Terminal Services applications

This week for work I ran into a couple of applications running over terminal services. It's like a pseudo remote desktop sort of thing. The idea is that you have an application that runs remotely that others can use. What’s supposed to happen is that a user can only use said application and nothing more. That’s where the fun comes into play – breaking out of terminal services to run other applications.

Sometimes, however, you can’t just break out so easily.

For this next one, I leveraged the same type of attack by first getting the help file to open an internet browser, then navigating to a batch file (VBScripts work too) for execution of other applications. Unfortunately, I forgot to take a screenshot. You’ll just have to take my word for it. The idea I’m getting at is this – if your users can launch the browser, then the browser can in turn be used against the application. The box in question was an XP box running IE version 6. The next stage in that attack was simply finding a known vulnerability in IE 6 (there are hundreds of them) and using the client-side exploit to launch a shell.
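
A defender-side check for the chain described above (application, help file, browser, batch file), added here as an example and not part of the original post: it walks parent links in process-creation records and reports anything started beneath the published application that is not on an allowlist. The records are constructed, and `lobapp.exe`, `hh.exe` as the help viewer, and the allowlist are assumptions; PID reuse is ignored.

```python
# Constructed process-creation records (pid, parent pid, image name) for a
# Terminal Services host; not taken from the original post.
EVENTS = [
    (100, 1,   "lobapp.exe"),    # hypothetical published application
    (110, 100, "hh.exe"),        # help viewer opened from the app (assumed)
    (120, 110, "iexplore.exe"),  # browser opened from the help file
    (130, 120, "cmd.exe"),       # batch file run from the browser
    (140, 130, "notepad.exe"),   # another application started by the batch file
    (200, 1,   "lobapp.exe"),    # a second user who stays inside the app
    (210, 200, "hh.exe"),
]

PUBLISHED_APP = "lobapp.exe"
ALLOWED_IMAGES = {"lobapp.exe", "hh.exe"}  # assumed allowlist for this app


def find_breakouts(events, root_image=PUBLISHED_APP, allowed=ALLOWED_IMAGES):
    """Return (pid, chain) for every descendant of the published application
    whose image is not on the allowlist. chain runs from the app downwards."""
    by_pid = {pid: (ppid, image.lower()) for pid, ppid, image in events}
    findings = []
    for pid, (ppid, image) in by_pid.items():
        if image in allowed:
            continue
        # Walk up the parent links until we reach the published application
        # or run out of known parents; 'seen' guards against loops.
        chain, cur, seen = [image], ppid, {pid}
        while cur in by_pid and cur not in seen:
            seen.add(cur)
            parent_ppid, parent_image = by_pid[cur]
            chain.append(parent_image)
            if parent_image == root_image:
                findings.append((pid, list(reversed(chain))))
                break
            cur = parent_ppid
    return findings


if __name__ == "__main__":
    for pid, chain in find_breakouts(EVENTS):
        print(f"pid {pid}: " + " -> ".join(chain))
```

On the sample records this reports the browser, the command interpreter and the application it started, each with the full chain back to the published application, while the second session that only opens help produces nothing.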
