COMMAND

    RDP

SYSTEMS AFFECTED

    Windows 2000 Server and Windows NT 4.0, Terminal Server Edition

PROBLEM

    Following  is  based  on  a  Microsoft Security Bulletin MS01-040.
    The  Windows  2000  Terminal  Service  and Windows NT 4.0 Terminal
    Server Edition  contains a  memory leak  in one  of the  functions
    that processes incoming Remote  Data Protocol data via  port 3389.
    Each  time   an  RDP   packet  containing   a  specific   type  of
    malformation  is  processed,  the  memory  leak  depletes  overall
    server memory by a small amount.

    If an attacker sent a sufficiently large quantity of such data  to
    an affected machine, he could deplete the machine's memory to  the
    point  where  response  time  would  be  slowed  or  the machine's
    ability  to  respond  would  be  stopped  altogether.   All system
    services would be affected, including but not limited to  terminal
    services.   Normal operation  could be  restored by  rebooting the
    machine.

    Normal  firewalling  could  be  used  to  prevent an attacker from
    exploiting this  vulnerability from  the Internet.   Specifically,
    blocking port 3389 would prevent an attacker from delivering  data
    to the  affected service,  thereby preventing  him from exploiting
    the vulnerability.

    There is no capability to compromise data or usurp privileges  via
    the vulnerability.

    Credit for finding this goes to Peter Grundl.

SOLUTION

    A patch is available to  fix this vulnerability.  Please  read the
    Security Bulletin:

        http://www.microsoft.com/technet/security/bulletin/ms01-040.asp

    for information on obtaining this patch.