[NT] Invalid RDP Data can Cause Terminal Service Failure

From: support@securiteam.com
Date: 10/20/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Invalid RDP Data can Cause Terminal Service Failure
Message-Id: <20011020002937.CCBCD138C9@mail.der-keiler.de>
Date: Sat, 20 Oct 2001 02:29:37 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Invalid RDP Data can Cause Terminal Service Failure
------------------------------------------------------------------------

SUMMARY

The implementation of the Remote Data Protocol (RDP) in the terminal
service in Windows NT 4.0 and Windows 2000 does not correctly handle a
particular series of data packets. If an affected server received such a
series of packets, it would cause the server to fail. The server could be
put back into normal service by rebooting it, but any work in progress at
the time of the attack would be lost.

It would not be necessary for an attacker to be able to start a session
with an affected server in order to exploit this vulnerability - the only
prerequisite would be the need to be able to send the correct series of
packets to the RDP port on the server.

DETAILS

Affected Software:
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

Mitigating factors:
 * There is no capability to breach the security of a terminal server
session via this vulnerability, or to add, change or delete data on the
server. It is a denial of service vulnerability only.
 * The specific sequence of data packets involved in this vulnerability
cannot be generated as part of a legitimate terminal server session.

Patch availability:
Download locations for this patch
 * Windows NT Server 4.0, Terminal Server Edition:
The patch has been temporarily removed, but will be available again
shortly.
 * Windows 2000 Server and Advanced Server:
The patch has been temporarily removed, but will be available again
shortly.
 * Microsoft Windows 2000 Datacenter Server:
Patches for Windows 2000 Datacenter Server is hardware-specific and
available from the original equipment manufacturer.

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker could use this
vulnerability to cause a Windows NT 4.0 or Windows 2000 terminal server to
fail. The server could be restarted without incident, but any work that
was in progress at the time of the failure would be lost.

What causes the vulnerability?
The vulnerability occurs because Windows NT Server 4.0, Terminal Server
Edition, and Terminal Services in Windows 2000 fail when they receive a
particular series of packets via a Remote Desktop Protocol connection.

What's Remote Desktop Protocol?
Remote Desktop Protocol (RDP) is the protocol that Windows terminal
servers and clients use to communicate with each other. Clients use it to
send keystroke and mouse-click information to the server and the server
uses it to send display information to the clients.

What could an attacker do via this vulnerability?
By sending a particular sequence of packets to the port associated with
RDP on an affected server, an attacker could cause the server to fail.
This would require the server operator to reboot the machine in order to
restore normal service.

Would this have any effect on the clients?
It would cause the terminal sessions to be severed, with the loss of any
unsaved data. However, it could not be used to directly attack terminal
server clients.

Would the attacker need to be able to establish a terminal server session
in order to exploit this vulnerability?
No. The attacker would only need to send the correct set of packets to the
correct port.

Could the attacker hijack another user's existing terminal server session
via this vulnerability?
No. The vulnerability would only enable an attacker to disrupt a session,
not to create one or intercept one.

Could a user inadvertently cause the server to fail via a terminal server
session?
No. The specific series of packets needed to cause the server to fail
cannot be generated as part of a normal terminal server session.

I have Windows NT 4.0 and Window 2000 servers, but they are not terminal
servers. Could I be affected by this vulnerability?
Only one version of Windows NT 4.0 - Windows NT 4.0 Server, Terminal
Server Edition - can be configured to serve as a terminal server. All
systems running this version are affected; no systems running any other
version of Windows NT 4.0 are affected.

All Windows 2000 server products can be configured to provide terminal
services, but terminal service is not installed or running by default in
any of them. Only Windows 2000 systems that have been configured to
provide terminal services are affected.

Who should use the patch?
Microsoft recommends that customers running Windows NT 4.0 or Windows 2000
terminal servers install the patch.

What does the patch do?
The patch eliminates the vulnerability by allowing the terminal server
service to correctly handle RDP data with the malformation at issue here.

ADDITIONAL INFORMATION

The information has been provided by <mailto:secnotif@MICROSOFT.COM>
Microsoft Product Security.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • SecurityFocus Microsoft Newsletter #171
    ... Better Management for Network Security ... GoodTech Telnet Server Remote Denial Of Service Vulnerabilit... ... ASPApp PortalAPP Remote User Database Access Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #174
    ... This issue sponsored by: Tenable Network Security ... the worlds only 100% passive vulnerability ... MICROSOFT VULNERABILITY SUMMARY ... Novell Netware Enterprise Web Server Multiple Vulnerabilitie... ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter # 150
    ... - automatically set positive security policies for real-time protection, ... MICROSOFT VULNERABILITY SUMMARY ... Meteor FTP Server USER Memory Corruption Vulnerability ... MDaemon SMTP Server Null Password Authentication Vulnerabili... ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #139
    ... OFF any Windows 2000 Managed Dedicated Hosting Solution from Interland. ... Sun ONE Application Server Plaintext Password Vulnerability ... Batalla Naval Remote Buffer Overflow Vulnerability ...
    (Focus-Microsoft)
  • [NT] Vulnerability in WINS Allows Remote Code Execution (MS04-045, Name Validation, Association Cont
    ... * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 ... A remote code execution vulnerability exists in WINS because of the way ...
    (Securiteam)