Microsoft's Remote Desktop Protocol (RDP) contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered because the checksums of the plaintext session data are sent without being encrypted themselves. An attacker who can eavesdrop on and record a session may use these cleartext checksums to conduct a cryptanalytic attack and recover the session data, resulting in a loss of confidentiality.
Classification
Location:
Remote/Network Access Required
Attack Type:
Cryptographic,
Information Disclosure
Impact:
Loss of Confidentiality
Exploit:
Exploit Rumored / Private
Disclosure:
OSVDB Verified
Technical
All RDP implementations allow the data in an RDP session to be encrypted. However, in the versions shipped with Windows 2000 and Windows XP, the checksums of the plaintext session data are sent without being encrypted themselves. An attacker who was able to eavesdrop on and record an RDP session could conduct a straightforward cryptanalytic attack against the checksums and recover the session traffic. Note that the attacker must be positioned to capture the traffic; the flaw does not grant network access on its own.

The same bulletin also addresses a second, separate issue: the RDP implementation in Windows XP does not correctly handle data packets that are malformed in a particular way. Upon receiving such packets, the Remote Desktop service would fail, and with it the operating system. An attacker would not need to authenticate to an affected system in order to deliver packets of this type to it.
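The eavesdropping attack described above, as an added worked example that is not part of the OSVDB entry or of Microsoft's bulletin. It models the class of flaw only: a checksum of the plaintext that travels in the clear next to a stream-cipher ciphertext, so the checksum acts as a free offline verifier for plaintext guesses. The toy SHA-256 counter-mode cipher, the CRC-32 checksum, the one-keystroke-per-packet layout, the constructed captured traffic and the hardened encrypt-then-MAC variant are all assumptions of the example, not RDP's actual cipher, packet format or checksum algorithm (which this entry does not describe).

```python
import hashlib
import hmac
import os
import string
import zlib
from typing import Iterable, Optional


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Assumption of the example:
    it stands in for the session cipher, and the attack never touches it."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_packet(session_key: bytes, seq: int, plaintext: bytes) -> tuple:
    """Flawed layout (models the advisory): encrypted payload plus a checksum
    of the PLAINTEXT that is neither keyed nor encrypted. Returns (ct, crc)."""
    ks = keystream(session_key + seq.to_bytes(4, "big"), len(plaintext))
    return xor_bytes(plaintext, ks), zlib.crc32(plaintext)


def hardened_packet(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> tuple:
    """Hardened layout (assumed fix, not Microsoft's patch): keyed MAC over the
    CIPHERTEXT and sequence number (encrypt-then-MAC). Returns (ct, tag)."""
    ks = keystream(enc_key + seq.to_bytes(4, "big"), len(plaintext))
    ct = xor_bytes(plaintext, ks)
    tag = hmac.new(mac_key, seq.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:8]
    return ct, tag


def match_checksum(checksum: int, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Eavesdropper's step: test plaintext guesses against the cleartext
    checksum. Returns the unique matching candidate, or None."""
    hits = [c for c in candidates if zlib.crc32(c) == checksum]
    return hits[0] if len(hits) == 1 else None


def recover_keystrokes(captured: list) -> str:
    """Recover a typed string from packets that each carry one keystroke.
    The ciphertext is never decrypted; only the checksum is used."""
    singles = [bytes([b]) for b in string.printable.encode()]
    out = []
    for _ct, checksum in captured:
        hit = match_checksum(checksum, singles)
        out.append(hit.decode() if hit else "?")
    return "".join(out)


def recover_from_wordlist(captured: tuple, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Same idea for a multi-byte, low-entropy payload such as a password field."""
    return match_checksum(captured[1], wordlist)


def demo() -> dict:
    session_key = os.urandom(16)
    typed = "su -\nPassw0rd!\n"            # constructed sample keystroke stream
    captured = [flawed_packet(session_key, i, ch.encode()) for i, ch in enumerate(typed)]
    recovered = recover_keystrokes(captured)

    wordlist = [b"letmein", b"Passw0rd!", b"hunter2", b"correct horse"]  # constructed
    from_list = recover_from_wordlist(flawed_packet(session_key, 99, b"Passw0rd!"), wordlist)

    # Flawed: the checksum of a given plaintext is the same in every session,
    # so a table of checksums can be precomputed once and reused.
    other_key = os.urandom(16)
    crc_same = flawed_packet(session_key, 0, b"a")[1] == flawed_packet(other_key, 0, b"a")[1]

    # Hardened: same plaintext, same seq, different MAC keys -> unrelated tags,
    # and without mac_key there is nothing the eavesdropper can verify offline.
    _, tag_a = hardened_packet(session_key, os.urandom(16), 0, b"a")
    _, tag_b = hardened_packet(session_key, os.urandom(16), 0, b"a")
    return {"recovered": recovered, "from_list": from_list,
            "crc_same": crc_same, "tags_differ": tag_a != tag_b}


if __name__ == "__main__":
    print(demo())
```

The recovery works because per-packet plaintext is small and low-entropy (keystrokes, short fields), so the candidate space can be enumerated and the cleartext checksum confirms the right guess without any attack on the cipher. Covering the sequence number in the MAC is deliberate: a deterministic tag over plaintext alone, even if keyed, would still reveal which packets carry identical data within a session.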
Solution
There are no known workarounds or upgrades that correct this issue. Microsoft has released a patch that addresses this vulnerability in Microsoft Security Bulletin MS02-051.