Vendor: Terminal Services / Remote Desktop Services
By: Luigi Auriemma
CVSS: 9.3 (HIGH)
CWE: 416 (Use-After-Free)
Product Name: Terminal Services / Remote Desktop Services
Affected Version From: any Windows version before 13 Mar 2012
Affected Version To: any Windows version before 13 Mar 2012
Patch Exists: YES
Related CVE: CVE-2012-0002
CPE: o:microsoft:windows
Platforms Tested: Windows
2012
Microsoft Terminal Services / Remote Desktop Services Use-After-Free Vulnerability
The Remote Desktop Protocol is used by 'Terminal Services / Remote Desktop Services' and is handled at kernel level on port 3389. A use-after-free vulnerability exists in the handling of the maxChannelIds field of the T.125 ConnectMCSPDU packet (offset 0x2c of the provided proof-of-concept) when that field is set to a value less than or equal to 5. The problem occurs during the disconnection of the user, initiated by RDPWD!NM_Disconnect; the effect of the potential code execution becomes visible in termdd!IcaBufferAlloc (termdd!IcaBufferAllocEx on Windows 7/2008) after termdd!IcaGetPreviousSdLink returns an invalid memory pointer, i.e. a pointer to an already freed memory area.
Mitigation:
Microsoft released a patch to address this vulnerability.