COMMAND

    Remote Data Protocol (RDP)

SYSTEMS AFFECTED

    Win2000 TSE

PROBLEM

    The following is based on Microsoft Security Bulletin MS01-006.
    The issue was originally found by Yoichi Ubukata and Yoshihiro
    Kawabata.  Few specifics have been provided; however, the bulletin
    states that a particular stream of packets could be sent to any
    Windows 2000 machine **with Terminal Server installed and
    running**, which would:
    - Sever all connections with TS clients, losing unsaved data in
      the process
    - Cause the machine to hang, or possibly Blue Screen

    Should such an attack occur, the machine would need to be rebooted
    to restore operations.

    It's important to note that no session, or authenticated
    connection, to the TS box is required to cause the effects noted
    above.  If the port is available, the machine could be DoS'd.
    Microsoft states that a TS Client could not form the attack packet
    stream, so it should only occur as a result of a deliberate attack.

    More information on RDP can be found at:

        http://www.microsoft.com/DirectAccess/Products/win2000.wks/desktop.asp

    For further explanations of the issue, see:

        http://www.microsoft.com/technet/security/bulletin/ms01-005.asp

    Firstly, most machines with Terminal Server running will not
    expose TCP3389 directly to the entire Internet.  If TS is being
    used for remote administration, access to the port should at least
    be ACL'd to restrict the connecting IP addresses.  While spoofing
    is certainly possible, such a restriction lowers the overall risk.
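
    An added example (not from the bulletin or the original advisory)
    of checking that a first-match filter rule list really restricts
    which sources can reach TCP 3389.  The rule format, the rule sets
    and the function names are hypothetical and constructed for
    illustration; IPv4 only.

```python
import ipaddress

RDP_PORT = 3389
# Constructed rule sets, hypothetical format: <permit|deny> <source CIDR|any> <port|any>
WEAK = """
permit any 3389               # Terminal Services reachable from everywhere
"""
HARDENED = """
deny   198.51.100.64/26 3389  # guest segment inside the admin range
permit 198.51.100.0/24  3389  # administration network
permit any              80
"""

def parse_rules(text):
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        action, source, port = fields
        if action not in ("permit", "deny"):
            raise ValueError("unknown action: " + action)
        net = ipaddress.ip_network("0.0.0.0/0" if source == "any" else source)
        rules.append((action, net, None if port == "any" else int(port)))
    return rules

def subtract(net, other):
    """Remove `other` from `net`; CIDR blocks either nest or are disjoint."""
    if not net.overlaps(other):
        return [net]
    return [] if net.subnet_of(other) else list(net.address_exclude(other))

def allowed_sources(rules, port=RDP_PORT):
    """Source networks that reach `port` under first-match, implicit-deny evaluation."""
    allowed, seen = [], []
    for action, net, rule_port in rules:
        if rule_port not in (None, port):
            continue
        remaining = [net]
        for earlier in seen:  # an earlier matching rule already decided these sources
            remaining = [r for piece in remaining for r in subtract(piece, earlier)]
        if action == "permit":
            allowed.extend(remaining)
        seen.append(net)
    return sorted(ipaddress.collapse_addresses(allowed))

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, [str(n) for n in allowed_sources(parse_rules(text))])
```

    A result of 0.0.0.0/0 means the port is open to every source; the
    hardened set leaves only the administration network minus the
    denied segment.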

    Web Hosting sites that provide TS access to their customers are
    more at risk, since typically their customers' IP addresses are
    unknown or vary.  Such sites should treat this vulnerability as
    Medium and apply the patch immediately.

    So far there has been no publication of the specific packet stream
    which would cause the DoS.  Given the relatively low availability
    of TS on the Internet, it is unlikely to become an attack of choice.

    Most Windows 2000 Servers are likely to have Terminal Services
    installed and running, the majority being run in
    Administration-only mode.  Of those, most would not be in a
    situation that requires immediate patching and could wait for
    W2K SP2 instead.

SOLUTION

    Microsoft has released a patch for a vulnerability in the Remote
    Data Protocol (TCP3389) implemented in Windows 2000 Terminal
    Services (does not affect NT 4.0 TSE).  For patch availability,
    see the associated KB article, which provides links to all language
    versions currently available (whereas the Security Bulletin only
    provides a link to the English version of the patch):

        http://www.microsoft.com/technet/support/kb.asp?ID=286132