[THIN] Re: [Fwd: Microsoft Terminal Services vulnerable to MITM-attacks. (fwd)]

Mallesons Stephen Jaques
www.mallesons.com

Confidential communication



Correct, just delete the RDP listener in the CCC.

-----Original Message-----
From: Tony Lyne (Computerland) [mailto:Tony.Lyne@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, 3 April 2003 8:16 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: [Fwd: Microsoft Terminal Services vulnerable to
MITM-attacks. (fwd)]



You can disable RDP. I do it on most of my implementations for this very
reason and also for resources.

Actually I just delete the RDP protocol; more secure that way.

Tony Lyne
Senior Systems Engineer
Computerland Central
P O Box 1470
PALMERSTON NORTH
Telephone (+64) 06 3537300
Facsimile (+64) 06 3566800
Mobile (+64) 0274 720696
E-mail Tony.Lyne@xxxxxxxxxxxxxxxxxx
Internet http://www.computerland.co.nz
CAUTION: This e-mail message and accompanying data may contain information
that is confidential and subject to privilege. If you are not the intended
recipient, you are notified that any use, dissemination, distribution or
copying of this message or data is prohibited. If you have received this
e-mail in error, please notify me immediately and delete all material
pertaining to this e-mail. Thank you.


-----Original Message-----
From: George Yobst [mailto:george2@xxxxxxxxxxxxxxx]
Sent: Thursday, 3 April 2003 10:07 a.m.
To: thin@xxxxxxxxxxxxx
Subject: [THIN] [Fwd: Microsoft Terminal Services vulnerable to MITM-attacks. (fwd)]


For those of you not on Bugtraq.

My question to all of you:  can I disable RDP, and still
have full use of my Metaframe ICA?  Will it break anything
like printing or MS Term Server Licensing (just throwing
stuff out there)?  -George


---------- Forwarded message ----------
Date: 02 Apr 2003 00:05:44 +0200
From: Erik Forsberg <forsberg+btq@xxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Microsoft Terminal Services vulnerable to MITM-attacks.


During extensive investigation of the Remote Desktop Protocol (RDP),
the protocol used to connect to Windows Terminal Services, we (Cendio
Systems) have found that although the information sent over the network is
encrypted, there is no verification of the identity of the server when
setting up the encryption keys for the session.

This means RDP is vulnerable to Man In The Middle attacks (from here
on referred to as MITM attacks). The attack works as follows:

1) The client connects to the server, however by some method (DNS
   spoofing, ARP poisoning, etc.) we've fooled it to connect to the
   MITM instead. The MITM sends the request further to the server.
2) The server sends its public key and a random salt, in cleartext,
   again through the MITM. The MITM sends the packet further to the
   client, but exchanges the public key for another one for which it
   knows the private part.
3) The client sends a random salt, encrypted with the server public
   key, to the MITM.
4) The MITM decrypts the client's random salt with its private key,
   encrypts it with the real server's public key and sends it to the
   server.
5) The MITM now knows both the server and the client salt, which is
   enough information to construct the session keys used for further
   packets sent between the client and the server. All information
   sent between the parties can now be read in cleartext.

The vulnerability occurs because the clients by no means try to verify
the public key of the server, sent in step 2 above. In other
protocols, such as the Secure Shell protocol, most client
implementations solve this for example by letting the user answer a
question whether a specific server key fingerprint is valid.

The clients we've seen so far for RDP have no way to preinsert a known
server key. There is also no interaction with the user in order to
verify a key the first time a connection is made to a new server.

We have communicated with Microsoft in this matter, and they
confirmed 2003-03-19 that the problem does exist in their current
implementation. They are currently "investigating the feasibility in
adding this functionality". They also point out that they do not claim
RDP having the functionality of providing server authentication.

We feel that Microsoft is not taking this seriously enough. We know
there are sites using Terminal Services to transfer sensitive data,
and we feel that they need to be informed about this vulnerability in
order to be able to protect their networks. This is why we publish this
information at this moment.

We've tested this vulnerability against Windows 2000 Terminal Server,
Windows 2000 Advanced Server and the upcoming Windows Server 2003
using both the clients delivered with Windows 2000 and the latest
downloadable RDP client from Microsoft. We have reason to believe that
the vulnerability exists when running both RDP version 4 and 5, and
regardless of terminal server mode.

We have developed software that can be used to exploit this
vulnerability, but we choose not to release it.

\EF
--
Erik Forsberg                Telephone: +46-13-21 46 00
Cendio Systems               Web: http://www.thinlinc.com





--
-----------------------------------------------------------------------------
George Yobst, Library Technology Analyst        phone: 503.723.4890
Library Information Network of Clackamas County   fax: 503.794.8238
16239 SE McLoughlin Blvd, Suite 208         web: http://www.lincc.lib.or.us
Oak Grove, OR 97267-4654                  email: george@xxxxxxxxxxxxxxx
"...it is impossible for anyone to begin to learn
   what he thinks he already knows."  - Epictetus
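As an added illustration (not part of any message in this thread, nor Cendio's or Microsoft's code), a toy Python model of the five-step exchange Erik describes, with the SSH-style "pre-inserted server key fingerprint" check the advisory says RDP clients lack. The key pairs, the seal/open envelope and the session-key derivation are constructed stand-ins for the structure of the exchange, not RDP's real cryptography.

```python
import hashlib
import os

def fingerprint(pub):
    """Short hash a client could pre-insert for a known server (assumed format)."""
    return hashlib.sha256(pub).hexdigest()[:16]

class Party:
    """Toy key pair: pub is derived from priv. NOT real asymmetric crypto."""
    def __init__(self):
        self.priv = os.urandom(16)
        self.pub = hashlib.sha256(b"pub" + self.priv).digest()

    def open(self, envelope):
        """Only the holder of the private part matching the envelope's key can open it."""
        to_pub, salt = envelope
        if to_pub != self.pub:
            raise ValueError("envelope not sealed to this party's key")
        return salt

def seal(to_pub, salt):
    """Stand-in for 'encrypt salt with public key' (structural model only)."""
    return (to_pub, salt)

def session_key(client_salt, server_salt):
    """Both ends derive session keys from the two salts (constructed derivation)."""
    return hashlib.sha256(client_salt + server_salt).digest()

def handshake(server, mitm=None, pinned=None):
    """Steps 1-5 of the advisory. Returns (client_key, key derived by the MITM or None)."""
    server_salt = os.urandom(32)
    # Step 2: server key and salt travel in cleartext; a MITM in the path can swap the key.
    offered_pub = mitm.pub if mitm else server.pub
    # The check RDP clients lack: compare the offered key with a pre-inserted fingerprint.
    if pinned is not None and fingerprint(offered_pub) != pinned:
        raise ValueError("server key fingerprint mismatch, aborting handshake")
    # Step 3: the client seals its salt to whatever key it was offered.
    client_salt = os.urandom(32)
    env = seal(offered_pub, client_salt)
    mitm_key = None
    if mitm:
        # Step 4: the MITM opens the envelope with its own key and re-seals the salt
        # to the real server, which therefore notices nothing.
        seen = mitm.open(env)
        env = seal(server.pub, seen)
        mitm_key = session_key(seen, server_salt)  # step 5: it holds both salts
    server.open(env)  # the server derives the same key from the same two salts
    return session_key(client_salt, server_salt), mitm_key
```

Without a pinned fingerprint the intermediary ends up with the same session key as the client; with one, the swapped key is rejected before any salt is sent.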

********************************************************
This Week's Sponsor - Emergent Online
EOL's Universal Printer new Features include:
Network Printing, Pagestreaming, 2400 DPI.
No Client Software Required!
http://www.go-eol.com/
**********************************************************

For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm