CVE-2001-0540
Published 2001-10-30
Priority P4 · 25
CVSS 2.0: 5.0 (medium), vector AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 71.25% (99.3rd percentile)
Memory leak in Terminal servers in Windows NT and Windows 2000 allows remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed Remote Desktop Protocol (RDP) requests to port 3389.
Detection & IOCs (extracted from sources)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET REMOTE_ACCESS MS Terminal Server Root login"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=root|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012710; rev:2; metadata:created_at 2011_04_22, cve CVE_2001_0540, former_category INFO, confidence Medium, signature_severity Unknown, updated_at 2024_06_27;)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET INFO MS Remote Desktop POS User Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=pos|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012711; rev:2; metadata:created_at 2011_04_22, cve CVE_2001_0540, confidence High, signature_severity Informational, updated_at 2024_03_06;)
Byte pattern: |03 00 00| at depth 3, followed by |e0 00 00 00 00 00| at distance 2 within 6
- Target TCP port 3389 (RDP/Terminal Services); alert on inbound connections from external networks whose first client PDU is an RDP X.224 Connection Request carrying a specific mstshash cookie value. The rules match well-formed connection requests; they do not look for malformed PDUs.
- Detect RDP connection requests with the mstshash cookie value set to 'root', which is anomalous on Windows (there is no built-in 'root' account) and is often produced by automated or malicious tooling targeting Terminal Services.
- Detect RDP connection requests with the mstshash cookie value set to 'pos', associated with point-of-sale terminals or automated login attempts against Terminal Services.
- An RDP client connection opens with a TPKT header (0x03 version, 0x00 reserved, 16-bit big-endian length) followed by an X.224 Connection Request TPDU: one length-indicator byte, then 0xe0 (CR code with credit 0), 0x00 0x00 DST-REF, 0x00 0x00 SRC-REF and 0x00 class 0. The rules anchor |03 00 00| in the first three bytes (which also assumes a TPKT length below 256), skip the low length byte and the length indicator with distance:2, and require |e0 00 00 00 00 00| immediately after (within:6) to fingerprint RDP connection initiation before searching for the cookie string.
- Apply detection only to established TCP flows directed to the server (to_server), reducing false positives from server-side RDP responses.
- The Snort/ET rules reference CVE-2001-0540 but are behaviorally oriented toward suspicious RDP username cookies (root and pos here, plus the companion admin and service rules listed below) rather than directly detecting the memory-exhaustion DoS condition itself; they serve as proximity indicators of malicious RDP activity. The DoS the CVE describes is a volume condition (a large number of requests from a source), which calls for a threshold or rate-based detection rather than a content match.
- The 'mstshash=root' rule carries only Medium confidence per metadata, meaning it may produce false positives in environments where 'root' is a legitimate RDP username.
- The 'mstshash=pos' rule is classified as Informational severity; it may fire on legitimate point-of-sale terminal RDP sessions and should be tuned against known POS infrastructure.
- The companion 'mstshash=admin' rule (sid 2012709) omits the trailing |0d 0a| from its cookie content, so it fires on any cookie that begins with 'admin' (for example 'administrator' or 'admin2'), not only on the literal username 'admin'.
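An added example, not code from this page, from Emerging Threats or from Microsoft: a small Python parser for the X.224 Connection Request that these rules key on, a re-implementation of the four ET rules' content logic (including the 'nocase' modifier and the admin rule's prefix match), and a per-source sliding-window counter of the kind needed for the volume condition the CVE itself describes. The function names, the ET_RULES table and every sample payload are constructed for this example; the PDU layout follows MS-RDPBCGR section 2.2.1.1 (TPKT header, X.224 CR, optional 'Cookie: mstshash=' routing token).

```python
import re
import struct
from collections import deque

# Added example (not from the page or Emerging Threats). Sample payloads below are
# constructed with build_x224_cr(); they are not captured traffic.

# The anchored header pattern shared by the four ET rules:
#   content:"|03 00 00|"; depth:3;                      -> TPKT version 3, reserved 0, length hi byte 0
#   content:"|e0 00 00 00 00 00|"; distance:2; within:6 -> skip length lo byte + X.224 LI, then
#                                                            CR code 0xE0, DST-REF, SRC-REF, class 0
ET_HEADER = re.compile(rb"\A\x03\x00\x00..\xe0\x00\x00\x00\x00\x00", re.DOTALL)
COOKIE = re.compile(rb"Cookie: mstshash=([^\r\n]*)\r\n", re.IGNORECASE)

# sid -> (msg, cookie value, anchored). anchored=True: the rule content ends in |0d 0a|.
# anchored=False (sid 2012709): the rule matches any cookie that merely starts with the value.
ET_RULES = {
    2012709: ("ET REMOTE_ACCESS MS Remote Desktop Administrator Login Request", b"admin", False),
    2012710: ("ET REMOTE_ACCESS MS Terminal Server Root login", b"root", True),
    2012711: ("ET INFO MS Remote Desktop POS User Login Request", b"pos", True),
    2012712: ("ET INFO MS Remote Desktop Service User Login Request", b"service", True),
}


def build_x224_cr(username=None, tpdu_code=0xE0):
    """Construct a TPKT-framed X.224 Connection Request (MS-RDPBCGR 2.2.1.1) for testing."""
    var = b"" if username is None else b"Cookie: mstshash=" + username.encode() + b"\r\n"
    # TPDU code, DST-REF (2), SRC-REF (2), class option (1), then the variable part
    x224 = bytes([tpdu_code]) + b"\x00\x00" + b"\x00\x00" + b"\x00" + var
    li = len(x224)  # length indicator counts everything after itself
    return b"\x03\x00" + struct.pack(">H", 5 + li) + bytes([li]) + x224


def parse_x224_cr(payload):
    """Return {'length': n, 'cookie': bytes|None} for a well-formed X.224 CR, else None."""
    if len(payload) < 11 or payload[0] != 0x03 or payload[1] != 0x00:
        return None
    length = struct.unpack(">H", payload[2:4])[0]
    li = payload[4]
    # High nibble 0xE = Connection Request; low nibble is the credit field (0 for class 0)
    if length != len(payload) or li != length - 5 or (payload[5] & 0xF0) != 0xE0:
        return None
    m = COOKIE.search(payload[11:])
    return {"length": length, "cookie": m.group(1) if m else None}


def et_sids(payload):
    """Emulate the four ET rules' content matching; return the sids that would fire."""
    if not ET_HEADER.match(payload):
        return []
    fired = []
    for sid, (_msg, value, anchored) in ET_RULES.items():
        needle = b"Cookie: mstshash=" + value + (b"\r\n" if anchored else b"")
        if needle.lower() in payload.lower():  # the rules carry 'nocase'
            fired.append(sid)
    return sorted(fired)


def flag_flooders(events, threshold, window):
    """Per-source sliding-window count of connection requests; return sources over threshold.

    events: (timestamp_seconds, src_ip) tuples in time order (constructed for the example).
    """
    recent, flagged = {}, set()
    for ts, src in events:
        q = recent.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged


SAMPLES = {  # constructed client PDUs
    "root": build_x224_cr("root"),
    "ROOT_upper": build_x224_cr("ROOT"),
    "administrator": build_x224_cr("administrator"),
    "pos": build_x224_cr("pos"),
    "alice": build_x224_cr("alice"),
    "no_cookie": build_x224_cr(None),
    "data_tpdu": build_x224_cr("root", tpdu_code=0xF0),  # not a CR: header precondition fails
}


def run_samples():
    return {name: (parse_x224_cr(p), et_sids(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (parsed, sids) in run_samples().items():
        print(f"{name:14} parsed={parsed} sids={sids}")
    # Constructed burst: 10.0.0.9 opens 30 connections in under 5 s, 10.0.0.7 opens 3 in 4 s
    burst = [(t * 0.15, "10.0.0.9") for t in range(30)] + [(t * 2.0, "10.0.0.7") for t in range(3)]
    print("flooders:", flag_flooders(sorted(burst), threshold=20, window=10))
```

The 'administrator' sample is the one to note: the parser reports the full cookie, but only sid 2012709 fires, because that rule's content has no trailing |0d 0a|; the 'ROOT' sample fires sid 2012710 because of 'nocase'. The flooder threshold and window are placeholders to tune against your own baseline of connection rates.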
Suricata · ET REMOTE_ACCESS MS Terminal Server Root login (sid 2012710) · created 2011-04-22
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET REMOTE_ACCESS MS Terminal Server Root login"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=root|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012710; rev:2; metadata:created_at 2011_04_22, cve CVE_2001_0540, former_category INFO, confidence Medium, signature_severity Unknown, updated_at 2024_06_27;)
Suricata · ET INFO MS Remote Desktop POS User Login Request (sid 2012711) · created 2011-04-22
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET INFO MS Remote Desktop POS User Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=pos|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012711; rev:2; metadata:created_at 2011_04_22, cve CVE_2001_0540, confidence High, signature_severity Informational, updated_at 2024_03_06;)
Suricata · ET REMOTE_ACCESS MS Remote Desktop Administrator Login Request (sid 2012709) · created 2011-04-22
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET REMOTE_ACCESS MS Remote Desktop Administrator Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=admin"; distance:0; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012709; rev:6; metadata:created_at 2011_04_22, former_category INFO, confidence Medium, signature_severity Unknown, updated_at 2024_06_27;)
Suricata · ET INFO MS Remote Desktop Service User Login Request (sid 2012712) · created 2011-04-22
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET INFO MS Remote Desktop Service User Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=service|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012712; rev:2; metadata:created_at 2011_04_22, confidence High, signature_severity Informational, updated_at 2024_03_06;)
No public exploits indexed.
No writeups or analysis indexed.
References:
http://www.securityfocus.com/bid/3099
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-040
https://exchange.xforce.ibmcloud.com/vulnerabilities/6912