MS02-046: Buffer overrun in TSAC ActiveX control might allow code execution (327521)



The information in this article applies to:

  • Microsoft Windows NT Server 4.0 Terminal Server Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows XP Professional
  • Microsoft Windows XP 64-Bit Edition
  • Microsoft Small Business Server 2000

This article was previously published under Q327521

SYMPTOMS

The Terminal Services Advanced Client (TSAC) Web control is an ActiveX control you can use to run Terminal Services sessions in Internet Explorer. The downloadable ActiveX control provides almost the same functionality as the full Terminal Services Client, but is designed to deliver this functionality over the Web.

The TSAC control does not come installed as part of any Windows client. Instead, clients obtain the control from Web servers that offer terminal services. The configuration process that makes it possible for an Internet Information Services (IIS) server to provide terminal services involves installing a .cab file that contains the control on the server. The server then delivers the .cab file to any client computer that needs it, and the client installs the control from the .cab file.

A security vulnerability results because the control contains an unchecked buffer in the code that processes one of the input parameters. By calling the control on a client and overrunning the buffer, an attacker can gain the ability to run code in the security context of the currently-logged-on user. This makes it possible for the attacker to control the user's computer. The attacker can mount an attack by either hosting a Web page that exploits the vulnerability against any user who visits it, or by sending an HTML e-mail message to another user.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to Obtain the Latest Windows XP Service Pack

Download Information

For administrators of Web sites that provide terminal services to obtain the updated TSAC ActiveX control, visit the following Microsoft Web site:

Users must install the August 22, 2002 cumulative patch for Internet Explorer. For additional information about how to do so, click the article number below to view the article in the Microsoft Knowledge Base:

323759 MS02-047: August 22, 2002, Cumulative Patch for Internet Explorer

Release Date: August 22, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information

This patch replaces the functionality of the previous Connect.asp file with a new Microsoft Dynamic HTML-based (DHTML-based) Default.htm file, but the patch does not remove the previous Connect.asp file. Administrators who have modified this page can port the modifications to the new Default.htm page and then delete the Connect.asp and Mstsax.cab files.

You do not have to restart your server after you apply the updated TSAC ActiveX control.

Users who are members of the "Regular Users" group cannot install ActiveX controls. The administrator must repeat the method that was used previously to install the ActiveX control on the user's computer. For additional information about how to do so, click the article numbers below to view the articles in the Microsoft Knowledge Base:

241163 How to Publish ActiveX Controls in Windows 2000 Using IntelliMirror

280579 HOWTO: Install ActiveX Controls in Internet Explorer Using the Active Directory

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version     Size     File name
   -----------------------------------------------------
   16-Apr-2002  18:32                2,022  Bluebarh.gif
   16-Apr-2002  18:32                2,085  Bluebarv.gif
   10-Aug-2002  07:23               21,723  Default.htm
   10-Aug-2002  13:31              310,400  Msrdp.cab
   01-Jul-2002  21:38               11,595  Readme.htm
   16-Apr-2002  18:32                9,644  Win2000l.gif
   16-Apr-2002  18:32                1,958  Win2000r.gif
				
The English version of the Msrdp.cab file has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version        Size     File name
   -----------------------------------------------------
   10-Aug-2002  07:23                   1,561  Msrdp.inf
   10-Aug-2002  04:16  5.1.2600.1095  600,064  Msrdp.ocx
				

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Terminal Services Advanced Client (TSAC) web control. This problem was first corrected in Windows XP Service Pack 1.

MORE INFORMATION

After you install this update, permissions for the HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing and HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing\HardwareID keys are modified so that the Users group has read-only access. This change may cause connection problems with older RDP or Citrix clients. To resolve this problem, install an updated client or give the Users group Set Value and Create Subkey permissions on the HardwareID key by using Registry Editor (Regedt32.exe).

For more information about this vulnerability, visit the following Microsoft Web site:

To prevent potential exploits in older versions of the Terminal Services Web client, Internet Explorer now blocks these OCX controls:
  • Terminal Services Advanced Client (TSAC) 1.0 ActiveX control - Globally Unique Identifier (GUID): {1fb464c8-09bb-4017-a2f5-eb742f04392f}
  • Windows XP version of the TSAC - GUID: {791fa017-2de3-492e-acc5-53c67a2b94d0}
  • Windows .NET BETA versions of the TSAC - GUID: {931a8c29-3ea9-494d-91e7-22e9a9247687}
Administrators of the Terminal server and Web developers may also have to modify existing Active Server Pages (ASP) code to load the updated control. To do so, open the ASP files in a text editor such as Notepad and change any Object tags that refer to the Terminal Services ActiveX control so that the Clsid and Codebase attributes reference the following new values:
  • CLASSID="CLSID:9059f30f-4eb1-4bd2-9fdc-36f43a218f4a"

  • CODEBASE="msrdp.cab#version=5,1,2600,1095"
NOTE: The updated Terminal Services ActiveX control package automatically replaces the Clsid and Codebase attributes in the default Web page and changes the ID attribute to MsRdpClient. If you use custom code to script the Terminal Services ActiveX control, make sure that your code uses the same ID attribute in the OBJECT tag that you reference elsewhere in your custom code.
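
The following script is an added example, not part of the original article or of Microsoft's update package. It audits the text of an ASP or HTML page for OBJECT tags that still reference one of the blocked TSAC GUIDs, or that reference the updated CLSID without a CODEBASE version of at least 5,1,2600,1095. The function name, the sample page and its mstsax.cab reference are constructed for illustration.

```python
import re

# GUIDs this article says Internet Explorer now blocks (older TSAC builds).
BLOCKED = {
    "1fb464c8-09bb-4017-a2f5-eb742f04392f": "TSAC 1.0",
    "791fa017-2de3-492e-acc5-53c67a2b94d0": "Windows XP TSAC",
    "931a8c29-3ea9-494d-91e7-22e9a9247687": "Windows .NET beta TSAC",
}
FIXED_CLSID = "9059f30f-4eb1-4bd2-9fdc-36f43a218f4a"   # updated control
MIN_VERSION = (5, 1, 2600, 1095)                       # from the CODEBASE value

# An OBJECT start tag; inline ASP blocks (<% ... %>) inside it are skipped over.
OBJECT_TAG = re.compile(r"<object\b(?:<%.*?%>|[^>])*>", re.I | re.S)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def audit_page(text):
    """Return (line_no, problem) for each OBJECT tag that needs attention."""
    findings = []
    for m in OBJECT_TAG.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        attrs = {k.lower(): (a or b or c) for k, a, b, c in ATTR.findall(m.group(0))}
        clsid = attrs.get("classid", "").lower().removeprefix("clsid:").strip("{}")
        if clsid in BLOCKED:
            findings.append((line, f"blocked control: {BLOCKED[clsid]}"))
        elif clsid == FIXED_CLSID:
            ver = re.search(r"#version=([\d,]+)", attrs.get("codebase", ""), re.I)
            nums = tuple(int(n) for n in ver.group(1).split(",") if n) if ver else ()
            if nums < MIN_VERSION:   # an absent version compares as () and is flagged
                findings.append((line, "codebase version missing or below 5,1,2600,1095"))
    return findings

# Constructed sample page: one stale tag, one correct tag, one tag without a version.
SAMPLE = '''<html><body>
<object id="MsTsc" classid="CLSID:1fb464c8-09bb-4017-a2f5-eb742f04392f" codebase="mstsax.cab"></object>
<OBJECT ID="MsRdpClient" CLASSID="CLSID:9059f30f-4eb1-4bd2-9fdc-36f43a218f4a"
        CODEBASE="msrdp.cab#version=5,1,2600,1095"></OBJECT>
<object classid="clsid:9059F30F-4EB1-4BD2-9FDC-36F43A218F4A" codebase="msrdp.cab"></object>
</body></html>'''

if __name__ == "__main__":
    for line_no, problem in audit_page(SAMPLE):
        print(f"line {line_no}: {problem}")
```

A CODEBASE value that is generated by server-side script cannot be parsed statically and is reported as a missing version, so review those tags by hand.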

Modification Type: Major
Last Reviewed: 3/16/2005
Keywords:kbbug kbenv kbfix KbSECBulletin kbSecurity KbSECVulnerability kbWin2000preSP4Fix kbWinXPsp1fix KB327521