[THIN] Re: SV: Re: RPC and RDP

  • From: "Bob Coffman Jr - Info From Data " <bcoffman@xxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 2 Mar 2007 14:24:01 -0500

Yes, definitely mapped over a virtual channel.  I duplicated the test that
Tony ran, 3389 is the only port active with local drives mapped.
 
- Bob Coffman

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Alex Danilychev
Sent: Friday, March 02, 2007 1:29 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: SV: Re: RPC and RDP


Drives are mapped via VC.
 
ALEX



  _____  

To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: SV: Re: RPC and RDP
From: Anthony_Baldwin@xxxxxxxxx
Date: Fri, 2 Mar 2007 12:53:49 -0500


I logged into a W2K3 terminal server using RDP while running a netstat on my
PC and I didn't see anything popup except port 3389. 

So, I'm guessing the drive mapping worked over 3389. 

The client drives do show up on the terminal server under 'net use' listing,
though. 

I guess a network sniff would tell for sure. 

Tony




"Steve Greenberg" <steveg@xxxxxxxxxxxxxx> 
Sent by: thin-bounce@xxxxxxxxxxxxx 03/02/2007 12:42 PM 


Please respond to
thin@xxxxxxxxxxxxx



To
<thin@xxxxxxxxxxxxx> 

cc

Subject
[THIN] Re: SV: Re: RPC and RDP  

                




I know for sure with ICA that the file transfer traffic is encapsulated in
ICA and runs over the standard port 1494. With RDP, I *think* it is the same
way over port 3389, however, I am strangely unable to find any documentation
supporting that in the books at my desk or at the MS web site. Does anyone
have a definitive answer to this?? 



I am pretty sure that if you only allow 3389 that there will not be any
NetBios style direct communication to the file share, but again, I am having
a hard time finding a definitive technical reference on this.... 



Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85262

(602) 432-8649

www.thinclient.net

steveg@xxxxxxxxxxxxxx



 _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Johan Martens
Sent: Friday, March 02, 2007 10:03 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] SV: Re: RPC and RDP



Yes I know when they connect true VPN as they are in the LAN. BUT not if you
use the firewall like we do since you can make a policy in it and only allow
traffic on port 3389. So if we have this scenario and connect with RDP and
the client also mapp is local drives to the RDP will he use same functions
as he does as if he just connect to a server true the LAN -  NETBIOS.... ?
And IF so is it same for ICA protocol?



I am sorry but my english is not good enough to explain how RPC works as a
part in the file sharing.



BUT maybe this will give a hint?



The first DCOM hole was discovered on the client side, where supplying
arbitrarily large and malformed parameters via the local DCOM API caused a
local program crash. The exploit took advantage of a buffer overflow
regarding the NetBIOS name portion of a fileshare name. If the NetBIOS name
is above 32 bytes in length supplied to the CoGetInstanceFromFile ()
function, it would cause a crash in RPCSS.EXE and kill the Microsoft RPC
service. Eventually LSD made the jump to remotely exploiting the problem by
hand crafting DCOM request packets that contained the malformed parameter



 



Best regards 



Johan

Med vänlig hälsning 

Johan Martens

Teknik/Agdadrift avdelningen.

Agda Lön AB

Långskeppsgatan 9, 262 71  Ängelholm 
Tel 0431-44 94 00 
Fax 0431-160 13 
mailto:johan@xxxxxxx
www.agda.se 



 _____  

Från: thin-bounce@xxxxxxxxxxxxx genom Steve Greenberg
Skickat: fr 2007-03-02 17:12
Till: thin@xxxxxxxxxxxxx
Ämne: [THIN] Re: RPC and RDP

Can you explain how RPC works as part of file sharing? When you grant VPN
access in this fashion the end user does have the same access as if they
were local, I just don't know how RPC works as part of CIFS file sharing....



Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85262

(602) 432-8649

www.thinclient.net

steveg@xxxxxxxxxxxxxx



 _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Johan Martens
Sent: Friday, March 02, 2007 3:10 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] RPC and RDP





Hi guys,



I had a discussion with my boss the other day about RPC and RDP.



If one of our employees connect to our firewall true VPN and then connect to
a Terminal server and the map local drives are mapped true the session. Is
it possible for a virus which uses RPC to go true this session, eg does the
RDP protocol use the RPC to map the drives like ordinary windows drive
mapping does?



Thansk for answers



Best regards



Johan




Other related posts: