VERSIONS AFFECTED

  • Microsoft Windows 2000 Server Terminal Services

    DESCRIPTION

    A vulnerability in Windows 2000 Server Terminal Services can permit a malicious user to force a reboot of the terminal server.

    DEMONSTRATION

    The discoverer posted the following scenario as proof of concept:

    Exploit
    -------

    1. Open %systemroot%\system32\msgina.dll for exclusive access (read lock). I used Radsoft's hexview.exe from Rix2K to do so.

    2. Open a new connection to the server through RDP/ICA.

    3. Click Restart in the warning dialog box ("msgina.dll failed to load") that appears.

    Tested on Windows 2000 Server Service Pack 2 (SP2) with Microsoft Internet Explorer (IE) 5.5 and Windows 2000 Server SP3 with IE 5.5.

    VENDOR RESPONSE

    Microsoft hasn't released a fix or a response. The discoverer posted a workaround for Windows 2000 that suggests removing all permissions on msgina.dll for Power Users, Users, and Everyone.

    CREDIT

    Discovered by Jonathan Hunter.