Vulnerability: Microsoft Terminal Server Client Buffer Overrun
Results 1 to 4 of 4

Thread: Vulnerability: Microsoft Terminal Server Client Buffer Overrun

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001

    Exclamation Vulnerability: Microsoft Terminal Server Client Buffer Overrun

    Microsoft Terminal Server ActiveX client is the ActiveX version of the standard Windows Terminal Services client. It allows a client to connect to a a Terminal Server from a web page. This allows a web developer to integrate a Win32-based application into a web page.

    There is a buffer overrun vulnerability in one of the parameters used by the ActiveX component when it is embedded in a web page. An attacker could exploit this vulnerability to run malicious code on a target system. The user would need to open a malicious HTML file as
    an attachment to an email message, as a file on the local or network file system, or as a link on a malicious web site. If the malicious HTML file is opened it will cause the Active X component to execute the arbitrary computer code contained within the HTML page with the
    permissions of the attacker.

    Since the Microsoft Terminal Server ActiveX client is signed by Microsoft and marked safe there is no warning with the default Internet Explorer security settings if you have previously selected to trust all controls signed by Microsoft. This is a good example of why not to trust any ActiveX components from an unknown source. A malicious site could use an old vulnerable version of the ActiveX control even after the patched ActiveX component is available from Microsoft. If users install the latest vendor cumlative patch for Internet Explorer
    this problem is eliminated.


    By default the Terminal Server ActiveX client will install itself in a directory such as 'http://site/tsweb/'. The buffer overrun condition occurs when a large string is used for the server name field. We were able to cause an exception to occur with a long string made up of the letter 'A'. The result was the over writing of EIP with 0x41414141.
    ESI will point the buffer of supplied data.

    The ID of the component tested was: 1FB464C8-09BB-4017-A2F5-EB742F04392F

    Vendor Response:

    Vendor has bulletin and patch for Terminal Server.

    Vendor has bulletin and patch for Internet Explorer


    You should never open attachments/webpages that come from unknown sources no matter how benign they may appear. Be wary of those that come from known sources.

    You should consider the benefits and risks of each attachment file type or ActiveX control that you let into your organization. Attachment file types or ActiveX controls that you do not need should be dropped at your perimeter mail gateway or proxy server. Attachments that you
    choose to forward on into your organization should be scanned for known malicious code using a antivirus product.

    End users should install the latest Internet Explorer cumulative patch which sets the Kill Bit on the vulnerable version of the ActiveX component so it will not execute.

    Terminal Server administrators should install the vendor patch to update the ActiveX component they have available for download. Until this patch is installed users who have installed the Internet Explorer cumulative patch will not be able to access the Terminal
    Server via the ActiveX component.

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (, which standardizes names for security problems.

    CAN-2002-0726 Terminal Server ActiveX Client Buffer Overrun

    @stake Vulnerability Reporting Policy:

    @stake Advisory Archive:

    PGP Key:

    Copyright 2002 @stake, Inc. All rights reserved.

    Version: PGP 7.0.3

    -----END PGP SIGNATURE-----

  2. #2
    Senior Member
    Join Date
    Oct 2001
    So nobodies going to slam someone with high APs for copying something without giving source? If this were a newbie they'd get reemed for not just posting the link. How about some consistency on what people say/do???

  3. #3
    Join Date
    Jul 2002
    Buffer overflow, buffer overflow, buffer overflow....

    Don't the m$ engineers (I use the term VERY loosely) know the meaning of the word validation?!?!? (Obviously not...)


    It's so pathetic anymore.....

  4. #4
    Senior Member
    Join Date
    Jan 2002

    Re: Vulnerability: Microsoft Terminal Server Client Buffer Overrun

    If users install the latest vendor cumlative patch for Internet Explorer

    Allready done! Good post sOnic
    i m gone,thx everyone for so much fun and good info.
    cheers and good bye

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts