Breaking Out of Windows RemoteApps
Microsoft has included a new feature in Windows Server 2008 to allow sharing individual applications through Terminal Services. This is not a new concept - Citrix has been offering something similar for a long time. Microsoft is also now offering a Terminal Services Gateway and TS Web Gateway for accessing Terminal Services, and RemoteApps, from the Internet. What isn't well known, but also isn't new, is the ability to 'break out' of these applications and access other applications and files on the Terminal Server. It is very easy to break out of GUI apps, even for non-technical people. Below I will highlight a few examples of running other applications from a RemoteApp, and later I will follow with a number of configuration suggestions for securing your server.
In the screenshots I have changed the title bar red on the remote server to help distinguish what is being served from the remote system. The Terminal Server in the following examples is named RTFM-SRV.rtfm.lab.
A word about responsible disclosure: What I am presenting here is not actually a vulnerability - rather it is a 'feature' of RemoteApp. Further, the idea of breaking out of GUI applications has been around for a long time, and breaking out of UIs for even longer (the technique predates GUIs). In reality this is about configuring your server properly to restrict access, and server administrators need to know that even though it looks like you are presenting a user an application, you are really presenting them a desktop.
Breaking out of Internet Explorer
Methods of breaking out of Internet Explorer have been around for a long time, and have been abused on kiosks to access unauthorized resources. Because of the address bar, this one is a walk in the park.

To break out of Internet Explorer, just type the address of a local resource in the address bar. For example, you could enter file:///c:/windows/explorer.exe to launch the remote file explorer or file:///c:/windows/system32/cmd.exe to launch a remote command shell.

Breaking out of WordPad
Next we'll try an application with a very limited GUI - WordPad. Fortunately for the attacker, any application that uses standard Windows file (open, save as) dialogs can be escaped. To break out of WordPad, go to the File drop down menu and select Open or Save As.

From there, navigate to the executable that you would like to run (for example, c:\windows\explorer.exe), right-click the executable, and select Open.

Breaking out of Calc
Finally, to add some challenge, we will attempt to launch other applications from the Windows Calculator (calc.exe). Calc has a very limited GUI with only Edit, View, and Help menus - and not a lot of items in those either. However, we can (ab)use the Windows online help functionality to run other executables.

By going to the Help drop down menu and selecting Help Topics, Windows Help and Support will open. Click the button at the bottom of the window for "Ask someone or expand your search." In the "Getting Additional Windows Server Support" screen, click on any of the URLs presented to start Internet Explorer. Follow the "Breaking out of Internet Explorer" instructions above.

Conclusion
As you can see from the examples, it is trivial to execute other applications even when presented with a simplified interface. Any application that uses Windows dialogs or Windows help can easily be used to leapfrog to other applications, and this extends to custom GUIs and controls that may have their own methods of escape. Application presentation is a convenience feature, not a security feature. Further hardening of the operating system must be done to prevent a malicious user from abusing their access. In the next article I will present several methods for improving security in a RemoteApp environment.
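One way to check whether this is happening on a server, as an added example that is not part of the original article: given process-creation records for RemoteApp sessions, flag every process that was never published and walk its parent chain back to the published application it was started from. The record layout, the sample events, the published list and the rdpinit.exe/rdpshell.exe baseline are constructed assumptions, and PIDs are assumed not to be reused within a session.

```python
# Added example: constructed data, not logs from the server in the article.
CALC = r"C:\Windows\System32\calc.exe"
WORDPAD = r"C:\Program Files\Windows NT\Accessories\wordpad.exe"
PUBLISHED = {CALC, WORDPAD}          # what the admin believes users can run
# Assumption: per-session RemoteApp plumbing to ignore; tune for your server.
BASELINE = {r"C:\Windows\System32\rdpinit.exe", r"C:\Windows\System32\rdpshell.exe"}

# Constructed records: (session id, pid, parent pid, image path)
EVENTS = [
    (3, 100, 4, r"C:\Windows\System32\rdpinit.exe"),
    (3, 110, 100, CALC),
    (3, 120, 110, r"C:\Windows\HelpPane.exe"),
    (3, 130, 120, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (3, 140, 130, r"C:\Windows\System32\cmd.exe"),
    (5, 210, 200, WORDPAD),
    (5, 220, 210, r"c:\windows\explorer.exe"),
    (7, 310, 300, CALC),
    (9, 400, 999, r"C:\Windows\System32\cmd.exe"),   # parent never logged
]

def find_breakouts(events, published=PUBLISHED, baseline=BASELINE):
    """Return one finding per process that is neither published nor baseline."""
    pub = {p.lower() for p in published}
    allowed = pub | {p.lower() for p in baseline}
    by_pid = {(s, pid): (ppid, img) for s, pid, ppid, img in events}
    findings = []
    for session, pid, ppid, image in events:
        if image.lower() in allowed:      # full-path match, case-insensitive
            continue
        # Walk the parent chain to find the published app the user started from.
        chain, cur, seen = [image], ppid, {pid}
        while (session, cur) in by_pid and cur not in seen:
            seen.add(cur)
            cur, parent_image = by_pid[(session, cur)]
            chain.append(parent_image)
        origin = next((i for i in chain if i.lower() in pub), None)
        findings.append({"session": session, "pid": pid, "image": image,
                         "origin": origin, "chain": chain[::-1]})
    return findings

if __name__ == "__main__":
    for f in find_breakouts(EVENTS):
        print(f"session {f['session']}: {f['image']} (pid {f['pid']}) "
              f"via {f['origin'] or 'unknown parent'}")
```

Matching on the full image path rather than the file name keeps a copied or renamed binary from passing as a published application.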
