Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

Microsoft Security Bulletin MS01-052 - Moderate

Invalid RDP Data can Cause Terminal Service Failure

Published: October 18, 2001 | Updated: May 11, 2004

Version: 3.0

Originally posted: October 18, 2001
Updated: May 11, 2004

Summary

Who should read this bulletin:
System administrators who operate terminal servers using either Microsoft® Windows NT® 4.0 or Windows® 2000.

Impact of vulnerability:
Denial of service

Maximum risk rating:
Moderate

Recommendation:
Apply patch to all Windows NT 4.0 or Windows 2000 terminal servers.

Affected Software:

  • Microsoft Windows NT Server 4.0, Terminal Server Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

General Information

Technical description:

Microsoft updated this bulletin on May 11, 2004 to advise on the availability of a revised version of the Windows NT Server 4.0 Terminal Server Edition security update. The updated version of this security update addresses a security vulnerability that could occur with the original release that could allow an attacker to attempt a denial of service attack against Windows NT Server 4.0 Terminal Server Edition systems. Customers need to install the revised update even if they installed the prior version. This issue does not affect other operating systems. If you have previously applied the security updates for other operating systems, this revised update does not need to be installed.

On October 18, 2001 Microsoft released the original version of this bulletin. On October 19, 2001, an issue was identified with the Windows 2000 patch. The patch was withdrawn so that it could be updated and re-released. On October 22, 2001 the updated patch and bulletin were posted.

We recommend that customers who installed the original version of the Windows 2000 patch install the updated version.

The implementation of the Remote Data Protocol (RDP) in the terminal service in Windows NT 4.0 and Windows 2000 does not correctly handle a particular series of data packets. If such a series of packets were received by an affected server, it would cause the server to fail. The server could be put back into normal service by rebooting it, but any work in progress at the time of the attack would be lost.

It would not be necessary for an attacker to be able to start a session with an affected server in order to exploit this vulnerability - the only prerequisite would be the need to be able to send the correct series of packets to the RDP port on the server.

Mitigating factors:

  • There is no capability to breach the security of a terminal server session via this vulnerability, or to add, change or delete data on the server. It is a denial of service vulnerability only.
  • The specific sequence of data packets involved in this vulnerability cannot be generated as part of a legitimate terminal server session.

Risk Rating:

Internet SystemsIntranet SystemsClient Systems
Windows NT 4.0LowModerateNone
Windows 2000 LowModerateNone

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Only terminal servers -- which are typically deployed as intranet rather Internet servers -- are at risk from the vulnerability, and it poses a denial of service threat at worst.

Vulnerability identifier: CAN-2001-0663

Tested Versions:

Microsoft tested Windows 2000 and Windows NT 4.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Why was this bulletin updated?
Microsoft updated this bulletin on May 11, 2004 to advise on the availability of a revised version of the Windows NT Server 4.0 Terminal Server Edition security update. The updated version of this security update addresses a security vulnerability that could occur with the original release that could allow an attacker to attempt a denial of service attack against Windows NT Server 4.0 Terminal Server Edition systems. Customers need to install the revised update even if they installed the prior version. This issue does not affect other operating systems. If you have previously applied the security updates for other operating systems, this revised update does not need to be installed.

On October 18, 2001 Microsoft released the original version of this bulletin. On October 19, 2001, an issue was identified with the Windows 2000 patch. The patch was withdrawn so that it could be updated and re-released. On October 22, 2001 the updated patch and bulletin were posted.

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker could use this vulnerability to cause a Windows NT 4.0 or Windows 2000 terminal server to fail. The server could be restarted without incident, but any work that was in progress at the time of the failure would be lost.

What causes the vulnerability?
The vulnerability occurs because Windows NT Server 4.0, Terminal Server Edition, and Terminal Services in Windows 2000 fail when they receive a particular series of packets via a Remote Desktop Protocol connection.

What's Remote Desktop Protocol?
Remote Desktop Protocol (RDP) is the protocol that Windows terminal servers and clients use to communicate with each other. Clients use it to send keystroke and mouse-click information to the server, and the server uses it to send display information to the clients.

