[THIN] FYI: Microsoft Windows Remote Desktop Protocol service input validation vulnerability

From US Cert
JK
Vulnerability Note VU#490628Microsoft Windows Remote Desktop Protocol service 
input validation vulnerabilityOverview
http://www.kb.cert.org/vuls/id/490628
An input validation error in the Microsoft Remote Desktop Protocol (RDP) 
service may allow a remote attacker to cause a denial-of-service condition. 
I. DescriptionMicrosoft describes the Remote Desktop Protocol (RDP) as follows. 
RDP is based on, and is an extension of, the T.120 protocol family standards. 
It is a multichannel-capable protocol that allows for separate virtual channels 
for carrying device communication and presentation data from the server, as 
well as encrypted client mouse and keyboard data.


The Microsoft RDP service contains an input validation error that can be 
exploited to cause a denial-of-service condition. A remote attacker may be able 
to exploit this vulnerability by sending a system running the RDP service a 
specially crafted message on port 3389/tcp. Note note that the Microsoft 
Firewall will allow RDP traffic to enter a system by default. 

The RDP service is not enabled by default on Microsoft Windows, but may be 
enabled if the following components are installed and running: 

      Microsoft Terminal Services 
      Microsoft Remote Desktop 
      Microsoft Remote Assistance 
      Windows Small Business Server 2003 Remote Web Workplace


Note that exploit code for this vulnerability is publicly available. For more 
information regarding this issue, please refer to MS05-041.
II. ImpactThis vulnerability allows unauthorized, remote attackers to crash a 
system running the RDP service resulting in a denial-of-service condition. III. 
SolutionApply An Update 
Microsoft has addressed this issue in Microsoft Security Bulletin MS05-041.

Microsoft recommends the following workarounds. While these workarounds will 
not correct the underlying vulnerability, they help block known attack vectors. 

Disable Terminal Services, Remote Desktop, Remote Assistance, and Windows Small 
Business Server 2003 Remote Web Workplace feature. 
Disabling Terminal Services, Remote Desktop, Remote Assistance, and Windows 
Small Business Server 2003 Remote Web Workplace may reduce the risk of 
exploitation. 
Block port 3389/tcp at the perimeter:

Port 3389/tcp is the port used by RDP. Blocking access to this port from 
untrusted sources may reduce the risk of exploitation. It may also be necessary 
to block port 4125/tcp which is used by Windows Small Business Server 2003 for 
RDP connections. Systems AffectedVendorStatusDate UpdatedMicrosoft 
CorporationVulnerable9-Aug-2005References

http://www.microsoft.com/technet/security/advisory/904797.mspx
http://www.microsoft.com/windowsxp/using/helpandsupport/rafaq-technical.mspx
http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prmb_tol_drft.asp
http://security-protocols.com/modules.php?name=News&file=article&sid=2852
http://secunia.com/advisories/16071/
http://securitytracker.com/alerts/2005/Jul/1014498.html
http://www.microsoft.com/technet/security/bulletin/MS05-041.mspx Credit
This vulnerability was reported in Microsoft Security Bulletin MS05-041. 
Microsoft credits Tom Ferris of Security Protocols for providing information 
regarding this vulnerability. 
This document was written by Jeff Gennari and Will Dorman Other InformationDate 
Public07/14/2005Date First Published08/09/2005 03:58:15 PMDate Last 
Updated08/10/2005CERT Advisory CVE NameCAN-2005-1218Metric16.12Document 
Revision62

Other related posts:

  • » [THIN] FYI: Microsoft Windows Remote Desktop Protocol service input validation vulnerability