CVE-2012-0002
published 2012-03-13


Priority: P278 (critical)
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public proof-of-concept available
EPSS: 73.92% (99.4th percentile)
The Remote Desktop Protocol (RDP) implementation in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly process packets in memory, which allows remote attackers to execute arbitrary code by sending crafted RDP packets triggering access to an object that (1) was not properly initialized or (2) is deleted, aka "Remote Desktop Protocol Vulnerability."

Affected (1 range)

Vendor: microsoft
Product: windows_server_2008
Version range: not given
Fixed in: not given

Detection & IOCs (extracted from sources)

port: 3389
url: http://aluigi.org/poc/termdd_1.dat
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18606.dat
command: nc SERVER 3389 < termdd_1.dat
  • Monitor for crafted T.125 ConnectMCSPDU packets where the maxChannelIds field (at offset 0x2c) is set to a value less than or equal to 5, targeting RDP port 3389.
  • Detect use-after-free exploitation attempts in termdd.sys: watch for invalid memory pointer returns from termdd!IcaGetPreviousSdLink leading to access violations in termdd!IcaBufferAlloc.
  • The Metasploit auxiliary scanner module ms12_020_check.rb can be used to non-destructively check hosts for MS12-020 / CVE-2012-0002 exposure.
  • The Metasploit DoS module ms12_020_maxchannelids.rb triggers the vulnerability via the maxChannelIDs field in the T.125 ConnectMCSPDU packet, resulting in an invalid pointer dereference.
  • On post-Vista Windows versions (Windows 7 and Server 2008), the vulnerability may require 'Allow connections from computers running any version of Remote Desktop' to be enabled, though this may be a limitation of the specific proof-of-concept rather than of the vulnerability itself.
  • The proof-of-concept uses BER integer values set at 32-bit big endian and may need to be resent multiple times to trigger the condition; it is not optimized.