A vulnerability in Windows 2000 Server Terminal Services can permit a malicious user to force a reboot of the terminal server.
The discoverer posted the following scenario as proof of concept:
1. Open %systemroot%\system32\msgina.dll for exclusive access (read lock). I used Radsoft's hexview.exe from Rix2K to do so.
2. Open a new connection to the server through RDP/ICA.
3. Click Restart in the warning dialog box ("msgina.dll failed to load") that appears.
Tested on Windows 2000 Server Service Pack 2 (SP2) with Microsoft Internet Explorer (IE) 5.5 and Windows 2000 Server SP3 with IE 5.5.
Microsoft hasn't released a fix or a response. The discoverer posted a workaround for Windows 2000 that suggests removing all permissions on msgina.dll for Power Users, Users, and Everyone.
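One way to confirm that the workaround above has been applied on a server, as an added example that is not part of the original advisory: the Python below parses the text output of `cacls` for msgina.dll and reports which of Power Users, Users, and Everyone still hold an allow entry. The sample outputs, the `C:\WINNT` path, and the function names are constructed for illustration.

```python
# Principals the posted workaround removes from msgina.dll (short names).
WORKAROUND_PRINCIPALS = {"power users", "users", "everyone"}

# Constructed sample path and cacls outputs (before and after the workaround).
PATH = r"C:\WINNT\system32\msgina.dll"
BEFORE = r"""
C:\WINNT\system32\msgina.dll BUILTIN\Users:R
                             BUILTIN\Power Users:R
                             BUILTIN\Administrators:F
                             NT AUTHORITY\SYSTEM:F
                             Everyone:R
"""
AFTER = r"""
C:\WINNT\system32\msgina.dll BUILTIN\Administrators:F
                             NT AUTHORITY\SYSTEM:F
"""


def parse_cacls(output, path):
    """Parse `cacls <path>` text output into (account, rights) pairs."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        # The first line carries the file path in front of the first entry.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        account, sep, rights = line.partition(":")
        if not sep:
            continue  # blank line, or continuation of a special-access entry
        aces.append((account.strip(), rights.strip()))
    return aces


def still_granted(output, path):
    """Return the workaround principals that still hold an allow entry."""
    found = set()
    for account, rights in parse_cacls(output, path):
        short = account.rsplit("\\", 1)[-1].lower()  # drop BUILTIN\ etc.
        if short in WORKAROUND_PRINCIPALS and rights != "N":  # N = no access
            found.add(short)
    return sorted(found)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        left = still_granted(text, PATH)
        print(label, "->", ", ".join(left) if left else "workaround applied")
```

An empty result means none of the three groups named in the workaround retains an entry on the file.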
Discovered by Jonathan Hunter.