Microsoft Security Bulletin MS01-006

Technical description:

The implementation of the Remote Data Protocol (RDP) in Windows 2000 Terminal Service does not correctly handle a particular series of data packets. If such a series of packets were received by an affected server, it would cause the server to fail. The server could be put back into normal service by rebooting it, but any work in progress at the time of the attack would be lost. It would not be necessary for an attacker to be able to start a session with an affected server in order to exploit this vulnerability - he would only need the ability to send the correct series of packets to the RDP port on the server.

Mitigating factors: 

Vulnerability identifier: CAN-2001-0014 

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker could use this vulnerability to cause a Windows 2000 terminal server to fail. The server could be restarted without incident, but any work that was in progress at the time of the failure would be lost.

What causes the vulnerability?
The vulnerability occurs because Terminal Services in Windows 2000 does not correctly handle a particular series of packets, when they are received via a Remote Desktop Protocol connection.

What's Remote Desktop Protocol?
Remote Desktop Protocol (RDP) is the protocol that Windows terminal servers and clients use to communicate with each other. Clients use it to send keystroke and mouse-click information to the server, and the server uses it to send display information to the clients.

What could an attacker do via this vulnerability?
By sending a particular sequence of packets to the port associated with RDP on an affected server, an attacker could cause the server to fail. This would require the server operator to reboot the machine in order to restore normal service.

Would this have any effect on the clients?
It would cause the terminal sessions to be severed, with the loss of any unsaved data. However, it could not be used to directly attack terminal server clients.

Would the attacker need to be able to establish a terminal session in order to exploit this vulnerability?
No. He would only need to send the correct set of packets to the correct port.

Could a user inadvertently cause the server to fail via a terminal server session?
No. The specific series of packets needed to cause the server to fail cannot be generated as part of a normal terminal server session.

Does this vulnerability affect Windows NT 4.0 terminal servers?
No. It only affects Windows 2000 terminal servers.

I have Windows 2000 servers, but they aren't terminal servers. Could I be affected by this vulnerability?
The vulnerability lies in the Terminal Service for Windows 2000, so unless you've configured your server to act as a terminal server, it would not be vulnerable.

Who should use the patch?
Microsoft recommends that customers running Windows 2000 terminal servers install the patch.

What does the patch do?
The patch eliminates the vulnerability by allowing the Terminal Services service to correctly handle the data at issue here.

Download locations for this patch

Installation platforms:

This patch can be installed on systems running Windows 2000 Gold and Service Pack 1.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 2.

Verifying patch installation: 

•	To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP1\Q286132.
•	To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP1\Q286132\Filelist

Caveats:

None

Localization:

Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site

Top of section