What could an attacker do via this vulnerability?
By sending a particular sequence of packets to the port associated with RDP on an affected server, an attacker could cause the server to fail. This would require the server operator to reboot the machine in order to restore normal service.

Would this have any effect on the clients?
It would cause the terminal sessions to be severed, with the loss of any unsaved data. However, it could not be used to directly attack terminal server clients.

Would the attacker need to be able to establish a terminal server session in order to exploit this vulnerability?
No. The attacker would only need to send the correct set of packets to the correct port.

Could the attacker hijack another user's existing terminal server session via this vulnerability?
No. The vulnerability would only enable an attacker to disrupt a session, not to create one or intercept one.

Could a user inadvertently cause the server to fail via a terminal server session?
No. The specific series of packets needed to cause the server to fail cannot be generated as part of a normal terminal server session.

I have Windows NT 4.0 and Window 2000 servers, but they aren't terminal servers. Could I be affected by this vulnerability?

  • Only one version of Windows NT 4.0 - Windows NT 4.0 Server, Terminal Server Edition - can be configured to serve as a terminal server. All systems running this version are affected; no systems running any other version of Windows NT 4.0 are affected.
  • All Windows 2000 server products can be configured to provide terminal services, but terminal service is not installed or running by default in any of them. Only Windows 2000 systems that have been configured to provide terminal services are affected.

Who should use the patch?
Microsoft recommends that customers running Windows NT 4.0 or Windows 2000 terminal servers install the patch.

What does the patch do?
The patch eliminates the vulnerability by allowing the terminal server service to correctly handle RDP data with the malformation at issue here.

I've installed earlier versions of the Windows 2000 security update, do I need to install any new security updates?
No. The Windows 2000 security updates are not being revised. If you have previously applied the security updates for Windows 2000, this revised update does not need to be installed. This vulnerability did not affect Windows NT Server 4.0 or Windows NT Workstation 4.0

I installed the Windows NT Server 4.0 Terminal Server Edition version of the update that was originally released, do I need to install the new version of the update?
Yes. Microsoft updated this bulletin on May 11, 2004 to advise on the availability of a revised version of the Windows NT Server 4.0 Terminal Server Edition security update. Customer need to install the revised update even if they installed the prior version. This issue does not affect other operating systems. If you have previously applied the security updates for other operating systems, this revised update does not need to be installed.

Download locations for this patch

Additional information about this patch

Installation platforms:

  • The Windows NT 4.0 patch can be installed on systems running Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
  • The Windows 2000 patch can be installed on systems running Service Pack 1 or Service Pack 2.

Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 3.

Reboot needed: Yes

Superseded patches:

The Windows 2000 patch supersedes the one provided in Microsoft Security Bulletin MS01-006.

Verifying patch installation: Microsoft Windows NT Server 4.0, Terminal Server Edition:

  • You may also be able to verify the files that this security update has installed by reviewing the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB307454\File 1

  • To verify the individual files, consult the file manifest in Knowledge Base article q307454.

Microsoft Windows 2000:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\q307454.

  • To verify the individual files, use the date/time and version information provided in the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\q307454\Filelist

Caveats:

Even after applying the patch, a terminal server that is attacked via this vulnerability will log the following message in the event log:

Event:50 The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client. Source: Termdd"

On patched systems, this error message is incorrect, as the patch will prevent the client from being disconnected

Localization:

Localized versions of this patch are available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks  Luciano Martins of Deloitte & Touche Argentina (http://www.deloitte.com.ar) for reporting this issue to us and working with us to protect customers. Microsoft also thanks Neil Begin of FSC Internet Corp. (http://www.fscinternet.com) for working with us on the issued addressed with the 3.0 update of this security bulletin.

Support:

  • Microsoft Knowledge Base article q307454 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (October 18, 2001): Bulletin Created.
  • V2.0 (October 22, 2001): Bulletin updated to advise customers that the version of the Windows 2000 patch released on October 18, 2001, contained an error that has been corrected.
  • V2.1 (June 13, 2003): Updated download links to Windows Update.
  • V3.0 (May 11, 2004): Microsoft has released a revised version of the Windows NT Server 4.0 Terminal Server Edition security update.

Built at 2014-04-18T13:49:36Z-07:00

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.