CERT-In Vulnerability Note CIVN-2009-104
Microsoft Windows Remote Desktop Connection Remote Code Execution Vulnerabilities
Original Issue Date: August 13, 2009
Severity Rating: High
System Affected
- Microsoft Windows 2000 SP4
- Microsoft Windows XP SP3
- Microsoft Windows XP SP2
- Microsoft Windows XP Professional x64 Edition SP2
- Microsoft Windows Server 2003 SP2
- Microsoft Windows Server 2003 for Itanium-based Systems with SP2
- Microsoft Windows Vista SP
- Microsoft Windows Vista SP1
- Microsoft Windows Vista SP2
- Microsoft Windows Vista x64 Edition
- Microsoft Windows Server 2008 for 32-bit Systems SP2
- Microsoft Windows Server 2008 for x64-based Systems SP2
- Microsoft Windows Server 2008 for Itanium-based Systems
- Macintosh OS X Systems using Microsoft Remote Desktop Connection Client for Mac version 2
Affected Component
- RDP Versions 6.1, 6.0, 5.2, 5.1, 5.0
Overview
Two remote code execution vulnerabilities have been reported in Microsoft Remote Desktop Connection. An attacker can exploit them by persuading a Terminal Services user to connect to a malicious RDP (Remote Desktop Protocol) server, or by tricking the user into visiting a specially crafted website by getting them to click a link in an e-mail message or Instant Messenger message. Successful exploitation results in remote execution of arbitrary code in the context of the logged-in user.
If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
Description
The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications running on a server.
1. Remote Desktop Connection Heap Overflow Vulnerability (CVE-2009-1133)
The vulnerability exists because Remote Desktop Connection on affected systems does not properly handle memory when receiving parameters from a malicious RDP server. An attacker can use a malicious RDP server to send malformed responses to Remote Desktop Connection that will result in heap memory corruption.
Workaround
Restrict access to the Terminal Services ActiveX control 'mstscax.dll'.
2. Remote Desktop Connection ActiveX Control Heap Overflow Vulnerability (CVE-2009-1929)
The vulnerability exists because the Remote Desktop Connection ActiveX control on affected systems does not properly handle memory when it receives parameters from a malicious website.
Workarounds
- Prevent the Remote Desktop Connection ActiveX control from running in Internet Explorer.
- Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones.
For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Bulletin MS09-044.
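An added example, not part of the CERT-In note or the Microsoft bulletin: a read-only PowerShell check that reports whether the Internet Explorer kill bit described in KB 240797 (listed under References) is set for a given ActiveX class identifier. The CLSID shown is a placeholder, and the function name `Get-KillBitStatus` is hypothetical; the class identifiers of the Remote Desktop Connection ActiveX control are to be taken from MS09-044.

```powershell
# Added example: audit the Internet Explorer "kill bit" for ActiveX CLSIDs.
# The CLSID below is a PLACEHOLDER. Replace it with the class identifiers of
# the Remote Desktop Connection ActiveX control given in MS09-044.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

# The kill bit is 0x400 in the "Compatibility Flags" DWORD (KB 240797).
$KillBit = 0x400

# 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view,
# so both registry views are checked.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    param([string[]]$Clsid, [string[]]$Root)

    foreach ($r in $Root) {
        # The Wow6432Node view does not exist on 32-bit Windows; skip it.
        if (-not (Test-Path -LiteralPath $r)) { continue }

        foreach ($c in $Clsid) {
            $key   = Join-Path $r $c
            $flags = $null
            if (Test-Path -LiteralPath $key) {
                $item  = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                             -ErrorAction SilentlyContinue
                if ($item) { $flags = $item.'Compatibility Flags' }
            }

            # One row per (registry view, CLSID); nothing is written to the registry.
            New-Object PSObject -Property @{
                Root       = $r
                Clsid      = $c
                Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
                KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
            }
        }
    }
}

Get-KillBitStatus -Clsid $Clsids -Root $Roots |
    Select-Object Clsid, KillBitSet, Flags, Root |
    Format-Table -AutoSize
```

A row with `KillBitSet` equal to `False` means the control can still be instantiated by Internet Explorer from that registry view.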
Solution
Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS09-044.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-044.mspx
References
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-044.mspx
http://support.microsoft.com/kb/240797
CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=18767
http://tools.cisco.com/security/center/viewAlert.x?alertId=18768
ISS XFORCE
http://xforce.iss.net/xforce/xfdb/52116
CVE Name
CVE-2009-1133
CVE-2009-1929
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003