Security Bulletin

Microsoft Security Bulletin MS01-040 - Important

Invalid RDP Data Can Cause Memory Leak in Terminal Services

Published: July 25, 2001 | Updated: June 13, 2003

Version: 1.1

Originally posted: July 25, 2001
Updated: June 13, 2003

Summary

Who should read this bulletin:
System administrators using Microsoft® Windows® 2000 and Windows NT 4.0 Terminal servers.

Impact of vulnerability:
Denial of service

Recommendation:
System administrators should consider installing the patch.

Affected Software:

• Microsoft Windows NT 4.0, Terminal Server Edition
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server

General Information

Technical details

Technical description:

The Windows 2000 Terminal Service and Windows NT 4.0 Terminal Server Edition contains a memory leak in one of the functions that processes incoming Remote Data Protocol data via port 3389. Each time an RDP packet containing a specific type of malformation is processed, the memory leak depletes overall server memory by a small amount.

If an attacker sent a sufficiently large quantity of such data to an affected machine, he could deplete the machine's memory to the point where response time would be slowed or the machine's ability to respond would be stopped altogether. All system services would be affected, including but not limited to terminal services. Normal operation could be restored by rebooting the machine.

Mitigating factors:

• Normal firewalling could be used to prevent an attacker from exploiting this vulnerability from the Internet. Specifically, blocking port 3389 would prevent an attacker from delivering data to the affected service, thereby preventing him from exploiting the vulnerability.
• There is no capability to compromise data or usurp privileges via the vulnerability.

Vulnerability identifier: CAN-2001-0540

Tested Versions:

Microsoft tested Windows 2000 and Windows NT 4.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending a large quantity of malformed data to an affected terminal server, an attacker could disrupt any active sessions in effect on the server, and prevent the server from starting any new ones. The vulnerability would not enable an attacker to compromise any data on the server, or to usurp any privileges on the machine. The administrator of an affected machine could restore normal service by rebooting the machine.

What causes the vulnerability?
The vulnerability results because of a memory leak in the Windows 2000 Terminal Server service. If a sufficient quantity of data packets containing a particular malformation were received, it could deplete the available memory to the point where the server would be incapable of performing useful work.

What's a memory leak?
A memory leak is an implementation error that depletes the available memory on a system. As a process on a computer runs, it may need more or less memory, depending on exactly what it is doing from one minute to the next. When the process needs more memory, it requests it from the operating system; when it no longer needs the additional memory, it should return it to the operating system so it can be allocated to other processes. If a process doesn't correctly return memory to the operating system, the memory remains assigned to the process even though the process is no longer using it, and the memory can't be re-allocated. This effectively makes the block of memory unavailable. In this case, the Windows 2000 service that supports terminal server sessions has an implementation error that results in a memory leak when certain invalid data is sent to it.

How much memory is leaked each time the data at issue is received?
The leak here is relatively small - the server would need to receive a very large number of packets before its memory would be depleted to the point where its performance could be affected.

What could an attacker do via this vulnerability?
An attacker could deliberately send a large number of the malformed data packets in order to deplete the server's available memory. By doing this, he could prevent the server from performing useful work.

Would the attacker need to be able to log in via terminal services in order to exploit the vulnerability?
No. The attacker would need the ability to send data to terminal services, but wouldn't need to be able to authenticate to the machine.

Would a successful attack via this vulnerability only disrupt terminal server sessions, or would other services on the system be affected as well?
Because the vulnerability depletes the memory pool that all services on the machine use, a successful attack via the vulnerability would affect the operation of all services on the machine, not just the terminal services. So, for instance, if the machine also hosted shared files, users might be unable to access them after the machine had been attacked.

Would this vulnerability enable the attacker to gain any privileges on the machine?
No. The sole effect of a successful attack via this vulnerability would be to deny service to legitimate users.

How could an affected server be put back into service?
The server administrator would need to reboot an affected machine to return it to normal service.

I haven't enabled Terminal Services on my Windows 2000 machine. Do I need to take any action?
No. The flaw lies within Terminal Services, so if Terminal Services is not enabled, the vulnerability can't be exploited.

Could this vulnerability be exploited remotely?
If the attacker could deliver packets to an affected machine, he could exploit the vulnerability. However, if normal firewalling is in effect, the port used by terminal services (port 3389) will be blocked. This would prevent Internet users from exploiting the vulnerability.

I have a Windows NT 4.0 terminal server. Could I be affected by the vulnerability?
Yes. The vulnerability affects Windows NT 4.0 terminal servers.

What does the patch do?
The patch eliminates the vulnerability by causing the Windows 2000 terminal services to properly deallocate memory after processing the request at issue here.

Patch availability

Download locations for this patch

• Microsoft Windows NT 4.0, Terminal Server Edition:
  https://www.microsoft.com/download/details.aspx?FamilyId=5CBF406A-E8C8-4EFB-8BBA-BC9784B0CCC5&displaylang;=en

• Microsoft Windows 2000:
  https://www.microsoft.com/download/details.aspx?FamilyId=E3E46A58-17F5-4793-AE0A-61E18DF6134C&displaylang;=en

• Microsoft Windows 2000 Datacenter Server:
  Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.

Additional information about this patch

Installation platforms:

• The Windows NT 4.0 patch can be installed on systems with Windows NT 4.0 TSE Service Pack 6.
• The Windows 2000 patch can be installed on systems with Windows 2000 Service Pack 1 or Service Pack 2.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 3.

Reboot needed: Yes

Superseded patches: None.

Verifying patch installation:

• Windows NT 4.0, Terminal Server Edition:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q292435

• Windows 2000:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q292435.

  • To verify the individual files, use the date/time and version information provided in the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q292435\Filelist

Caveats:

None

Localization:

Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

• Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
• Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Peter Grundl for reporting this issue to us and working with us to protect customers.

Support:

• Microsoft Knowledge Base article Q292435 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
• Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

• V1.0 (July 25, 2001): Bulletin Created.
• V1.1 (June 13, 2003): Updated download links to Windows Update.

Built at 2014-04-18T13:49:36Z-07:00