Terminal Services Mis-configured

I’m not sure if I’ve posted about this or not. During March and into April we had a pen-testing project as school. At the beginning of the semester we had a project to configure our server (Windows 2003, or Red Hat Enterprise AS 4). Next we had to perform reconnaissance on our classmates and a collection of cannon fodder servers set up by the instructor. This led into the pen testing assignment.
Going into the assignment, my main concern was not getting hacked and not embarrassing myself. It actually turned out better than that. I didn’t get hacked, and I was able to hack more servers than anyone else in the class.
What differentiated my results from those of my classmates were a series of application attacks. The foundation for these attacks were laid when Terminal Services was installed. You see Terminal Services has asks at install if you want high security or application compatibility. If you select application compatibility, then any terminal server user has modify rights to c:\program files\* and some important registry keys. The administrator of those servers should have looked at the terminal server settings and changed it to the high security, or looked at the file ACLs and removed unnecessary permissions.
Although my “guest” account only had user rights, because I was a terminal server user, I was able to modify some key files. Luall.exe is Symantec Liveupdate. When a scheduled liveupdate runs, it runs with SYSTEM permissions. By replacing luall.exe with my own version of the file, I was able to escalate my rights and own multiple servers.
This is another case of application compatibility mode causing security troubles. Of course this is not the preferred configuration for Terminal Services. So hopefully this isn’t an exposure that you have on your own servers. So if you have Terminal Services, even just for remote admin mode, make sure that you check your security level. Otherwise a Terminal Server User is just an admin who hasn’t promoted himself yet.

One Comment

  1. Ive been googling for a long time for a torrent to full like 40+ GB rainbow tables and if asked re seed them with a 1GB upload connection. Do you know where I can get a torrent or two?

Comments are closed.