
Remote Desktop Vulnerability

01st July 2010 09:00 am

Yesterday I believed I came across a potential security vulnerability whilst using Windows Remote Desktop: a program failed to close whilst my remote session was being terminated, which kept me logged in and Remote Desktop open without my knowledge.
So off I went to email them the issue, hoping that they would escalate my point and actually look into it; instead I got what looks like a stock response… I don’t understand how they can’t see this as a potential vulnerability, with the comment “how would an attacker leverage this to compromise the system”. My email and Microsoft’s response are below; what do you think?


To Microsoft (from me)

Good afternoon.

I was working in remote desktop to an online web server whilst trying to troubleshoot a problem I was having with a website but then left remote desktop inactive (still open and logged in) whilst I read some articles on my current machine through a web browser.

The timeout on inactivity is quite short (maybe 10 minutes or so) for the remote desktop, and I was away from remote desktop for at least an hour.

However a rather worrying sight was presented to me when I realised it (remote desktop) was still open. When I made the window active again it had an “End Program” dialog for a program that had problems ending itself (this was probably due to remote desktop trying to terminate my session). Now the problem here is that when you click “Cancel” instead of “End Now” the dialog disappears and the remote desktop session is not terminated (i.e. I’m still logged in).

Obviously this could result in a catastrophic event occurring where (if someone left a machine with remote desktop open and logged in) another person could come onto the client machine and essentially have full rein over the entire remote system, causing serious damage (re-format, install virus, etc.).

Some key information which may be of use to you is:

  • Machine is running – Windows Server 2003 Standard Edition with Service Pack 2
  • Program which would not close – ClamWin (update module I believe it was)
  • Client remote desktop version – 6.1.7600.16385 (win7_rtm.090713-1255)
  • Logged into client machine (running under a domain) under registered NT Account with Administrative capabilities
  • Logged in (through remote desktop) as Administrator

I hope this helps and if I can be of any more assistance, please contact me.

Kind regards
Daniel Richardson


From Microsoft (to Me)

Hello Dan,

Thank you for your message. This is not something that we would consider to be a security vulnerability. One of the major questions here is “how would an attacker leverage this to compromise the system?” In this situation, I believe the attacker would require physical access to the system, which violates the 10 Immutable Laws of Security, available at http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx. Additionally, Terminal Services on Windows Server 2003 allows configuration that will force programs to shut down based on various criteria. An article on configuring this is available at http://technet.microsoft.com/en-us/library/cc787183(WS.10).aspx.

If you have additional information or believe that we mis-read something in your report, please let me know.

Best Regards,
Nate
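Microsoft’s reply points at the Terminal Services time-limit settings as the fix, and the whole problem in my email was a session that outlived the idle limit without anyone noticing. The script below is an added example (not from the original post, my email, or Microsoft’s reply) that a server admin could run on the host to check both halves of that: it reads the Terminal Services idle/disconnect limits from the Group Policy key and from the RDP-Tcp listener key (`MaxIdleTime`, `MaxDisconnectionTime`, stored in milliseconds, and `fResetBroken`, which is 1 when a session is ended rather than just disconnected once a limit is hit), then parses `quser` output to list sessions that have been idle longer than a threshold. The 10-minute default threshold is the figure from my email; the `quser` parsing and the output layout are my own assumptions about that tool’s text format.

```powershell
# Added example: audit Terminal Services time limits and report idle sessions.
# Assumes it runs locally on the server with administrator rights.

param(
    [int]$IdleThresholdMinutes = 10   # assumption: roughly the idle timeout described in the post
)

# Group Policy key first, then the per-listener setting for the RDP-Tcp listener.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)

function Get-TsTimeLimitPolicy {
    # Limits are DWORD milliseconds; fResetBroken=1 means "end session" instead of "disconnect".
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        New-Object PSObject -Property @{
            Key                  = $key
            MaxIdleMinutes       = if ($props.MaxIdleTime) { $props.MaxIdleTime / 60000 } else { 'not set' }
            MaxDisconnectMinutes = if ($props.MaxDisconnectionTime) { $props.MaxDisconnectionTime / 60000 } else { 'not set' }
            EndSessionOnLimit    = ($props.fResetBroken -eq 1)
        }
    }
}

function ConvertFrom-QuserIdle {
    # quser prints idle time as "none", ".", "MM", "H:MM" or "D+HH:MM"; return whole minutes.
    param([string]$Text)
    if ($Text -match '^(none|\.)$') { return 0 }
    if ($Text -match '^(\d+)\+(\d+):(\d+)$') { return [int]$matches[1] * 1440 + [int]$matches[2] * 60 + [int]$matches[3] }
    if ($Text -match '^(\d+):(\d+)$')        { return [int]$matches[1] * 60 + [int]$matches[2] }
    if ($Text -match '^\d+$')                { return [int]$Text }
    return 0
}

function Get-IdleRdpSessions {
    param([int]$ThresholdMinutes)
    # One row per logged-on session. The caller's own row starts with ">" and a
    # disconnected session has an empty SESSIONNAME column, so that group is optional.
    $pattern = '^\s*>?(?<user>\S+)\s+(?:(?<session>[^\s\d]\S*)\s+)?(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+)$'
    foreach ($line in (quser 2>$null | Select-Object -Skip 1)) {
        if ($line -match $pattern) {
            $idleMinutes = ConvertFrom-QuserIdle $matches['idle']
            if ($idleMinutes -lt $ThresholdMinutes) { continue }
            New-Object PSObject -Property @{
                User        = $matches['user']
                Session     = $matches['session']
                Id          = [int]$matches['id']
                State       = $matches['state']
                IdleMinutes = $idleMinutes
                LogonTime   = $matches['logon'].Trim()
            }
        }
    }
}

Write-Host "Terminal Services time-limit settings:"
Get-TsTimeLimitPolicy | Format-List

Write-Host "Sessions idle for $IdleThresholdMinutes minutes or more:"
Get-IdleRdpSessions -ThresholdMinutes $IdleThresholdMinutes | Format-Table -AutoSize
```

If the first section shows `EndSessionOnLimit` as `False` (or the limits as `not set`), a session that hits the idle limit is only disconnected, not logged off, which is exactly the state where a hung program’s “End Program” prompt can leave the desktop sitting open; the second section then tells you which sessions are already in that window.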




© danrichardson.net | Dan Richardson 2010 ~ blog powered by WordPress