SecurityTracker.com
Category:   OS (Microsoft)  >   Microsoft Graphical Identification and Authentication DLL (MSGINA.DLL)
Vendors:   Microsoft
Microsoft Windows Terminal Server MSGINA.DLL Flaw Lets Remote Authenticated Users Reboot the Server
SecurityTracker Alert ID:  1005986
SecurityTracker URL:  http://securitytracker.com/id/1005986
CVE Reference:   CVE-2003-1544
Updated:  Jun 15 2008
Original Entry Date:  Jan 24 2003
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): Windows 2000 Terminal Server, Windows XP
Description:   A denial of service vulnerability was reported in the Windows Terminal Server in the Microsoft Graphical Identification and Authentication DLL (MSGINA.DLL). A remote authenticated user can cause the system to reboot.

It is reported that a remote authenticated user that can access a Windows Terminal Server via RDP or ICA and access the filesystem can cause the server to restart.

The remote authenticated user can place a read lock on the %SYSTEMROOT%\SYSTEM32\MSGINA.DLL file and then open a new connection to the server via RDP or ICA to trigger a warning dialog ("msgina.dll failed to load"). The warning dialog reportedly allows the remote authenticated user to click a "Restart" button to cause the server to reboot.

According to this report, Windows 2000 Terminal Server is affected. Another user has reported that Windows XP is also affected.

The vendor has reportedly been notified.

Impact:   A remote authenticated user with access to the filesystem can cause the server to reboot.
Solution:   No solution was available at the time of this entry.

The author of the report indicates that, as a workaround, you may be able to remove all permissions from MSGINA.DLL for "Power Users", "Users" and "Everyone".

Vendor URL:  www.microsoft.com/technet/security/
Cause:   Configuration error, State error

Message History:   None.


 Source Message Contents

Subject:  DoS attack on Windows 2000 Terminal Server


This one's short and simple..

Description
-----------

Any user with sufficient permission to log on to a Windows 2000 Terminal
Server (via RDP or ICA) and access its filesystem can reboot the server
at will.


Exploit
-------

- Open %SYSTEMROOT%\SYSTEM32\MSGINA.DLL for exclusive access (read lock).
  I used Radsoft's HEXVIEW.EXE from Rix2K to do this.

- Open a new connection to the server via RDP/ICA

- Click the nice, helpful "Restart" button in the warning dialog that
  appears ("msgina.dll failed to load")

Tested on Windows 2000 Server (IE55, SP2) and Windows 2000 Server (IE55,
SP3). I do not have easy access to other platforms at the moment.


Workaround
----------

- Remove all permissions from MSGINA.DLL for "Power Users", "Users" and
  "Everyone"

Note: The above workaround has been tested on Windows 2000 Server (IE55,
SP2) and users were still able to log in as normal. I am not aware of a
need for MSGINA.DLL to be accessible by normal users, but if there are
any such circumstances Microsoft will need to produce an alternative fix.


Vendor status
-------------

Contacted on 16/01/2003. Replied to my email the next day requesting
additional time to investigate. No further replies since 17/01/2003.


Thanks
------

Thanks to PPH for the use of a Windows 2000 Server IE55,SP2 machine!
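
To check whether the workaround described above has been applied, the following added example (not part of the original advisory or the reporter's message) lists any access entries that "Everyone", "Users" or "Power Users" still hold on MSGINA.DLL. It assumes a host where PowerShell is available; the function name Get-MsginaAclFinding and the option of passing a UNC path to audit a server from another machine are assumptions made for illustration.

```powershell
# Added example: audit the MSGINA.DLL ACL for the three groups named in the workaround.
# Well-known SIDs are matched instead of group names so the check is locale-independent.
$WorkaroundGroups = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-547' = 'Power Users'
}

function Get-MsginaAclFinding {
    param(
        # Defaults to the local copy. A UNC path to a server's copy may be
        # passed instead (assumption: the auditor can read that path).
        [string]$Path = (Join-Path $env:SystemRoot 'System32\msgina.dll')
    )
    if (-not (Test-Path -Path $Path)) {
        throw "File not found: $Path"
    }
    $acl     = Get-Acl -Path $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Explicit and inherited entries, with identities returned as raw SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($WorkaroundGroups.ContainsKey($sid)) {
            New-Object PSObject -Property @{
                Path      = $Path
                Group     = $WorkaroundGroups[$sid]
                Type      = $ace.AccessControlType   # Allow or Deny
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Only Allow entries matter for the workaround; Deny entries already block access.
$findings = @(Get-MsginaAclFinding | Where-Object { $_.Type -eq 'Allow' })
if ($findings.Count -eq 0) {
    Write-Output 'No Allow entries for Everyone, Users or Power Users on MSGINA.DLL.'
} else {
    Write-Output 'Workaround not fully applied; remaining Allow entries:'
    $findings | Format-Table Group, Rights, Inherited -AutoSize
}
```

The script checks only the three groups the report names; an entry flagged as inherited has to be addressed on the parent folder or by breaking inheritance on the file.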

 
 



Copyright 2019, SecurityGlobal.net LLC