[NT] Invalid RDP Data Can Cause Memory Leak in Terminal Services

From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Invalid RDP Data Can Cause Memory Leak in Terminal Services
Message-Id: <20010729194108.9B40B138BF@mail.der-keiler.de>
Date: Sun, 29 Jul 2001 21:41:08 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Invalid RDP Data Can Cause Memory Leak in Terminal Services
------------------------------------------------------------------------

SUMMARY

The Windows 2000 Terminal Services service and Windows NT 4.0 Terminal
Server Edition contain a memory leak in one of the functions that processes
incoming Remote Desktop Protocol (RDP) data received on TCP port 3389. Each
time an RDP packet containing a specific type of malformation is processed,
the memory leak depletes overall server memory by a small amount.

If an attacker sent a sufficiently large quantity of such data to an
affected machine, he could deplete the machine's memory to the point where
response time would be slowed or the machine's ability to respond would be
stopped altogether. All system services would be affected, including but
not limited to terminal services. Normal operation could be restored by
rebooting the machine.

DETAILS

Affected software:
 * Microsoft Windows NT 4.0, Terminal Server Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

Mitigating factors:
 * Normal firewalling could be used to prevent an attacker from exploiting
this vulnerability from the Internet. Specifically, blocking port 3389
would prevent an attacker from delivering data to the affected service,
thereby preventing him from exploiting the vulnerability.
 * There is no capability to compromise data or usurp privileges via the
vulnerability.

Patch availability:
Download locations for this patch
 * Microsoft Windows NT 4.0, Terminal Server Edition:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31615
 * Microsoft Windows 2000:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30195
 * Microsoft Windows 2000 Datacenter Server:
Patches for Windows 2000 Datacenter Server are hardware-specific and
available from the original equipment manufacturer.

What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending a large quantity of
malformed data to an affected terminal server, an attacker could disrupt
any active sessions in effect on the server, and prevent the server from
starting any new ones.

The vulnerability would not enable an attacker to compromise any data on
the server, or to usurp any privileges on the machine. The administrator
of an affected machine could restore normal service by rebooting the
machine.

What causes the vulnerability?
The vulnerability results because of a memory leak in the Windows 2000
Terminal Server service. If a sufficient quantity of data packets
containing a particular malformation were received, it could deplete the
available memory to the point where the server would be incapable of
performing useful work.

What's a memory leak?
A memory leak is an implementation error that depletes the available
memory on a system. As a process on a computer runs, it may need more or
less memory, depending on exactly what it is doing from one minute to the
next. When the process needs more memory, it requests it from the
operating system; when it no longer needs the additional memory, it should
return it to the operating system so it can be allocated to other
processes.

If a process does not correctly return memory to the operating system, the
memory remains assigned to the process even though the process is no
longer using it, and the memory cannot be re-allocated. This effectively
makes the block of memory unavailable. In this case, the Windows 2000
service that supports terminal server sessions has an implementation error
that results in a memory leak when certain invalid data is sent to it.
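As an added illustration (not part of the Microsoft or SecuriTeam text, and using a constructed toy packet format rather than the real RDP encoding), the C program below shows the shape of the bug described in the two answers above: a handler that allocates a buffer for every incoming packet and, on the error path for a malformed field, returns without releasing it. A fixed version beside it releases the buffer on every path, and a small flood driver shows that the leaked amount is small per packet but grows linearly with the number of rejected packets, which is why an unauthenticated sender only needs volume. The header layout, the "type" check, and all function names here are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy wire format (NOT the real RDP encoding): a 4-byte header
 * holding a 16-bit payload length and a 16-bit "type" that must be 1..3,
 * followed by the payload. */
#define HDR_LEN 4
#define MAX_PAYLOAD 1024

/* Bookkeeping so the leak is observable without a debugger. */
static size_t live_bytes = 0;   /* bytes currently allocated by the handler */
static size_t live_blocks = 0;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (p) { live_bytes += n; live_blocks++; }
    return p;
}
static void tracked_free(void *p, size_t n) {
    if (p) { live_bytes -= n; live_blocks--; free(p); }
}

static int read_u16(const uint8_t *p) { return (p[0] << 8) | p[1]; }

/* Vulnerable handler: allocates a per-packet buffer, then validates the
 * "type" field. The early return on a malformed type skips the free, so
 * every malformed packet leaks its payload buffer.
 * Returns 0 when the packet is accepted, -1 when it is rejected. */
static int handle_packet_leaky(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < HDR_LEN) return -1;
    size_t payload_len = read_u16(pkt);
    int type = read_u16(pkt + 2);
    if (payload_len > MAX_PAYLOAD || pkt_len != HDR_LEN + payload_len) return -1;

    uint8_t *buf = tracked_alloc(payload_len);
    if (!buf) return -1;
    memcpy(buf, pkt + HDR_LEN, payload_len);

    if (type < 1 || type > 3)
        return -1;                 /* BUG: buf is never freed on this path */

    /* ... normal processing of buf would go here ... */
    tracked_free(buf, payload_len);
    return 0;
}

/* Fixed handler: same logic, but a single exit path, so the buffer is
 * released whether the packet is accepted or rejected. */
static int handle_packet_fixed(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < HDR_LEN) return -1;
    size_t payload_len = read_u16(pkt);
    int type = read_u16(pkt + 2);
    if (payload_len > MAX_PAYLOAD || pkt_len != HDR_LEN + payload_len) return -1;

    uint8_t *buf = tracked_alloc(payload_len);
    if (!buf) return -1;
    memcpy(buf, pkt + HDR_LEN, payload_len);

    int rc = 0;
    if (type < 1 || type > 3)
        rc = -1;                   /* reject, but still fall through to free */
    /* else: normal processing of buf */

    tracked_free(buf, payload_len);   /* reached on every path */
    return rc;
}

typedef int (*handler_fn)(const uint8_t *, size_t);

/* Feed `count` malformed packets (invalid type 0xFFFF, payload_len bytes
 * each) to a handler and return how many bytes are still outstanding. */
static size_t flood_malformed(handler_fn h, size_t count, size_t payload_len) {
    uint8_t pkt[HDR_LEN + MAX_PAYLOAD];
    live_bytes = 0; live_blocks = 0;
    memset(pkt, 0x41, sizeof pkt);               /* constructed filler payload */
    pkt[0] = (uint8_t)(payload_len >> 8); pkt[1] = (uint8_t)payload_len;
    pkt[2] = 0xFF; pkt[3] = 0xFF;                /* invalid type -> rejected */
    for (size_t i = 0; i < count; i++)
        (void)h(pkt, HDR_LEN + payload_len);
    return live_bytes;
}

int main(void) {
    printf("leaky handler: %zu bytes outstanding after 10000 malformed packets\n",
           flood_malformed(handle_packet_leaky, 10000, 512));
    printf("fixed handler: %zu bytes outstanding after 10000 malformed packets\n",
           flood_malformed(handle_packet_fixed, 10000, 512));
    return 0;
}
```

Build with `cc -Wall leak.c && ./a.out`. The instrumented counters stand in for what a monitoring tool such as Performance Monitor would show on the real service: each rejected packet costs only a few hundred bytes, but nothing ever returns them, so the total is bounded only by how many packets the attacker can deliver before the box runs out of memory.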

How much memory is leaked each time the data at issue is received?
The leak here is relatively small - the server would need to receive a
very large number of packets before its memory would be depleted to the
point where its performance could be affected.

What could an attacker do via this vulnerability?
An attacker could deliberately send a large number of the malformed data
packets in order to deplete the server's available memory. By doing this,
he could prevent the server from performing useful work.

Would the attacker need to be able to log in via terminal services in
order to exploit the vulnerability?
No. The attacker would need the ability to send data to terminal services,
but would not need to be able to authenticate to the machine.

Would a successful attack via this vulnerability only disrupt terminal
server sessions, or would other services on the system be affected as
well?
Because the vulnerability depletes the memory pool that all services on
the machine use, a successful attack via the vulnerability would affect
the operation of all services on the machine, not just the terminal
services. Therefore, for instance, if the machine also hosted shared
files, users might be unable to access them after the machine had been
attacked.

Would this vulnerability enable the attacker to gain any privileges on the
machine?
No. The sole effect of a successful attack via this vulnerability would be
to deny service to legitimate users.

How could an affected server be put back into service?
The server administrator would need to reboot an affected machine to
return it to normal service.

I have not enabled Terminal Services on my Windows 2000 machine. Do I need
to take any action?
No. The flaw lies within Terminal Services, so if Terminal Services is not
enabled, the vulnerability can't be exploited.

Could this vulnerability be exploited remotely?
If the attacker could deliver packets to an affected machine, he could
exploit the vulnerability. However, if normal firewalling is in effect,
the port used by terminal services (port 3389) will be blocked. This would
prevent Internet users from exploiting the vulnerability.

I have a Windows NT 4.0 terminal server. Could I be affected by the
vulnerability?
Yes. The vulnerability affects Windows NT 4.0 terminal servers.

What does the patch do?
The patch eliminates the vulnerability by causing Terminal Services to
properly deallocate memory after processing the malformed request at issue
here.

ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security
(secnotif@MICROSOFT.COM).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
