SecurityTracker.com
SecurityTracker Archives

Category: OS (Microsoft) > Windows Remote Desktop Protocol (RDP)
Vendors: Microsoft
(Microsoft Issues Fix) Microsoft Remote Desktop Protocol (RDP) Design Flaw May Disclose Information About the Unencrypted Data to Remote Users and May Let Data Be Modified During Transmission
SecurityTracker Alert ID:  1005257
SecurityTracker URL:  http://securitytracker.com/id/1005257
CVE Reference:   CVE-2002-0863   (Links to External Site)
Date:  Sep 19 2002
Impact:   Disclosure of system information, Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): RDP 4.0, RDP 5.0
Description:   A cryptographic design flaw was reported in Microsoft's Remote Desktop Protocol (RDP), which carries terminal sessions for Terminal Services on Windows NT 4.0 and Windows 2000 and for Remote Desktop on Windows XP. A remote user able to observe the encrypted data stream can learn information about the unencrypted data, and can modify the stream in transit without the modification being detected.

It is reported that RDP leaks information about the contents of encrypted packets because the integrity checksum is computed over the plaintext and then transmitted unencrypted, so two packets that carry the same plaintext carry identical checksums. All versions of Windows using encrypted RDP are apparently affected.

In RDP 5.0, some common commands, including keyboard input events, can reportedly be sent in compact packets that carry only the key code and the event type (press, repeat, or release), with no timestamp. Because nothing else in the packet varies, the checksum is identical for every occurrence of the same event type on the same key. A remote user monitoring the encrypted packet stream can therefore tell when the same key has been pressed again, even though the key itself is not disclosed directly. By collecting a large amount of session data and analysing the patterns and frequencies of the repeated checksums, the remote user could infer which keys were actually pressed, and in this way capture passwords.

It is also reported that RDP 5.0 lets a remote user with access to the encrypted data stream modify keystrokes while they are in transit.

According to the report, if the victim presses "A" and the remote user wants the server to see a "B" press instead, the remote user XORs the captured ciphertext with the known "A" press plaintext (since the encryption is an XOR with a keystream, this leaves the keystream for that position) and then XORs the result with the "B" press plaintext, which yields valid ciphertext for a "B" press. Because the checksum is sent in the clear and depends only on the plaintext, the remote user completes the substitution by replacing the "A" press checksum with a "B" press checksum observed earlier in the session and sending it with the new ciphertext.
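
The checksum leak and the keystroke-substitution attack described above, as a worked example. This is an added toy model, not code from the advisory, from the reporter or from Microsoft: the packet layout (an 8-byte unencrypted HMAC-SHA1 tag over the plaintext followed by an RC4-encrypted two-byte key event), the session keys, the scancodes and the keystroke sequence are all constructed for illustration and are assumptions, not RDP's real framing. RC4 is the stream cipher RDP's native encryption uses, which is what makes the XOR substitution work. The hardened variant at the end binds the tag to a sequence number and to the ciphertext; it is a generic encrypt-then-MAC remedy and is not a description of how Microsoft's patch works.

```python
"""Toy model of the MS02-051 checksum weakness (added example, not Microsoft code).
Assumed packet layout, a simplification rather than real RDP framing:
    checksum (8 bytes, sent in the clear) || RC4-encrypted key event (2 bytes)
A key event is (event_type, scancode) with no timestamp, as described for RDP 5.0.
"""
import hashlib
import hmac
from collections import defaultdict

PRESS, RELEASE, SC_A, SC_B = 0, 1, 0x1E, 0x30   # event types; scancodes for A and B


class RC4:
    """Minimal RC4; one instance per direction keeps the running keystream."""

    def __init__(self, key):
        s, j = list(range(256)), 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def xor(self, data):
        out = bytearray()
        for byte in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.s[self.i]) & 0xFF
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(byte ^ self.s[(self.s[self.i] + self.s[self.j]) & 0xFF])
        return bytes(out)


def checksum(mac_key, plaintext):
    """The flaw: a deterministic tag over the plaintext only, never encrypted."""
    return hmac.new(mac_key, plaintext, hashlib.sha1).digest()[:8]


def send(client, mac_key, pt):
    return checksum(mac_key, pt) + client.xor(pt)


def receive(server, mac_key, pkt):
    """Decrypt, then accept the event only if the clear checksum matches."""
    tag, ct = pkt[:8], pkt[8:]
    pt = server.xor(ct)
    return pt if hmac.compare_digest(tag, checksum(mac_key, pt)) else None


def group_by_checksum(packets):
    """Eavesdropper: packets with equal clear checksums carry equal key events."""
    groups = defaultdict(list)
    for idx, pkt in enumerate(packets):
        groups[pkt[:8]].append(idx)
    return dict(groups)


def forge(pkt, known_pt, target_pt, target_tag):
    """Active attacker: pkt is known to carry known_pt; rewrite it to target_pt.
    RC4 is XOR with a keystream, so ct ^ known_pt ^ target_pt is the ciphertext
    of target_pt at this position; the tag is one seen on a real target_pt packet."""
    new_ct = bytes(c ^ k ^ t for c, k, t in zip(pkt[8:], known_pt, target_pt))
    return target_tag + new_ct


def tag_hardened(mac_key, seq, ct):
    """Remedy (a generic encrypt-then-MAC pattern, not necessarily Microsoft's exact
    fix): bind the tag to a sequence number and to the ciphertext."""
    return hmac.new(mac_key, seq.to_bytes(4, "big") + ct, hashlib.sha1).digest()[:8]


def send_hardened(client, mac_key, seq, pt):
    ct = client.xor(pt)
    return tag_hardened(mac_key, seq, ct) + ct


def receive_hardened(server, mac_key, seq, pkt):
    tag, ct = pkt[:8], pkt[8:]
    if not hmac.compare_digest(tag, tag_hardened(mac_key, seq, ct)):
        return None                       # rejected before the keystream is touched
    return server.xor(ct)


def run_demo():
    enc_key, mac_key = b"session-key-0", b"mac-key-0"     # constructed per-session keys
    typed = [(PRESS, SC_B), (RELEASE, SC_B), (PRESS, SC_A),
             (RELEASE, SC_A), (PRESS, SC_A), (RELEASE, SC_A)]
    events = [bytes(e) for e in typed]                     # constructed keystrokes

    # Vulnerable session: packets 2 and 4 (both "A press") share a clear checksum.
    client, server = RC4(enc_key), RC4(enc_key)
    wire = [send(client, mac_key, pt) for pt in events]
    groups = group_by_checksum(wire)
    # Attacker who identified packet 4 as an "A press" turns it into the "B press"
    # seen in packet 0, reusing packet 0's checksum; the server accepts it.
    forged = forge(wire[4], events[2], events[0], wire[0][:8])
    accepted = [receive(server, mac_key, p) for p in wire[:4] + [forged] + wire[5:]]

    # Hardened session: tags no longer repeat, and the same forgery is rejected.
    client_h, server_h = RC4(enc_key), RC4(enc_key)
    wire_h = [send_hardened(client_h, mac_key, i, pt) for i, pt in enumerate(events)]
    forged_h = forge(wire_h[4], events[2], events[0], wire_h[0][:8])
    rejected = receive_hardened(server_h, mac_key, 4, forged_h)
    return {"groups": groups, "accepted": accepted,
            "groups_h": group_by_checksum(wire_h), "rejected": rejected}
```

Calling run_demo() shows both halves of the flaw side by side: in the vulnerable session the two "A press" packets (indices 2 and 4) fall into the same checksum group even though their ciphertext bytes come from different keystream positions, and the forged packet is accepted by the server as a "B press"; in the hardened session every tag is distinct and the same forgery is rejected before anything is decrypted. Note that keying the plaintext checksum does not help on its own, which is why the toy uses an HMAC: the attacker never computes a tag, only replays one observed on a genuine packet with the target plaintext.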

The vendor has confirmed the issue and released a fix (see Solution below).

Impact:   A remote user that can monitor the encrypted RDP packet stream may be able to determine information about the unencrypted data. The user may also be able to modify keystrokes sent via the network.
Solution:   The vendor has released the following patches:

Windows 2000:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41326

Windows XP:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41288

Windows XP 64 bit Edition:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41314

Microsoft reports that the patch for Windows 2000 can be installed on systems running Windows 2000 SP2 or SP3, and that the patch for Windows XP can be installed on systems running Windows XP Gold. The vendor plans to include the fix in Windows 2000 SP4; it is already included in Windows XP SP1.

Microsoft plans to issue Knowledge Base article Q324380 regarding this issue, to be available shortly on the Microsoft Online Support web site:

http://support.microsoft.com/?scid=fh;en-us;kbhowto

[Editor's note: It appears that Microsoft refers to RDP as both the Remote Data Protocol and the Remote Desktop Protocol. However, it appears that both of these references relate to the same protocol.]

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-051.asp (Links to External Site)
Cause:   Access control error, Authentication error, Randomization error
Underlying OS:  Windows (Any)
Underlying OS Comments:  .NET Server is also affected

Message History:   This archive entry is a follow-up to the message listed below.
Sep 18 2002 Microsoft Remote Desktop Protocol (RDP) Design Flaw May Disclose Information About the Unencrypted Data to Remote Users and May Let Data Be Modified During Transmission



 Source Message Contents

Subject:  Microsoft Security Bulletin MS02-051: Cryptographic Flaw in RDP Protocol can Lead to Information Disclosure (Q324380)


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Cryptographic Flaw in RDP Protocol can Lead to 
            Information Disclosure (Q324380)
Released:   18 September 2002
Software:   Microsoft Windows 2000 
            Microsoft Windows XP
Impact:     Two vulnerabilities: information disclosure, denial of 
            service
Max Risk:   Moderate
Bulletin:   MS02-051

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-051.asp.
- ----------------------------------------------------------------------
Issue:
======
The Remote Data Protocol (RDP) provides the means by which Windows 
systems can provide remote terminal sessions to clients. The protocol
transmits information regarding a terminal session's keyboard, mouse
and video to the remote client, and is used by Terminal Services in
Windows NT 4.0 and Windows 2000, and by Remote Desktop in Windows XP.
Two security vulnerabilities, both of which are eliminated by this 
patch, have been discovered in various RDP implementations. 

The first involves how session encryption is implemented in certain
versions of RDP. All RDP implementations allow the data in an RDP 
session to be encrypted. However, in the versions in Windows 2000 and
Windows XP, the checksums of the plaintext session data are sent
without being encrypted themselves. An attacker who was able to
eavesdrop on and record an RDP session could conduct a straight-
forward cryptanalytic attack against the checksums and recover 
the session traffic. 

The second involves how the RDP implementation in Windows XP handles
data packets that are malformed in a particular way. Upon receiving
such packets, the Remote Desktop service would fail, and with it
would fail the operating system. It would not be necessary for an 
attacker to authenticate to an affected system in order to deliver
packets of this type to an affected system.

Mitigating Factors:
====================
Cryptographic Flaw in RDP Protocol: 
- - An attacker would need the ability to capture an RDP session in 
  order to exploit this vulnerability. In most cases, this would re-
  quire that the attacker have physical access to the network media. 
- - Because encryption keys are negotiated on a per-session basis, a 
  successful attack would allow an attacker to decrypt only a single
  session and not multiple sessions. Thus, the attacker would need to
  conduct a separate cryptanalytic attack against each session he or
  she wished to compromise. 

Denial of Service in Remote Desktop: 
- - Remote Desktop service in Windows XP is not enabled by default. 
- - Even if Remote Desktop service were enabled, a successful attack 
  would require that the attacker be able to deliver packets to the 
  Remote Desktop port on an affected system. Customers who block port
  3389 at the firewall would be protected against attempts to exploit
  this vulnerability. (By default Internet Connection Firewall does 
  block port 3389).

Maximum Risk Rating:
====================
 - Internet systems: Moderate
 - Intranet systems: Moderate
 - Client systems: Moderate

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-051.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY 
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN 
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
SO THE FOREGOING LIMITATION MAY NOT APPLY.


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPYj4Qo0ZSRQxA/UrAQGwjgf/R2clh7I4tA+v9gHq3It1ZCkiVb32bgS1
KcId2B0dXdBfobEPLidKwra+jFKVBNYilUEi7jA5OHsJ9tdr48blaKMp9UrvsQeL
/ea7yWnKJ/gRBGK+Qaxx2pgoVl8AVFGwd3rDzZQ43vRBMQmfNQAAqd9Y2dCr6Sro
2iIq19By+0OZYxqBuCRjPOif7w7ViIGsUyk2vXp6GJCTMOtDZWSCedGEYCrJ7que
xud9dwezKkzGhjsmuqSFIoysBd2LsTMvkgTMMcwpVCwewvqQm+McdpXcv6rEBrEp
NLoiqUwlp/27vP3OeEC6/qWPi/cxoarAyRnJ3YYZ7BXL4NLQXXzcbw==
=wabA
-----END PGP SIGNATURE-----


Copyright 2021, SecurityGlobal.net LLC