
Windows 2000 Terminal Server DoS attack



24th Jan 2003 [SBWID-5949]
COMMAND

	Windows 2000 Terminal Server DoS attack

SYSTEMS AFFECTED

	Windows 2000 Terminal Server

PROBLEM

	Jonathan Hunter says:
	
	Any user with sufficient permission to log on to a Windows 2000
	Terminal Server (via RDP or ICA) and access its filesystem can reboot
	the server at will.
	
	 Exploit
	 -------
	
	- Open %SYSTEMROOT%\SYSTEM32\MSGINA.DLL for exclusive access (read lock).
	  I used Radsoft's HEXVIEW.EXE from Rix2K to do this.
	
	- Open a new connection to the server via RDP/ICA
	
	- Click the nice, helpful "Restart" button in the warning dialog that
	  appears ("msgina.dll failed to load")
	
	Tested on Windows 2000 Server (IE55, SP2) and Windows 2000 Server
	(IE55, SP3).

SOLUTION

	No patch yet.
	
	 Workaround
	 ----------
	
	- Remove all permissions from MSGINA.DLL for "Power Users", "Users" and
	  "Everyone"
	
	Note: The above workaround has been tested on Windows 2000 Server
	(IE55, SP2) and users were still able to log in as normal. I am not
	aware of a need for MSGINA.DLL to be accessible by normal users, but if
	there are any such circumstances Microsoft will need to produce an
	alternative fix.
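
An added example, not part of the original advisory or of Jonathan Hunter's post: a Python check that reads saved `cacls` output for MSGINA.DLL and reports any ACL entries still present for the three groups named in the workaround. The C:\WINNT path, the function names and both sample outputs are assumptions constructed for illustration.

```python
# Added example: audit captured `cacls` output for the MSGINA.DLL workaround.
# Principals the advisory's workaround removes from the file's ACL.
WORKAROUND_PRINCIPALS = {"power users", "users", "everyone"}

def parse_cacls(output, path):
    """Parse `cacls <path>` text into (principal, rights) pairs."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        # cacls prints the file path in front of the first ACL entry only.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        principal, sep, rights = line.partition(":")
        if sep and principal:
            entries.append((principal.strip(), rights.strip()))
    return entries

def remaining_entries(output, path):
    """Return ACL entries that the workaround says should be gone."""
    hits = []
    for principal, rights in parse_cacls(output, path):
        # Compare on the account name only: BUILTIN\Users -> users.
        name = principal.rsplit("\\", 1)[-1].lower()
        if name in WORKAROUND_PRINCIPALS:
            hits.append((principal, rights))
    return hits

PATH = r"C:\WINNT\system32\msgina.dll"  # assumed %SYSTEMROOT% of C:\WINNT

# Constructed sample output, not captured from a real server.
BEFORE = r"""C:\WINNT\system32\msgina.dll BUILTIN\Users:R
                             BUILTIN\Power Users:R
                             BUILTIN\Administrators:F
                             NT AUTHORITY\SYSTEM:F
                             Everyone:R
"""
AFTER = r"""C:\WINNT\system32\msgina.dll BUILTIN\Administrators:F
                             NT AUTHORITY\SYSTEM:F
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        left = remaining_entries(text, PATH)
        print(label, "workaround applied" if not left else left)
```

An empty result means none of the three groups is listed on the file any more.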

