News

Microsoft Patches Denial of Service Vulnerability

• By Stephen Swoyer
• 10/19/2001

The vulnerability affects systems running Windows NT 4.0 Terminal Server Edition as well as Windows 2000 Server and Windows 2000 Advanced Server, both of which incorporate integrated Terminal Services.

Like a lot of the other bugs that the software giant has recently patched, the new vulnerability can be exploited by means of a particular arrangement of malformed data. According to Russ Cooper, editor of the Windows NT Bugtraq mailing list and a security analyst with TruSecure Corp., Microsoft products have historically demonstrated a susceptibility to malformed data attacks, in particular.

“It is an unfortunate recurrence of something that Microsoft has not been able to get a handle on yet, which is that their server products do not respond well to mal-formed data,” he comments. “We’ve had problems like this in the past with RPC and [with] practically anything that listens.”

In a bulletin that it distributed to the members of its security mailing list, Microsoft acknowledged that an attacker who sends a particular kind of malformed data to a port associated with its multi-user terminal services component could perpetrate a DoS attack against Windows NT 4.0 and Windows 2000 systems. Microsoft’s terminal services component leverages a protocol, dubbed the Remote Data Protocol (RDP), which by default listens for requests on port 3389.

Thursday night, the hotfixes that Microsoft made available to patch the new terminal services vulnerability were removed and replaced with a message which read: “This patch has been temporarily removed, but will be available again shortly.”

The software giant cautions that an attacker does not have to successfully log onto a Windows server in order to take it down; instead, she has only to bombard port 3389 with malformed RDP packets, causing the server to fail. In order to restore a server to normal operation, Microsoft allows, an administrator would have to reboot it. Any unsaved work -- or unsaved data associated with applications running on the server at the time -- would be lost.

According to Microsoft’s new security bulletin rating system, the new terminal services vulnerability merits a “low” mark for Internet and a “moderate” grade for intranet susceptibilities. Microsoft claims that IT organizations can safeguard against the possibility of attack from without by blocking external traffic bound for port 3389 on their firewalls or routers. To do so, however, would also restrict the ability of legitimate users outside of an organization – such as remote or telecommuting workers – to access terminal services.

As was the case with a previous terminal services vulnerability, the new bug could potentially affect a large number of Windows 2000 systems. Because an IT organization can configure Windows 2000 Server and Windows 2000 Advanced Server to operate in so-called “Remote Administration” mode, it’s conceivable that systems that aren’t strictly deployed as terminal servers, but which are nonetheless configured to support limited terminal services for the purposes of remote administration, could be affected, as well.

NT Bugtraq’s Cooper expects that we’ll probably continue to see DoS and other attacks that exploit malformed data vulnerabilities. “You could have a system set up and listening for garbage until the cows come home, and you still would not have seen all of the garbage that could be sent to it,” he says.