Microsoft Windows XP Remote Desktop malformed PDU Confirm Active packet denial of service

winxp-remote-desktop-dos (10120). The risk level is classified as Medium Risk.


Microsoft Windows XP Professional and Windows .NET Standard Server Beta 3 are vulnerable to a denial of service attack caused by improper handling of certain malformed Remote Desktop Protocol (RDP) packets. If a remote attacker sends a malformed Protocol Data Unit (PDU) Confirm Active packet to a vulnerable system when initiating a Remote Desktop session, the attacker could cause the system to reboot. The attacker does not need valid login credentials to exploit this vulnerability, because the problem occurs while the login screen is being rendered.


Denial of Service


Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS02-051. See References.


  • BugTraq Mailing List, Mon Sep 16 2002 - 03:50:45 CDT: Microsoft Windows XP Remote Desktop denial of service vulnerability.
  • Microsoft Security Bulletin MS02-051: Cryptographic Flaw in RDP Protocol can Lead to Information Disclosure (Q324380).
  • BID-5713: Microsoft Windows XP Professional Remote Desktop Denial Of Service Vulnerability
  • CVE-2002-0864: The Remote Data Protocol (RDP) version 5.1 in Microsoft Windows XP allows remote attackers to cause a denial of service (crash) when Remote Desktop is enabled via a PDU Confirm Active data packet that does not set the Pattern BLT command, aka Denial of Service in Remote Desktop.
  • OSVDB ID: 13421: Microsoft Windows XP RDP Malformed PDU Confirm Active Packet DoS

Platforms Affected:

  • Microsoft .NET Windows Server beta3 Standard
  • Microsoft Windows XP


Sep 16, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions, please email xforce@us.ibm.com
