What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending a large quantity of malformed data to an affected terminal server, an attacker could disrupt any active sessions in effect on the server, and prevent the server from starting any new ones.
The vulnerability would not enable an attacker to compromise any data on the server, or to usurp any privileges on the machine. The administrator of an affected machine could restore normal service by rebooting the machine.
What causes the vulnerability?
The vulnerability results from a memory leak in the Windows 2000 Terminal Server service. If a sufficient quantity of data packets containing a particular malformation were received, it could deplete the available memory to the point where the server would be incapable of performing useful work.
What's a memory leak?
A memory leak is an implementation error that depletes the available memory on a system. As a process on a computer runs, it may need more or less memory, depending on exactly what it is doing from one minute to the next. When the process needs more memory, it requests it from the operating system; when it no longer needs the additional memory, it should return it to the operating system so it can be allocated to other processes.
If a process doesn't correctly return memory to the operating system, the memory remains assigned to the process even though the process is no longer using it, and the memory can't be re-allocated. This effectively makes the block of memory unavailable. In this case, the Windows 2000 service that supports terminal server sessions has an implementation error that results in a memory leak when certain invalid data is sent to it.
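To illustrate the kind of implementation error described above, here is an added example (not code from the bulletin or from the Terminal Services implementation) in C: a request handler that allocates a buffer per packet and, on one malformed-input path, returns without freeing it, beside a corrected handler that frees on every path. The packet layout (byte 0 = declared payload length, remaining bytes = payload) and the 256-byte buffer are assumptions for the demonstration; the counter of live allocations exists only to make the leak observable.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed toy packet layout (not the real Terminal Services protocol):
   byte 0 = declared payload length, bytes 1.. = payload.
   live_allocations counts buffers allocated but not yet freed, so the leak is visible. */
static size_t live_allocations = 0;

static void *tracked_alloc(size_t n) { void *p = malloc(n); if (p) live_allocations++; return p; }
static void tracked_free(void *p) { if (p) { free(p); live_allocations--; } }

/* Leaky handler: the malformed-packet path returns before freeing buf,
   so every bad packet pins one buffer until the process is restarted. */
int handle_packet_leaky(const uint8_t *pkt, size_t len) {
    if (len < 1) return -1;
    uint8_t *buf = tracked_alloc(256);
    if (!buf) return -1;
    size_t declared = pkt[0];
    if (declared != len - 1) return -1;   /* BUG: buf is never freed on this path */
    memcpy(buf, pkt + 1, declared);
    tracked_free(buf);                    /* only reached for well-formed packets */
    return 0;
}

/* Fixed handler: a single exit path frees the buffer whatever the outcome. */
int handle_packet_fixed(const uint8_t *pkt, size_t len) {
    int rc = -1;
    if (len < 1) return rc;
    uint8_t *buf = tracked_alloc(256);
    if (!buf) return rc;
    size_t declared = pkt[0];
    if (declared == len - 1) {
        memcpy(buf, pkt + 1, declared);   /* ... process the request ... */
        rc = 0;
    }
    tracked_free(buf);                    /* freed on both the good and the bad path */
    return rc;
}

/* Feed one constructed two-byte packet to a handler n times and report how many
   buffers remain unfreed. malformed[] claims 16 payload bytes but carries only 1;
   valid[] claims 1 and carries 1. */
size_t leaked_after(int (*handler)(const uint8_t *, size_t), int n, int malformed_input) {
    static const uint8_t malformed[] = { 0x10, 0x00 };
    static const uint8_t valid[] = { 0x01, 0xAA };
    const uint8_t *pkt = malformed_input ? malformed : valid;
    live_allocations = 0;
    for (int i = 0; i < n; i++) handler(pkt, 2);
    return live_allocations;
}
```

Running the leaky handler over many malformed packets leaves one unfreed buffer per packet, which is exactly the slow, cumulative depletion the bulletin describes; the fixed handler leaves none.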
How much memory is leaked each time the data at issue is received?
The leak here is relatively small - the server would need to receive a very large number of packets before its memory would be depleted to the point where its performance could be affected.
What could an attacker do via this vulnerability?
An attacker could deliberately send a large number of the malformed data packets in order to deplete the server's available memory. By doing this, he could prevent the server from performing useful work.
Would the attacker need to be able to log in via terminal services in order to exploit the vulnerability?
No. The attacker would need the ability to send data to terminal services, but wouldn't need to be able to authenticate to the machine.
Would a successful attack via this vulnerability only disrupt terminal server sessions, or would other services on the system be affected as well?
Because the vulnerability depletes the memory pool that all services on the machine use, a successful attack via the vulnerability would affect the operation of all services on the machine, not just Terminal Services. So, for instance, if the machine also hosted shared files, users might be unable to access them after the machine had been attacked.
Would this vulnerability enable the attacker to gain any privileges on the machine?
No. The sole effect of a successful attack via this vulnerability would be to deny service to legitimate users.
How could an affected server be put back into service?
The server administrator would need to reboot an affected machine to return it to normal service.
I haven't enabled Terminal Services on my Windows 2000 machine. Do I need to take any action?
No. The flaw lies within Terminal Services, so if Terminal Services is not enabled, the vulnerability can't be exploited.
Could this vulnerability be exploited remotely?
If the attacker could deliver packets to an affected machine, he could exploit the vulnerability. However, if normal firewalling is in effect, the port used by terminal services (port 3389) will be blocked. This would prevent Internet users from exploiting the vulnerability.
I have a Windows NT 4.0 terminal server. Could I be affected by the vulnerability?
Yes. The vulnerability affects Windows NT 4.0 terminal servers.
What does the patch do?
The patch eliminates the vulnerability by causing the Windows 2000 terminal services to properly deallocate memory after processing the request at issue here.