Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3
Summary
Name: Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3
Release Date: 30 November 2012
Reference: NGS00288
Discoverer: Edward Torkington
Vendor: Microsoft
Vendor Reference:
Systems Affected: Windows XP SP3
Risk: Critical
Status: Published
TimeLine
Discovered: 2 April 2012
Released: 11 May 2012
Approved: 11 May 2012
Reported: 16 April 2012
Fixed: 14 August 2012
Published: 30 November 2012
Description
Terminal Services is one of the components of Microsoft Windows (both server and client versions) that allows a user to access applications and data on a remote computer over a network, using the Remote Desktop Protocol (RDP). Terminal Services is Microsoft’s implementation of thin-client terminal server computing, where Windows applications, or even the entire desktop of the computer running Terminal Services, are made accessible to a remote client machine. Typically, the server is accessed with the Remote Desktop client and connections are made over TCP port 3389.
Vulnerability
The terminal services server component is vulnerable to a pre-authentication memory corruption vulnerability. Sending a number of crafted packets to the TCP port (typically 3389) of the server component can cause an exploitable condition.
Technical Details
The Bug Check analysis is shown below and Microsoft have confirmed that exploitation could result in arbitrary code execution.
kd> !analyze -v
*******************************************************************************
Bugcheck Analysis
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: e1d9c028, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: b8bd17fb, If non-zero, the instruction address which referenced the
bad memory
address.
Arg4: 00000001, (reserved)
Debugging Details:
——————
WRITE_ADDRESS: e1d9c028
FAULTING_IP:
RDPWD!MCSIcaRawInput+4f5
b8bd17fb 83632000 and dword ptr [ebx+20h],0
MM_INTERNAL_CODE: 1
IMAGE_NAME: RDPWD.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4f0b04c1
MODULE_NAME: RDPWD
FAULTING_MODULE: b8bd1000 RDPWD
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: svchost.exe
TRAP_FRAME: b90e14a4 — (.trap 0xffffffffb90e14a4)
ErrCode = 00000002
eax=00000000 ebx=e1d9c008 ecx=0000b9fe edx=4de60000 esi=863a0765
edi=00000000
eip=b8bd17fb esp=b90e1518 ebp=b90e1530 iopl=0 nv up ei pl zr na pe
nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010246
RDPWD!MCSIcaRawInput+0x4f5:
b8bd17fb 83632000 and dword ptr [ebx+20h],0
ds:0023:e1d9c028=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 8051cc7f to 804f8cc5
STACK_TEXT:
b90e142c 8051cc7f 00000050 e1d9c028 00000001 nt!KeBugCheckEx+0x1b
b90e148c 805405d4 00000001 e1d9c028 00000000 nt!MmAccessFault+0x8e7
b90e148c b8bd17fb 00000001 e1d9c028 00000000 nt!KiTrap0E+0xcc
b90e1530 ba24d625 e1d55008 00000000 863a0765 RDPWD!MCSIcaRawInput+0x4f5
b90e1550 ba37a1e5 867cd3cc 00000000 863a057c termdd!IcaRawInput+0x53
b90e1d90 ba24c22f 863a0430 00000000 863a8020 TDTCP!TdInputThread+0x36f
b90e1dac 805c62c2 863aa008 00000000 00000000 termdd!_IcaDriverThread+0x51
b90e1ddc 80541e82 ba24c1de 8634d548 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
RDPWD!MCSIcaRawInput+4f5
b8bd17fb 83632000 and dword ptr [ebx+20h],0
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: RDPWD!MCSIcaRawInput+4f5
FOLLOWUP_NAME: MachineOwner
FAILURE_BUCKET_ID: 0x50_RDPWD!MCSIcaRawInput+4f5
BUCKET_ID: 0x50_RDPWD!MCSIcaRawInput+4f5
Followup: MachineOwner
Fix Information
http://technet.microsoft.com/en-us/security/bulletin/ms12-053