CVE-2005-1794
CVSS 6.4
Published: 2005-06-01 00:00:00
Revised: 2011-07-18 21:27:37

[Original] Microsoft Terminal Server using Remote Desktop Protocol (RDP) 5.2 stores an RSA private key in mstlsapi.dll and uses it to sign a certificate, which allows remote attackers to spoof public keys of legitimate servers and conduct man-in-the-middle attacks.


[CNNVD] Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure Vulnerability (CNNVD-200506-002)

        The Microsoft Windows Remote Desktop Protocol (RDP) service lets clients access Microsoft Terminal Services.
        The Microsoft Windows RDP implementation has a flaw in how it handles key exchange: the RSA private key used to sign the server's public key is hardcoded in mstlsapi.dll, so a remote attacker can obtain it.
        Although traffic on the wire is encrypted, the server's identity is never verified when the session encryption key is established. Every server signs its public key with the same built-in private key and every client checks that signature with the matching built-in public key, so an attacker who has extracted the key can compute a valid signature over a public key of their own and mount a man-in-the-middle attack. An attacker who succeeds gains full control of the client's session with the server.

- CVSS (base score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

cpe:/a:microsoft:windows_terminal_services_using_rdp:5.2
cpe:/a:microsoft:remote_desktop_connection:5.1.2600.2180::windows_xp

- OVAL (technical details for detection)

oval:org.mitre.oval:def:12441 Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure Vulnerability
*OVAL describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical detail on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1794
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1794
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200506-002
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/13818
(UNKNOWN)  BID  13818
http://www.oxid.it/downloads/rdp-gbu.pdf
(VENDOR_ADVISORY)  MISC  http://www.oxid.it/downloads/rdp-gbu.pdf
http://secunia.com/advisories/15605/
(UNKNOWN)  SECUNIA  15605

- Vulnerability information

Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure Vulnerability
Medium severity, Design Error
2005-06-01 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch to fix this issue; patch download link:
        http://www.microsoft.com/technet/security/
        Note that this link is Microsoft's general security portal rather than a bulletin for this issue, and the OSVDB and SecurityFocus entries below record no vendor-supplied patch.

- Vulnerability information

17131
Microsoft Windows Remote Desktop Protocol (RDP) Private Key Disclosure
Local Access Required, Remote / Network Access, Information Disclosure, Loss of Confidentiality, Exploit Public

- Vulnerability description

Microsoft Windows Remote Desktop Protocol contains a flaw that may lead to an unauthorized information disclosure. The issue is due to a private key used to sign the Terminal Server public key being hardcoded in a program library (mstlsapi.dll). This may allow an attacker to disclose the key and calculate a valid signature to carry out a man in the middle (MITM) attack.

- Timeline

2005-05-28 Unknown
2005-05-28 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author

- Vulnerability information

Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure Vulnerability
Design Error, BID 13818
Remote: Yes  Local: No
2005-05-30 12:00:00 2009-07-12 02:56:00
Discovery is credited to Massimiliano Montoro <mao@oxid.it>.

- Affected versions

Microsoft RDP 5.2
+ Microsoft Windows Server 2003 Datacenter Edition
+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0
+ Microsoft Windows Server 2003 Enterprise Edition
+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0
+ Microsoft Windows Server 2003 Standard Edition
+ Microsoft Windows Server 2003 Web Edition
Microsoft RDP 5.1
+ Microsoft Windows XP 64-bit Edition SP1
+ Microsoft Windows XP 64-bit Edition
+ Microsoft Windows XP Home SP1
+ Microsoft Windows XP Home
+ Microsoft Windows XP Professional SP1
+ Microsoft Windows XP Professional
Microsoft RDP 5.0
+ Microsoft Windows 2000 Advanced Server SP3
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server SP3
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Datacenter Server SP1
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Professional SP3
+ Microsoft Windows 2000 Professional SP2
+ Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional
+ Microsoft Windows 2000 Server SP3
+ Microsoft Windows 2000 Server SP2
+ Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server
+ Microsoft Windows 2000 Terminal Services SP3
+ Microsoft Windows 2000 Terminal Services SP2
+ Microsoft Windows 2000 Terminal Services SP1
+ Microsoft Windows 2000 Terminal Services
Microsoft RDP 4.0
+ Microsoft Windows NT Terminal Server 4.0 SP6a
+ Microsoft Windows NT Terminal Server 4.0 SP6
+ Microsoft Windows NT Terminal Server 4.0 SP5
+ Microsoft Windows NT Terminal Server 4.0 SP4
+ Microsoft Windows NT Terminal Server 4.0 SP3
+ Microsoft Windows NT Terminal Server 4.0 SP2
+ Microsoft Windows NT Terminal Server 4.0 SP1
+ Microsoft Windows NT Terminal Server 4.0

- Vulnerability discussion

The vulnerability presents itself because the private key that is used to sign the Terminal Server public key is hardcoded in a DLL (mstlsapi.dll) that ships with every affected server.

Anyone who reads that key out of the DLL can compute a valid signature over any public key they choose. Because every client verifies the server's certificate against the single built-in public key that matches it, the signature proves nothing about which server produced it.

An attacker could therefore cause the client to connect to a server under their control and send the client a public key to which they possess the private key, then relay the session to the real server and read or modify everything in it.
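The following Python model, added here and not code from the page, from Microsoft or from Cain & Abel, shows why a shared signing key defeats the client's check. It assumes textbook RSA with 512-bit moduli, SHA-256 as the signature digest, a simple `n:e` byte encoding of public keys, a 256-bit client random and a pinned-key check as the hardened client; the real protocol's key sizes, hash, certificate format and mitigations differ, but the structure is the same: the server signs its public key with a key every server and client already holds, the client verifies only that signature, and an attacker holding the same key can sign a key of their own.

```python
"""Toy model of CVE-2005-1794: one RSA signing key shared by every Terminal Server.
Added example (not from the page, Microsoft or Cain & Abel); key sizes, digest,
encoding and the pinning check are assumptions for illustration."""
import hashlib
import random

RNG = random.Random(1794)  # fixed seed so the run is reproducible

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, adequate for demonstration keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        p = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1  # full width and odd
        if _is_probable_prime(p):
            return p

def gen_rsa(bits: int = 256) -> dict:
    """Textbook RSA key {'n', 'e', 'd'}; two 256-bit primes give a 512-bit modulus."""
    e = 65537
    while True:
        p, q = _gen_prime(bits), _gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def public(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}

def encode_pub(pub: dict) -> bytes:
    return b"%d:%d" % (pub["n"], pub["e"])  # assumed wire encoding of a public key

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # always < a 512-bit n

def sign(priv: dict, data: bytes) -> int:
    return pow(_digest(data), priv["d"], priv["n"])

def verify(pub: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest(data)

# The flaw: a single signing key baked into mstlsapi.dll. The legitimate server and the
# attacker below use the very same object, which stands in for "read it out of the DLL".
TS_SIGNING_KEY = gen_rsa()
TS_VERIFY_KEY = public(TS_SIGNING_KEY)  # the matching public key built into every client

def issue_proprietary_cert(server_pub: dict, signing_key: dict) -> dict:
    """The server's RSA public key plus the Terminal Services signature over it."""
    return {"pub": server_pub, "sig": sign(signing_key, encode_pub(server_pub))}

def client_accepts_legacy(cert: dict) -> bool:
    """A 2005 client's whole check: does the built-in key verify the signature?"""
    return verify(TS_VERIFY_KEY, encode_pub(cert["pub"]), cert["sig"])

def client_accepts_pinned(cert: dict, expected_pub: dict) -> bool:
    """Hardened client (assumed): the signed key must also be the one this client expects."""
    return client_accepts_legacy(cert) and cert["pub"] == expected_pub

def mitm_session() -> dict:
    """Legitimate server, attacker in the path, client sending its random to the server."""
    real_server, attacker = gen_rsa(), gen_rsa()
    real_cert = issue_proprietary_cert(public(real_server), TS_SIGNING_KEY)
    forged_cert = issue_proprietary_cert(public(attacker), TS_SIGNING_KEY)  # same key
    # The client trusts the forged cert, so it encrypts its random to the attacker's key;
    # the attacker decrypts it and re-encrypts it to the real server, which notices nothing.
    client_random = RNG.getrandbits(256)
    c_to_attacker = pow(client_random, attacker["e"], attacker["n"])
    recovered = pow(c_to_attacker, attacker["d"], attacker["n"])
    c_to_server = pow(recovered, real_server["e"], real_server["n"])
    server_sees = pow(c_to_server, real_server["d"], real_server["n"])
    return {
        "legacy_accepts_real": client_accepts_legacy(real_cert),
        "legacy_accepts_forged": client_accepts_legacy(forged_cert),
        "attacker_has_client_random": recovered == client_random,
        "server_unaware": server_sees == client_random,
        "pinned_accepts_real": client_accepts_pinned(real_cert, public(real_server)),
        "pinned_accepts_forged": client_accepts_pinned(forged_cert, public(real_server)),
    }
```

Calling `mitm_session()` returns a dict of six checks: the legacy client accepts both the real and the forged certificate, the attacker recovers the client random and forwards it unchanged so the server is none the wiser, and only the pinned client rejects the forged certificate. Pinning stands in for any check that ties the presented key to a particular server (a certificate chain to a trusted authority does the same job); what matters is that the check depend on something the attacker does not also hold.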

- Exploit

An exploit to leverage this issue is available as a part of Cain & Abel version 2.7.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at vuldb@securityfocus.com.

- References
