VulDB: Microsoft Windows XP/Vista/7/Server 2003/2008 Remote Desktop Service buffer overflow
General

scipID: 4798
Affected: Microsoft Windows XP/Vista/7/Server 2003/2008
Published: 03/13/2012 (Luigi Auriemma)
Risk: very critical
Entry: 100% complete
Created: 03/14/2012
Updated: 09/03/2012
Summary
A vulnerability has been found in Microsoft Windows XP/Vista/7/Server 2003/2008 and classified as very critical. It affects an unknown function of the Remote Desktop Service component. Manipulation with an unknown input leads to a buffer overflow. The impact is known to affect confidentiality, integrity, and availability.
The weakness was presented on 03/13/2012 by Luigi Auriemma as MS12-020 in an article (Microsoft Technet) via ZDI (Zero Day Initiative). The advisory is available for download at technet.microsoft.com. The public release was coordinated in cooperation with the vendor. The vulnerability has carried the identifier CVE-2012-0002 since 11/09/2011. The attack can be initiated remotely, and no form of authentication is required for successful exploitation. Technical details are unknown, but a public exploit is available. This vulnerability has a historic impact due to its background and reception.
An exploit was developed by Luigi Auriemma and published 3 days after the advisory. It is declared as proof-of-concept and is available for download at aluigi.org. The vulnerability was handled as a non-public zero-day exploit for at least 202 days. The vulnerability scanner Nessus provides a plugin with the ID 58332 (MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)), which helps to determine whether the flaw is present in a target environment. It is assigned to the family Windows : Microsoft Bulletins, runs in the context local and relies on port 139.
Applying the patch MS12-020 eliminates this problem. The bugfix is available for download at technet.microsoft.com. The weakness can be mitigated by firewalling tcp/3389 (rdp); the best possible mitigation is patching the affected component. A possible mitigation was published immediately after the disclosure of the vulnerability. The vulnerability is also documented in the databases at OSVDB (80000), Secunia (SA48395), SecurityFocus (BID 52353) and SecurityTracker (ID 1026790). Additional details are provided at arstechnica.com.

CVSS
Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
| Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Network | Low | None | Complete | Complete | Complete |
Exploiting
Class: Buffer overflow
Local: No
Remote: Yes
Availability: Yes
Access: Public
Status: Proof-of-Concept
Reliability: 50%
Author: Luigi Auriemma
Download: aluigi.org
Nessus ID: 58332
Nessus Name: MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
Nessus Family: Windows : Microsoft Bulletins
Nessus Context: local
Nessus Port: 139
Exploit-DB: 18606
Countermeasures
Recommended: Patch
Reliability: 99%
Reaction Time: 202 days since reported
0-Day Time: 202 days since found
Exposure Time: 0 days since known
Exploit Delay Time: 3 days since known
Patch: MS12-020
Firewalling: tcp/3389 (rdp)
Timeline
08/24/2011 | Vendor informed
11/09/2011 | CVE assigned
03/13/2012 | Advisory disclosed
03/13/2012 | Countermeasure disclosed
03/13/2012 | Nessus plugin released
03/14/2012 | VulDB entry created
03/15/2012 | OSVDB entry created
03/16/2012 | Exploit disclosed
09/03/2012 | VulDB entry updated
Sources
Advisory: MS12-020
Researcher: Luigi Auriemma
Coordinated: Yes
OSVDB: 80000
CVE: CVE-2012-0002 (mitre.org) (nist.org) (cvedetails.com)
Secunia: 48395
SecurityFocus: 52353
SecurityTracker: 1026790
Misc.: arstechnica.com