Microsoft Windows Terminal Server MSGINA.DLL Flaw Lets Remote Authenticated Users Reboot the Server
SecurityTracker Alert ID: 1005986
SecurityTracker URL: http://securitytracker.com/id/1005986
Updated: Jun 15 2008
Original Entry Date: Jan 24 2003
Denial of service via network
Exploit Included: Yes
Version(s): Windows 2000 Terminal Server, Windows XP
A denial of service vulnerability was reported in the Windows Terminal Server in the Microsoft Graphical Identification and Authentication DLL (MSGINA.DLL). A remote authenticated user can cause the system to reboot.
It is reported that a remote authenticated user who can access a Windows Terminal Server via RDP or ICA and access the filesystem can cause the server to restart.
The remote authenticated user can place a read lock on the %SYSTEMROOT%\SYSTEM32\MSGINA.DLL file and then open a new connection to the server via RDP or ICA to trigger a warning dialog ("msgina.dll failed to load"). The warning dialog reportedly allows the remote authenticated user to click a "Restart" button to cause the server to reboot.
According to this report, Windows 2000 Terminal Server is affected. Another user has reported that Windows XP is also affected.
The vendor has reportedly been notified.
A remote authenticated user with access to the filesystem can cause the server to reboot.
No solution was available at the time of this entry.
The author of the report indicates that, as a workaround, you may be able to remove all permissions from MSGINA.DLL for "Power Users", "Users" and "Everyone".
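One way to review and apply the workaround above from a command prompt, as an added example that is not part of the original report or vendor guidance. It assumes the built-in cacls utility, an administrator prompt and English-language group names; the "apply" argument is made up for this example.

```bat
@echo off
rem Added example, not part of the original report.
rem Prints the ACL on MSGINA.DLL and, when run with "apply", revokes the
rem three groups named in the workaround. Group names assume an
rem English-language installation.
setlocal
set "TARGET=%SystemRoot%\system32\msgina.dll"

if not exist "%TARGET%" (
    echo %TARGET% not found
    exit /b 1
)

echo ACL before:
cacls "%TARGET%"

if /i not "%~1"=="apply" (
    echo Audit only. Re-run with the argument "apply" to revoke access.
    exit /b 0
)

rem /E edits the existing ACL instead of replacing it; /R revokes every
rem access right held by the named account (valid only together with /E).
for %%G in ("Power Users" "Users" "Everyone") do (
    cacls "%TARGET%" /E /R %%G
)

rem Compare with the "before" listing to confirm the entries are gone and
rem that SYSTEM and Administrators still have access.
echo ACL after:
cacls "%TARGET%"
endlocal
```

Keep the "before" listing so the original entries can be restored, and confirm on a test server that ordinary users can still log on after the change.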
Vendor URL: www.microsoft.com/technet/security/
Configuration error, State error
Source Message Contents
Subject: DoS attack on Windows 2000 Terminal Server
This one's short and simple..
Any user with sufficient permission to log on to a Windows 2000 Terminal
Server (via RDP or ICA) and access its filesystem can reboot the server
- Open %SYSTEMROOT%\SYSTEM32\MSGINA.DLL for exclusive access (read lock).
I used Radsoft's HEXVIEW.EXE from Rix2K to do this.
- Open a new connection to the server via RDP/ICA
- Click the nice, helpful "Restart" button in the warning dialog that
appears ("msgina.dll failed to load")
Tested on Windows 2000 Server (IE55, SP2) and Windows 2000 Server (IE55,
SP3). I do not have easy access to other platforms at the moment.
- Remove all permissions from MSGINA.DLL for "Power Users", "Users" and
Note: The above workaround has been tested on Windows 2000 Server (IE55,
SP2) and users were still able to log in as normal. I am not aware of a
need for MSGINA.DLL to be accessible by normal users, but if there are
any such circumstances Microsoft will need to produce an alternative fix.
Contacted on 16/01/2003. Replied to my email the next day requesting
additional time to investigate. No further replies since 17/01/2003.
Thanks to PPH for the use of a Windows 2000 Server IE55,SP2 machine!