
Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3

Summary

Name: Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3
Release Date: 30 November 2012
Reference: NGS00288
Discoverer: Edward Torkington 
Vendor: Microsoft
Vendor Reference:
Systems Affected: Windows XP SP3
Risk: Critical
Status: Published

Timeline

Discovered:  2 April 2012
Released: 11 May 2012
Approved: 11 May 2012
Reported: 16 April 2012
Fixed: 14 August 2012
Published: 30 November 2012

Description

Terminal Services is one of the components of Microsoft Windows (both server and client versions) that allows a user to access applications and data on a remote computer over a network, using the Remote Desktop Protocol (RDP). Terminal Services is Microsoft’s implementation of thin-client terminal server computing, where Windows applications, or even the entire desktop of the computer running Terminal Services, are made accessible to a remote client machine. Typically, the server is accessed with the Remote Desktop client and connections are made over TCP port 3389.

Vulnerability

The Terminal Services server component contains a pre-authentication memory corruption vulnerability. Sending a sequence of crafted packets to the TCP port on which the server component listens (typically 3389) can trigger an exploitable condition, without any credentials being supplied.

Technical Details

The bug check analysis is shown below; Microsoft has confirmed that exploitation could result in arbitrary code execution.

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except, it must be protected by a Probe.  Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: e1d9c028, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: b8bd17fb, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------

WRITE_ADDRESS:  e1d9c028

FAULTING_IP:
RDPWD!MCSIcaRawInput+4f5
b8bd17fb 83632000        and     dword ptr [ebx+20h],0

MM_INTERNAL_CODE:  1

IMAGE_NAME:  RDPWD.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4f0b04c1

MODULE_NAME: RDPWD

FAULTING_MODULE: b8bd1000 RDPWD

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  svchost.exe

TRAP_FRAME:  b90e14a4 -- (.trap 0xffffffffb90e14a4)
ErrCode = 00000002
eax=00000000 ebx=e1d9c008 ecx=0000b9fe edx=4de60000 esi=863a0765 edi=00000000
eip=b8bd17fb esp=b90e1518 ebp=b90e1530 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
RDPWD!MCSIcaRawInput+0x4f5:
b8bd17fb 83632000        and     dword ptr [ebx+20h],0
ds:0023:e1d9c028=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8051cc7f to 804f8cc5

STACK_TEXT: 
b90e142c 8051cc7f 00000050 e1d9c028 00000001 nt!KeBugCheckEx+0x1b
b90e148c 805405d4 00000001 e1d9c028 00000000 nt!MmAccessFault+0x8e7
b90e148c b8bd17fb 00000001 e1d9c028 00000000 nt!KiTrap0E+0xcc
b90e1530 ba24d625 e1d55008 00000000 863a0765 RDPWD!MCSIcaRawInput+0x4f5
b90e1550 ba37a1e5 867cd3cc 00000000 863a057c termdd!IcaRawInput+0x53
b90e1d90 ba24c22f 863a0430 00000000 863a8020 TDTCP!TdInputThread+0x36f
b90e1dac 805c62c2 863aa008 00000000 00000000 termdd!_IcaDriverThread+0x51
b90e1ddc 80541e82 ba24c1de 8634d548 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND:  kb

FOLLOWUP_IP:
RDPWD!MCSIcaRawInput+4f5
b8bd17fb 83632000        and     dword ptr [ebx+20h],0

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  RDPWD!MCSIcaRawInput+4f5

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  0x50_RDPWD!MCSIcaRawInput+4f5

BUCKET_ID:  0x50_RDPWD!MCSIcaRawInput+4f5

Followup: MachineOwner
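As an added example (not part of the advisory, and not Microsoft's or NGS's tooling), the Python below parses the key fields out of the !analyze -v output quoted above and derives the three facts that drove the Critical rating: the fault is a kernel-mode write (Arg2 = 1), the faulting instruction lies inside RDPWD.SYS at offset 0x7fb from the module base, and the call stack reaches that instruction from the TDTCP input thread, i.e. from data arriving on the network socket. The parse_bugcheck and triage functions and the flag names are my own.

```python
import re

# The '!analyze -v' excerpt quoted in this advisory, trimmed to the fields used below.
DUMP = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arguments:
Arg1: e1d9c028, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: b8bd17fb, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000001, (reserved)
FAULTING_IP:
RDPWD!MCSIcaRawInput+4f5
b8bd17fb 83632000        and     dword ptr [ebx+20h],0
FAULTING_MODULE: b8bd1000 RDPWD
STACK_TEXT:
b90e142c 8051cc7f 00000050 e1d9c028 00000001 nt!KeBugCheckEx+0x1b
b90e148c 805405d4 00000001 e1d9c028 00000000 nt!MmAccessFault+0x8e7
b90e148c b8bd17fb 00000001 e1d9c028 00000000 nt!KiTrap0E+0xcc
b90e1530 ba24d625 e1d55008 00000000 863a0765 RDPWD!MCSIcaRawInput+0x4f5
b90e1550 ba37a1e5 867cd3cc 00000000 863a057c termdd!IcaRawInput+0x53
b90e1d90 ba24c22f 863a0430 00000000 863a8020 TDTCP!TdInputThread+0x36f
b90e1dac 805c62c2 863aa008 00000000 00000000 termdd!_IcaDriverThread+0x51
"""

def parse_bugcheck(text):
    """Pull the fields an analyst checks first out of a WinDbg bugcheck report."""
    args = {int(k): int(v, 16) for k, v in re.findall(r"^Arg(\d): ([0-9a-f]{8}),", text, re.M)}
    code = int(re.search(r"^[A-Z_]+ \(([0-9a-f]+)\)", text, re.M).group(1), 16)
    ip = re.search(r"^FAULTING_IP:\n(\w+)!(\w+)\+([0-9a-f]+)\n([0-9a-f]{8}) [0-9a-f]+\s+(.*)$",
                   text, re.M)
    base = int(re.search(r"^FAULTING_MODULE: ([0-9a-f]{8})", text, re.M).group(1), 16)
    # A STACK_TEXT frame is five 8-digit hex words followed by module!symbol+offset.
    frames = re.findall(r"^[0-9a-f]{8}(?: [0-9a-f]{8}){4} (\S+)$", text, re.M)
    return {"code": code, "args": args, "module": ip.group(1), "symbol": ip.group(2),
            "sym_off": int(ip.group(3), 16), "ip": int(ip.group(4), 16),
            "instr": " ".join(ip.group(5).split()), "base": base, "frames": frames}

def triage(report):
    """Flag the properties that make a crash like this one worth escalating: a
    kernel-mode write to an invalid address, reached from the TCP transport thread."""
    a = report["args"]
    return {
        "is_write": report["code"] == 0x50 and a[2] == 1,       # Arg2: 1 = write operation
        "ip_consistent": a[3] == report["ip"],                   # Arg3 agrees with FAULTING_IP
        "module_offset": report["ip"] - report["base"],          # offset of the fault inside RDPWD.SYS
        "network_input_path": any(f.startswith("TDTCP!") for f in report["frames"]),
    }

if __name__ == "__main__":
    print(triage(parse_bugcheck(DUMP)))
```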

Fix Information

http://technet.microsoft.com/en-us/security/bulletin/ms12-053