
Microsoft RDP DoS Information

Date:
7/21/2005 12:00:00 AM

Severity:
Moderate

Affected Software:
All versions of Windows (including Windows XP SP2) if the RDP service is enabled.

Overview:
eEye Digital Security researchers did not discover this vulnerability, but the researcher who did has consulted with eEye and has provided some additional details about this issue to help us confirm the analysis and assess the risk that it poses. Without going into complete details on this issue, we will explain the already public details and dispel some misconceptions reported by the media.

The first misconception was reported last week. Some well-known security experts were quoted saying that there is a high likelihood that this vulnerability can be exploited to run arbitrary code on the target systems. This is completely false. The Microsoft analysis of this bug is, in this case, 100% correct: the potential result of a successful exploit is nothing more severe than a DoS. Once details are released, the eEye research team may explain the technical reasons why this flaw does not lead to an opportunity to execute arbitrary commands, and offer a look at the exact code behind the vulnerability.

Because there is no opportunity to run arbitrary code, this also removes the possibility of this flaw being used in a worm attack. As far as attack scenarios go, this vulnerability can be used in a Denial of Service (DoS) attack or in a blended attack where the attacker needs the ability to force a remote system to reboot. A successful DoS against a target system would require either an automatic or a manual reboot, depending on the target system's configuration.

So what exactly is this vulnerability? This question is difficult to answer without discussing information that is not already public knowledge. A specific driver, RDPWD.SYS, is present on Windows 2000, Windows 2003, and Windows XP. All versions of Windows, including Windows XP SP2, are vulnerable, but, as mentioned above, only if the RDP service is enabled.

Technical Analysis:

Detection:
Users of eEye's Retina® Network Security Scanner software can scan their networks for systems with RDP enabled, allowing for quick identification of systems that are at risk.
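As an added example of the kind of check the Detection section describes (this is not the advisory's own code and has nothing to do with Retina): a host is identified as an RDP listener by sending the minimal TPKT-framed X.224 Connection Request that opens every RDP handshake and checking whether the reply is an X.224 Connection Confirm. The probe bytes and the sample response below are constructed from the protocol definition, not captured from a real system, and the network probe assumes TCP port 3389 and connectivity to the target.

```python
import socket
import struct

# X.224 TPDU codes used in the first exchange of an RDP connection.
X224_CONNECTION_REQUEST = 0xE0
X224_CONNECTION_CONFIRM = 0xD0


def build_x224_connection_request() -> bytes:
    """Return the 11-byte TPKT (RFC 1006) + X.224 Connection Request probe."""
    # code, dst-ref, src-ref, class 0 -> 6 bytes, then prefixed by its length indicator
    x224 = struct.pack(">BHHB", X224_CONNECTION_REQUEST, 0, 0, 0)
    x224 = bytes([len(x224)]) + x224
    # TPKT header: version 3, reserved 0, total length including the 4-byte header
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def is_x224_connection_confirm(data: bytes) -> bool:
    """True if `data` is a well-formed TPKT-framed X.224 Connection Confirm."""
    if len(data) < 7 or data[0] != 3:            # TPKT version must be 3
        return False
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data):                     # framing length must match what arrived
        return False
    li = data[4]                                  # LI covers code, dst-ref, src-ref, class
    if li < 6 or 5 + li > len(data):
        return False
    return data[5] == X224_CONNECTION_CONFIRM


def probe_rdp(host: str, port: int = 3389, timeout: float = 3.0) -> bool:
    """Return True if the host answers the probe like an RDP listener."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_x224_connection_request())
            return is_x224_connection_confirm(s.recv(1024))
    except OSError:                               # refused, timed out, unreachable
        return False


# Constructed sample reply (not a captured packet): Connection Confirm with
# LI=6, code 0xD0, dst-ref 0, server src-ref 0x1234, class 0.
SAMPLE_CONFIRM = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, "RDP listener" if probe_rdp(target) else "no RDP response")
```

Hosts that answer with a Connection Confirm have the RDP service enabled and are the ones this advisory applies to.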

Prevention:
Users of eEye's Blink® End-Point Vulnerability Prevention software do not need to lose a minute of sleep over this issue, as Blink has been confirmed to be the only end-point solution that already offers protection for this vulnerability. Blink not only stops a DoS through this vulnerability from succeeding, it also allows organizations to continue using RDP for their business needs.

Links:
Microsoft Security Alert

Copyright ©1998-2010 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
