention, just go to the file
> open dialog box.
> > Now you basically have a Windows Explorer interface.
> You can use this
> > to create shortcuts on your desktop to executables
> that may be
> > otherwise inaccessible, browse the network, delete
> files and more.
> >
> > 2) The help system for the application is basically an
> Internet
> > Explorer interface. This has been widely exploited by
> many people to
> > carry out all kinds of mischief.
>
> So, yes -- there are many, many ways to "exit"
> out of published
> applications or otherwise "desktop access
> limitation" methods like found
> in the resource kit. Help-menu access is a well known
> method of opening
> other windows while in a "limited desktop"
> environment, as is
> "alternateshell" or "launch on connect"
> options. However, limited
> desktop measures are *not* security solutions - they are
> simply methods
> by which to streamline deployments and to keep users from
> "hurting
> themselves" by accident.
>
> But don't confuse "using help to access an
> Internet Explorer interface"
> with something like "bypassing permissions" or
> "un-authenticated access"
> or "privileged escalation." I know *you* are not
> confusing the two, but
> others on this list may think you are saying that accessing
> IE via Help
> is the same thing as bypassing an access control, which you
> are not.
>
> Escalating from a normal user to admin on a properly
> secured box (or
> just a regular, say, Win2k3 box for that matter) is not as
> easy as you
> make it sound. You'll have to either find an unpatched
> vulnerability to
> exploit, or some other terribly misconfigured service to
> leverage.
>
> In this example, the OP was concerned with a full desktop
> of all Office
> and Adobe applications -- the issue is NOT about
> "getting IE" or
> "explorer" windows - it is about taking simple
> measures of auditing
> system permissions so that users cannot trivially (or even
> non-trivially) escalate privilege. All applications via
> RDP will be run
> in the context of the logged on user (to answer the
> original question)
> and no manner of "unauthorized access" to IE or
> Explorer changes that.
> This is the crux of the past post about a "RDP
> vulnerability" that dude
> didn't understand.
>
> > 3) Application vulnerabilities that permit code
> execution.
>
> Indeed. RDP hosts must be properly patched just like
> desktops. The one
> good benefit of an RDP host over a desktop is that the user
> doesn't have
> direct physical access by which they can easily get admin.
> However,
> they still must be audited, patched, and have logs
> reviewed.
>
> > Critical measures to prevent these include:
> > - install the system on an isolated network if
> possible, or restricted
> > DMZ otherwise;
> > - such servers should be either standalone or a member
> of a Windows
> > domain that is used only for administering the
> Terminal Servers;
> > - ensure that all of the application patches are
> installed promptly
>
> Great advise, of course.
>
> >
> > Other security controls are also relevant, including,
> personnel
> > controls such as background checks, user account
> management that
> > include promptly deleting obsolete accounts.
>
> I'm really glad you mentioned this. Policy counts
> here. Just like on
> desktops, users caught trying to bypass authentication
> methods or
> practicing unsafe computing should be shot immediately.
> Corporate due
> diligence in hiring, old account maintenance, and general
> good
> housekeeping is a must, and an excellent inclusion.
>
> > To answer your other question, if there is a
> patch-based vulnerability
> > in the application that someone can exploit to execute
> code, it would
> > typically give them the security context of their own
> user account.
> > But I think their have been at least a few MS Office
> vulnerabilities
> > that were exploitable to escalate privileges.
>
> Like which? Can you name one? I'm not aware of an
> office vuln that
> allowed for escalation.
>
> > It would depend on the
> > nature of the vulnerability. Typically, MS has gotten
> better over
> time
> > at limiting the opportunities to carry out exploits
> and the impact of
> > the exploit when it does succeed. So, it would be
> worth considering
> > Windows 2008 to deploy such a solution. While it is
> largely untested
> > in the wild, it should benefit from Microsoft's
> improved development
> > and testing processes under the "security
> development lifecycle" and
> > "trustworthy computing" regime.
>
> Again, great advise. 2008 offers many new methods by which
> to secure
> TerminalServices and RemoteApp deployments, including
> certificate
> connectoids, TLS/SSL connections, digitally signed RDP
> files and
> MSI-based remote app deployments, and in combination with
> ISA, even
> client-certificate based TSWeb connection options.
>
> t
>
> -----------
> Check out Tim Mullen's "Microsoft Ninjitsu"
> training at Blackhat Vegas
> 2008.
> There are also some other great NGS classes lead by
> world-class
> researchers and trainers available.
> http://www.blackhat.com/html/bh-usa-08/train-bh-usa-08-tm-ms-bbe.html
>
>
>
>
>
>
> >
> >
> > --- On Fri, 4/25/08, Paul Halliday
> <paul.halliday_at_gmail.com> wrote:
> >
> > > From: Paul Halliday
> <paul.halliday_at_gmail.com>
> > > Subject: Fwd: Terminal services and remote
> programs.
> > > To: pen-test_at_securityfocus.com
> > > Date: Friday, April 25, 2008, 4:03 PM
> > > I am just curious if any of you have performed an
> audit on a
> > > setup
> > > like this:
> > >
> > > In a nutshell, tech services is looking to offer
> the
> > > entire
> > > Microsoft Office suite and Adobe Creative suite
> through
> > > Terminal
> > > services.
> > >
> > > My immediate concern is, If there is a
> vulnerability in
> > > the remote
> > > apps, what will the context be for the attacker?
> > >
> > > Is there anything else I should be looking more
> closely
> > > at?
> > >
> > > Thanks.
> > >
> > >
> ---------------------------------------------------------------------
> > ---
> > > This list is sponsored by: Cenzic
> > >
> > > Need to secure your web apps NOW?
> > > Cenzic finds more, "real"
> vulnerabilities fast.
> > > Click to try it, buy it or download a solution
> FREE today!
> > >
> > > http://www.cenzic.com/downloads
> > >
> ---------------------------------------------------------------------
> > ---
> >
> >
> >
> >
>
_______________________________________________________________________
> > _____________
> > Be a better friend, newshound, and
> > know-it-all with Yahoo! Mobile. Try it now.
> >
> http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
> >
> >
>
-----------------------------------------------------------------------
> > -
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities
> fast.
> > Click to try it, buy it or download a solution FREE
> today!
> >
> > http://www.cenzic.com/downloads
> >
>
-----------------------------------------------------------------------
> > -
>
>
>
------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
>
------------------------------------------------------------------------
________________________________________________________________________
____________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now.
http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
Received on May 06 2008
Intro
