Microsoft Security Bulletin MS01-006 - Critical

Invalid RDP Data can cause Terminal Server Failure

Published: January 31, 2001 | Updated: July 10, 2003

Version: 1.1

Originally posted: January 31, 2001
Updated: July 10, 2003

Summary

Who should read this bulletin:
System administrators using Microsoft® Windows® 2000 terminal servers.

Impact of vulnerability:
Denial of service.

Recommendation:
Apply patch to all Windows 2000 terminal servers.

Affected Software:

• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server

General Information

Technical details

Technical description:

The implementation of the Remote Data Protocol (RDP) in Windows 2000 Terminal Service does not correctly handle a particular series of data packets. If such a series of packets were received by an affected server, it would cause the server to fail. The server could be put back into normal service by rebooting it, but any work in progress at the time of the attack would be lost. It would not be necessary for an attacker to be able to start a session with an affected server in order to exploit this vulnerability - he would only need the ability to send the correct series of packets to the RDP port on the server.

Mitigating factors:

• There is no capability to breach the security of a terminal server session via this vulnerability, or to add, change or delete data on the server. It is a denial of service vulnerability only.
• The specific sequence of data packets involved in this vulnerability cannot be generated as part of a legitimate terminal server session.

Vulnerability identifier: CAN-2001-0014

Frequently asked questions

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker could use this vulnerability to cause a Windows 2000 terminal server to fail. The server could be restarted without incident, but any work that was in progress at the time of the failure would be lost.

What causes the vulnerability?
The vulnerability occurs because Terminal Services in Windows 2000 does not correctly handle a particular series of packets, when they are received via a Remote Desktop Protocol connection.

What's Remote Desktop Protocol?
Remote Desktop Protocol (RDP) is the protocol that Windows terminal servers and clients use to communicate with each other. Clients use it to send keystroke and mouse-click information to the server, and the server uses it to send display information to the clients.

What could an attacker do via this vulnerability?
By sending a particular sequence of packets to the port associated with RDP on an affected server, an attacker could cause the server to fail. This would require the server operator to reboot the machine in order to restore normal service.

Would this have any effect on the clients?
It would cause the terminal sessions to be severed, with the loss of any unsaved data. However, it could not be used to directly attack terminal server clients.

Would the attacker need to be able to establish a terminal session in order to exploit this vulnerability?
No. He would only need to send the correct set of packets to the correct port.

Could a user inadvertently cause the server to fail via a terminal server session?
No. The specific series of packets needed to cause the server to fail cannot be generated as part of a normal terminal server session.

Does this vulnerability affect Windows NT 4.0 terminal servers?
No. It only affects Windows 2000 terminal servers.

I have Windows 2000 servers, but they aren't terminal servers. Could I be affected by this vulnerability?
The vulnerability lies in the Terminal Service for Windows 2000, so unless you've configured your server to act as a terminal server, it would not be vulnerable.

Who should use the patch?
Microsoft recommends that customers running Windows 2000 terminal servers install the patch.

What does the patch do?
The patch eliminates the vulnerability by allowing the Terminal Services service to correctly handle the data at issue here.

Patch availability

Download locations for this patch

• Microsoft Windows 2000 Server and Advanced Server:

  https://www.microsoft.com/download/details.aspx?FamilyId=583C219C-5893-4889-96C0-59D354C6B7A7&displaylang;=en

• Microsoft Windows 2000 Datacenter Server:

  Patches for Windows 2000 Datacenter Server are hardware-specific and available from the original equipment manufacturer.

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Windows 2000 Gold and Service Pack 1.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 2.

Verifying patch installation:

• To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP1\Q286132.

• To verify the individual files, use the date/time and version information provided in the following registry key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP1\Q286132\Filelist

Caveats:

None

Localization:

Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

• Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
• Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Acknowledgments

Microsoft thanks Yoichi Ubukata and Yoshihiro Kawabata for reporting this issue to us and working with us to protect customers.

Support:

• Microsoft Knowledge Base article Q286132 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
• Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

• V1.0 (January 31, 2001): Bulletin Created.
• V1.1 (July 10, 2003): Corrected links to Windows Update in Additional Information.

Built at 2014-04-18T13:49:36Z-07:00