RDP Vulnerability -- Heads Up / Question

  1. #1
    Senior Member · Join Date: Jan 2003 · Posts: 3,914

    RDP Vulnerability -- Heads Up / Question

    Hey Hey,

    Has anyone seen a live exploit for the new RDP vulnerability and does anyone know how serious it is?

    Info @ http://www.microsoft.com/technet/sec...ry/904797.mspx
    Sans Info @ http://isc.sans.org/diary.php

    I run RDP and I'm wondering if, for the mean time, I should be disabling the service.... I haven't seen any mention of it on most of my usual stomping grounds, so it leads me to believe that it's not that big yet...

    It looks like it's just a blue screen if you follow this thread

    https://www.immunitysec.com/pipermai...ly/002185.html

    Anyways.... any word on the severity of this?

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #2
    Senior Member · Join Date: May 2003 · Posts: 1,199
    Yea, I'm going to have to look into this now because I use RDP a lot. I also have clients that use term server religiously, which would be affected also. Thanks for the heads up.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    AO Ancient: Team Leader · Join Date: Oct 2002 · Posts: 5,197
    The best two recommendations I have seen - which are good sense anyway - are:-

    1. VPN the connection, (which is what I do at work)
    2. IPSec the connection, (which is what I am working on at home right now).
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Senior Member · Join Date: Jan 2003 · Posts: 3,914
    Originally posted here by Tiger Shark
    The best two recommendations I have seen - which are good sense anyway - are:-

    1. VPN the connection, (which is what I do at work)
    2. IPSec the connection, (which is what I am working on at home right now).
    Hey Hey,

    I highly agree with the VPN and that's normally how I run... The problem is that when I'm at the college (where I spend 75% of my time) I can't establish a VPN connection to my home... This leaves me with directly connecting to RDP as my only option... Which is why I'm hopeful that we'll see a patch for this in the near future.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  5. #5
    AntiOnline Senior Medicine Man · Join Date: Nov 2001 · Posts: 724
    I guess...but really the only threat is a Denial of Service. I personally am not too worried with my home box getting DOS'd. But even if I was, I'm certain that these packets could be blocked at firewall, or router level.

    I'm not really about sacrificing the LITTLE speed RDP has by tunnelling through a whole bunch of crap.
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2

  6. #6
    AO Ancient: Team Leader · Join Date: Oct 2002 · Posts: 5,197
    I guess...but really the only threat is a Denial of Service.
    Er... The only _currently known_ threat is DoS.... What happens if someone is carefully crafting an overflow? Better to seal the gates now than allow "complacency" to sink the ship don't you think?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    AO Senior Cow-beller, Moderator · Join Date: Dec 2004 · Location: Mountain standard tribe. · Posts: 1,177
    Originally posted here by HTRegz
    Hey Hey,

    I highly agree with the VPN and that's normally how I run... The problem is that when I'm at the college (where I spend 75% of my time) I can't establish a VPN connection to my home... This leaves me with directly connecting to RDP as my only option... Which is why I'm hopeful that we'll see a patch for this in the near future.

    Peace,
    HT
    HT your best bet, short of stopping the RDP service(s), is to:

    #1 - use an alternate port and port map it through your firewall/router
    (if you reply that you don't use a firewall/router, I'll kick you)

    #2 - ACL. that is, limit the IP's that can connect to said port(s) at your firewall router
    (same as previous sub-comment)

    Changing the port doesn't really protect you per se, but it will stop the inevitable Worms/Virii/Crapware that will propagate, which will flood these port(s) with packets from zombies. This is really a practice of security through obscurity, but it will allow you to continue to use RDP with a decreased exposure to this threat.

    Using an ACL will slow down any potential active threat who may be probing or scanning your system/network. If done properly, they may still find the port is open, but they won't necessarily know what it is. This won't stop them from flooding it with everything from a christmas tree to the RDP malformed packet, but in doing so they would be less stealthy and easier to detect.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
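The two mitigations zencoder lays out above (publish RDP on an alternate external port that the firewall maps back to 3389, and an ACL that limits which source addresses may reach that port) can be modelled as a small policy evaluator run over firewall log lines. The following is an added example written for this page, not code from the thread or from any poster; the external port 43389, the allowed source networks, the single probing address and the "src_ip dst_port" log format are all constructed for illustration. The last function also shows the point made at the end of the post: a prober walking ports against an ACL'd edge leaves a multi-port trail in the drop log that is easy to pick out.

```python
"""Model an alternate-port mapping plus a source ACL in front of an RDP listener,
then run constructed inbound-connection log lines through it. Added example;
every address and port below is a constructed placeholder."""
import ipaddress
from collections import defaultdict

# Hypothetical policy: the firewall publishes RDP on external port 43389 and
# forwards it to the internal host's 3389. Port 3389 itself is never exposed.
EXTERNAL_RDP_PORT = 43389
INTERNAL_RDP_PORT = 3389

# Hypothetical ACL: only these source networks may use the published port.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed firewall log: one inbound attempt per line, "<src_ip> <dst_port>".
SAMPLE_LOG = """\
203.0.113.45 43389
198.51.100.7 43389
192.0.2.9 3389
192.0.2.9 43389
192.0.2.9 22
192.0.2.9 80
203.0.113.45 3389
"""


def source_allowed(src_ip: str) -> bool:
    """True if the source address falls inside any ACL network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def evaluate(src_ip: str, dst_port: int) -> str:
    """Firewall decision for one inbound attempt.
    'forward': an allowed source hitting the published port (mapped to 3389).
    'drop'   : everything else, including hits on the default port 3389 and
               non-allowlisted sources on the published port."""
    if dst_port == EXTERNAL_RDP_PORT and source_allowed(src_ip):
        return "forward"
    return "drop"


def parse_log(text: str):
    """Yield (src_ip, dst_port) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, port = line.split()
        yield ip, int(port)


def decisions(text: str):
    """Apply the policy to every log line; returns (src, port, verdict) tuples."""
    return [(ip, port, evaluate(ip, port)) for ip, port in parse_log(text)]


def noisy_sources(text: str, threshold: int = 3):
    """Sources whose dropped attempts touched at least `threshold` distinct ports.
    This is the detection side of the ACL: a scanner probing for the moved
    service shows up as one address spread across many dropped ports."""
    ports_by_src = defaultdict(set)
    for ip, port, verdict in decisions(text):
        if verdict == "drop":
            ports_by_src[ip].add(port)
    return sorted(ip for ip, ports in ports_by_src.items() if len(ports) >= threshold)


if __name__ == "__main__":
    for ip, port, verdict in decisions(SAMPLE_LOG):
        target = f" -> :{INTERNAL_RDP_PORT}" if verdict == "forward" else ""
        print(f"{ip:>14} :{port:<6} {verdict}{target}")
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
```

Run as a script it prints the verdict for each constructed line: the two allowlisted addresses on port 43389 are forwarded, the allowlisted address that tries 3389 directly is dropped (the default port is simply not published), and 192.0.2.9, which is outside the ACL and touches four ports, is the only source reported as noisy. On a real edge device the same policy is two rules, a port-forward for the published port and a source restriction on it, and the drop counter per source is what you would graph or alert on.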
