[THIN] SV: Re: SV: Re: RPC and RDP

  • From: "Johan Martens" <johan.martens@xxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Sun, 4 Mar 2007 15:18:46 +0100

I wonder if a virus spreading through RPC and/or NetBIOS will spread through RDP 
also?  Or is the VC completely different in its implementation? 

 

Johan

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of 
Alex Danilychev
Sent: 2 March 2007 22:25
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: SV: Re: RPC and RDP

 

There are similar links for CE and Win32 implementations of RDP VC - check MSDN.
 
ALEX

________________________________

From: teknica@xxxxxxxxxxx
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: SV: Re: RPC and RDP
Date: Fri, 2 Mar 2007 13:17:06 -0800

True statement.
 
Check this:
http://msdn2.microsoft.com/en-us/library/aa912846.aspx
http://msdn2.microsoft.com/en-us/library/aa920229.aspx
Tons of info for developers but not admins.
 
ALEX




________________________________

From: steveg@xxxxxxxxxxxxxx
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: SV: Re: RPC and RDP
Date: Fri, 2 Mar 2007 13:42:58 -0700

 

I agree that this is how it works, but it is funny, I have not been able to 
find any documentation stating that. Does anyone have anything from MS explaining 
their implementation of secondary services over RDP? Citrix has a clear 
explanation and architecture of virtual channels, but I have not found the same 
kind of information from MS......

 

Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85262

(602) 432-8649

www.thinclient.net

steveg@xxxxxxxxxxxxxx

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of 
Bob Coffman Jr - Info From Data 
Sent: Friday, March 02, 2007 12:24 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: SV: Re: RPC and RDP

 

Yes, definitely mapped over a virtual channel.  I duplicated the test that Tony 
ran, 3389 is the only port active with local drives mapped.

 

- Bob Coffman

        -----Original Message-----
        From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
        On Behalf Of Alex Danilychev
        Sent: Friday, March 02, 2007 1:29 PM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: SV: Re: RPC and RDP

        Drives are mapped via VC.
         
        ALEX

        
________________________________


        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: SV: Re: RPC and RDP
        From: Anthony_Baldwin@xxxxxxxxx
        Date: Fri, 2 Mar 2007 12:53:49 -0500
        
        
        I logged into a W2K3 terminal server using RDP while running a netstat
        on my PC and I didn't see anything pop up except port 3389.
        
        So, I'm guessing the drive mapping worked over 3389.
        
        The client drives do show up on the terminal server under 'net use'
        listing, though.
        
        I guess a network sniff would tell for sure.
        
        Tony
        
        

        From: "Steve Greenberg" <steveg@xxxxxxxxxxxxxx>
        Sent by: thin-bounce@xxxxxxxxxxxxx 03/02/2007 12:42 PM
        Please respond to: thin@xxxxxxxxxxxxx
        To: <thin@xxxxxxxxxxxxx>
        cc:
        Subject: [THIN] Re: SV: Re: RPC and RDP
        
        I know for sure with ICA that the file transfer traffic is encapsulated
        in ICA and runs over the standard port 1494. With RDP, I *think* it is
        the same way over port 3389, however, I am strangely unable to find any
        documentation supporting that in the books at my desk or at the MS web
        site. Does anyone have a definitive answer to this??
        
        I am pretty sure that if you only allow 3389 that there will not be any
        NetBIOS style direct communication to the file share, but again, I am
        having a hard time finding a definitive technical reference on this....
        
        
        
        Steve Greenberg
        
        Thin Client Computing
        
        34522 N. Scottsdale Rd D8453
        
        Scottsdale, AZ 85262
        
        (602) 432-8649
        
        www.thinclient.net
        
        steveg@xxxxxxxxxxxxxx
        
        
        
         _____  
        
        From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
        On Behalf Of Johan Martens
        Sent: Friday, March 02, 2007 10:03 AM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] SV: Re: RPC and RDP
        
        
        
        Yes, I know when they connect through VPN, as they are in the LAN. BUT
        not if you use the firewall like we do, since you can make a policy in
        it and only allow traffic on port 3389. So if we have this scenario and
        connect with RDP and the client also maps its local drives to the RDP,
        will it use the same functions as it does if it just connects to a
        server through the LAN - NETBIOS.... ?
        And IF so, is it the same for the ICA protocol?
        
        I am sorry but my English is not good enough to explain how RPC works
        as a part in the file sharing.
        
        
        
        BUT maybe this will give a hint?
        
        
        
        The first DCOM hole was discovered on the client side, where supplying
        arbitrarily large and malformed parameters via the local DCOM API
        caused a local program crash. The exploit took advantage of a buffer
        overflow regarding the NetBIOS name portion of a fileshare name. If the
        NetBIOS name is above 32 bytes in length supplied to the
        CoGetInstanceFromFile() function, it would cause a crash in RPCSS.EXE
        and kill the Microsoft RPC service. Eventually LSD made the jump to
        remotely exploiting the problem by hand crafting DCOM request packets
        that contained the malformed parameter
        
        
        
         
        
        
        
        Best regards 
        
        
        
        Johan
        
        Kind regards
        
        Johan Martens
        
        Technology/Agda Operations department.
        
        Agda Lön AB
        
        Långskeppsgatan 9, 262 71  Ängelholm 
        Tel 0431-44 94 00 
        Fax 0431-160 13 
        mailto:johan@xxxxxxx
        www.agda.se 
        
        
        
         _____  
        
        From: thin-bounce@xxxxxxxxxxxxx on behalf of Steve Greenberg
        Sent: Fri 2007-03-02 17:12
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: RPC and RDP
        
        Can you explain how RPC works as part of file sharing? When you grant
        VPN access in this fashion the end user does have the same access as if
        they were local, I just don't know how RPC works as part of CIFS file
        sharing....
        
        
        
        Steve Greenberg
        
        Thin Client Computing
        
        34522 N. Scottsdale Rd D8453
        
        Scottsdale, AZ 85262
        
        (602) 432-8649
        
        www.thinclient.net
        
        steveg@xxxxxxxxxxxxxx
        
        
        
         _____  
        
        From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]
        On Behalf Of Johan Martens
        Sent: Friday, March 02, 2007 3:10 AM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] RPC and RDP
        
        
        
        
        
        Hi guys,
        
        
        
        I had a discussion with my boss the other day about RPC and RDP.
        
        
        
        If one of our employees connects to our firewall through VPN and then
        connects to a Terminal server and the local drives are mapped through
        the session, is it possible for a virus which uses RPC to go through
        this session, e.g. does the RDP protocol use RPC to map the drives like
        ordinary Windows drive mapping does?
        
        
        
        Thanks for answers
        
        
        
        Best regards
        
        
        
        Johan
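
The netstat test described in the thread, written as a repeatable check. This is an added example, not part of any poster's message: it parses Windows `netstat -an` output and reports whether the only established connection to the terminal server is on 3389, or whether the RPC/NetBIOS/SMB ports (135, 139, 445) are also in use. The addresses and the sample output are constructed.

```python
import re

RDP_PORT = 3389
# Classic Windows RPC / file-sharing ports the thread contrasts with RDP.
DIRECT_SHARE_PORTS = {135: "RPC endpoint mapper",
                      139: "NetBIOS session",
                      445: "SMB over TCP"}

# Constructed sample of `netstat -an` output (documentation address ranges).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.5:3389      ESTABLISHED
  TCP    192.0.2.10:1050        203.0.113.7:80         ESTABLISHED
  TCP    192.0.2.10:1061        198.51.100.5:445       TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")

def connections_to(netstat_text, server_ip):
    """Sorted remote ports of ESTABLISHED TCP connections to server_ip."""
    ports = []
    for line in netstat_text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        _laddr, _lport, raddr, rport, state = m.groups()
        if raddr == server_ip and state == "ESTABLISHED":
            ports.append(int(rport))
    return sorted(ports)

def assess(netstat_text, server_ip):
    """Summarise which ports carry traffic between this PC and the server."""
    ports = connections_to(netstat_text, server_ip)
    direct = {p: DIRECT_SHARE_PORTS[p] for p in ports if p in DIRECT_SHARE_PORTS}
    return {
        "rdp": RDP_PORT in ports,
        "direct_share": direct,  # non-empty means drive traffic may bypass RDP
        "only_rdp": bool(ports) and all(p == RDP_PORT for p in ports),
    }

if __name__ == "__main__":
    print(assess(SAMPLE_NETSTAT, "198.51.100.5"))
```

This only shows which TCP connections exist; it cannot show what is carried inside the 3389 session, which is why a packet capture is the stronger test.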
