Follow:

Exploit:Win/MSIE.TSAC.RCE!CAN-2002-0726

Severity rating
Moderate

Class/Type
Exploit

Discovered date
2002-08-22T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
Yes

Signature detection
Medium



On this page




Description

The Terminal Services Advanced Client (TSAC) ActiveX provides a way for Windows systems to run Terminal Services sessions within Internet Explorer. It provides nearly the same functionality as the full Terminal Services Client, but is designed to deliver this functionality over the Web. Through the control, users can establish terminal server sessions from suitably configured IIS servers.By default, IIS web sites don't offer access to terminal services enabled machines. When an administrator chooses to configure the site to provide them, he or she must download a hostable version of the control from the Microsoft web site and install it on the server. (In the case of Windows XP Professional, the hostable version of the control can also be obtained from the installation CD). Once this has been done, the server will download the control to any system that visits the web site, after which point the user can start terminal service sessions with the web site. The control contains an unchecked buffer. If called using a particular type of malformed input value, the buffer could be overrun. The effect would be, in essence, to change the functionality of the control and make it take new actions instead of those it's programmed to take



Impact

An attacker could use this vulnerability to gain control over another user's computer. Depending on exactly how the attacker overran the buffer, he or she could cause the control to take any desired action. Because the control operates in the context of the user , the attacker would be able to perform any action the user was able to perform.



Technical details (analysis)

The Terminal Services Advanced Client (TSAC) web control is an ActiveX control that can be used to run Terminal Services sessions within Internet Explorer. The downloadable ActiveX control provides nearly the same functionality as the full Terminal Services Client, but is designed to deliver this functionality over the Web. The TSAC control does not come installed as part of any Windows client system. Instead, clients obtain the control from web servers that offer terminal services. The configuration process that enables an IIS server to provide terminal services involves installing on the server a cabinet file containing the control. The server then delivers the cabinet file to any client system that needs it, and the client installs the control via the cabinet file. A security vulnerability results because the control contains an unchecked buffer in the code that processes one of the input parameters. By calling the control on a client system and overrunning the buffer, an attacker could gain the ability to run code in the security context of the currently logged on user. This would enable the attacker to take any desired action on the user's system.



Affected software

Microsoft Terminal Services Advanced Client (TSAC) ActiveX control, which can be installed on any Windows system.



Non-affected software

All applications not on the affected list.



References




Solutions




NIS signature

Name: Exploit:Win/MSIE.TSAC.RCE!CAN-2002-0726
Release Date: 2002-08-22T00:00:00



Known false positives

No known false positives at this time.



Work-arounds

No known work-arounds at this time.