[22050] in bugtraq
NT TS / Win 2K and F7 - Enter bug
daemon@ATHENA.MIT.EDU (liamh@spook.thevenue.org)
Wed Aug 1 11:59:34 2001
Date: Tue, 31 Jul 2001 22:44:10 -0700 (PDT)
From: <liamh@spook.thevenue.org>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.02.10107312242001.1871-100000@spook.thevenue.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
I've got this working, albeit differently on Win NT/Terminal Server, and
2K Terminal server. Here's an interesting little obfuscation exploit that
works:
1) Log on to TS
2) run cmd.exe
3) do the F7 - Enter exploit
This hangs the cmd.exe window, and this task cannot be ended normally.
Now:
4) Log on as an administrator
5) Bring up Terminal Server Administration
6) Log off the user above
The user will disappear from the list.
However, the user will still be logged on!
Not only that, but the user can continue to execute commands (except
cmd.exe) for about 1/2 hour (didn't time it, so I'm not 100% sure).
Also note, Terminal Server Administration may hang in this state when you
try to do a user list.
Cheers,
Liam
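The symptom described above (a session vanishes from the admin tool while its processes keep running) can be checked for from a defender's side by comparing the live session list against the session IDs that running processes report. The following PowerShell is an added example, not part of Liam's post; it assumes `qwinsta` (query session) and `Get-Process` are available, and the session text and process objects it feeds in are constructed samples.

```powershell
# Added example (not from the original post): flag processes whose session ID
# no longer appears in the terminal-session list. Assumes 'qwinsta' and
# Get-Process exist; the sample data below is constructed, not captured.

function Get-ListedSessionIds {
    param([string[]]$QwinstaLines)
    # qwinsta prints columns SESSIONNAME USERNAME ID STATE TYPE DEVICE; the ID
    # is the first purely numeric token on each data line after the header.
    $ids = @()
    foreach ($line in ($QwinstaLines | Select-Object -Skip 1)) {
        $tokens = $line.Trim() -split '\s+'
        $id = $tokens | Where-Object { $_ -match '^\d+$' } | Select-Object -First 1
        if ($null -ne $id) { $ids += [int]$id }
    }
    return $ids
}

function Find-OrphanedProcesses {
    param([int[]]$ListedSessionIds, [object[]]$Processes)
    # Session 0 hosts services and is never a user session, so it is skipped.
    $Processes | Where-Object {
        $_.SessionId -ne 0 -and ($ListedSessionIds -notcontains $_.SessionId)
    }
}

# Constructed sample: session 2 was "logged off" but a cmd.exe still runs in it.
$sampleQwinsta = @(
    ' SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE',
    ' services                                    0  Disc',
    '>rdp-tcp#1         alice                     1  Active  rdpwd',
    ' rdp-tcp                                 65536  Listen'
)
$sampleProcs = @(
    [pscustomobject]@{ Name = 'explorer'; Id = 1200; SessionId = 1 },
    [pscustomobject]@{ Name = 'cmd';      Id = 1540; SessionId = 2 }
)
Find-OrphanedProcesses (Get-ListedSessionIds $sampleQwinsta) $sampleProcs |
    Format-Table Name, Id, SessionId   # lists cmd (PID 1540) in unlisted session 2

# Live check on a real host (run elevated so all users' processes are visible):
# Find-OrphanedProcesses (Get-ListedSessionIds (qwinsta)) (Get-Process) |
#     Format-Table Name, Id, SessionId
```

A hit from the live check is exactly the "logged off but still running" state the post describes and is worth a second look before trusting the session list alone.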