CERT-MU Vulnerability Note VN-2009-21

Microsoft Windows Remote Desktop Connection Remote Code Execution Vulnerabilities

Original Issue Date: August 13, 2009

Severity Rating: High

Affected Softwares

• Microsoft Windows 2000 SP4
• Microsoft Windows XP SP3
• Microsoft Windows XP SP2
• Microsoft Windows XP Professional x64 Edition SP2
• Microsoft Windows Server 2003 SP2
• Microsoft Windows Server 2003 for Itanium-based Systems with SP2
• Microsoft Windows Vista SP
• Microsoft Windows Vista SP1
• Microsoft Windows Vista SP2
• Microsoft Windows Vista x64 Edition
• Microsoft Windows Server 2008 for 32-bit Systems SP2
• Microsoft Windows Server 2008 for x64-based Systems SP2
• Microsoft Windows Server 2008 for Itanium-based Systems
• Macintosh OS X Systems using Microsoft Remote Desktop Connection Client for Mac version 2

Affected Component

• RDP Versions 6.1, 6.0, 5.2, 5.1,5.0

Overview

Two remote code execution vulnerabilities have been in reported Microsoft Remote Desktop connection. An attacker can exploit these vulnerabilities by persuading a user of terminal services to connect to a malicious RDP (Remote Desktop Protocol) server or trick the user to visit a specially crafted website to exploit these vulnerabilities by getting them to click a link of an e-mail message or Instant Messenger message. Successful exploitation of this vulnerability results in remote execution of arbitrary code in the context of the logged-in-user.

If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

Description

The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications running on a server.

• Remote Desktop Connection Heap Overflow Vulnerability (CVE-2009-1133)
  
  The vulnerability exists because Remote Desktop Connection on affected systems does not properly handle memory when receiving parameters from a malicious RDP server. An attacker can use a malicious RDP server to send malformed responses to Remote Desktop Connection that will result in heap memory corruption.
  
  Workaround
  
  Restrict access to Terminal Service ActiveX control ‘mstscax.dll'
  
  
• Remote Desktop Connection ActiveX Control Heap Overflow Vulnerability
  
  The vulnerability exists because the Remote Desktop Connection ActiveX control on affected systems does not properly handle memory when it receives parameters from a malicious website.
  

  Workarounds

  • Prevent the Remote Desktop Connection ActiveX control from running in Internet Explorer.
  • Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones
  • For detailed steps and impact of applying these workarounds refer to Microsoft Security bulletin MS09-044

  Solution

  Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS09-044

  CVE Name

  CVE-2009-1333
  CVE-2009-1929
  

  Disclaimer

  The information provided herein is on "as is" basis, without warranty of any kind.

  Vendor Information

  Microsoft
  http://www.microsoft.com/technet/security/Bulletin/MS09-044.mspx

  References

  Microsoft
  http://www.microsoft.com/technet/security/Bulletin/MS09-044.mspx
  http://support.microsoft.com/kb/240797
  
  CISCO
  http://tools.cisco.com/security/center/viewAlert.x?alertId=18767
  http://tools.cisco.com/security/center/viewAlert.x?alertId=18768
  
  ISS XFORCE
  http://xforce.iss.net/xforce/xfdb/52116