MSDTC message buffer overflow

msdtc-message-bo (22467) The risk level is classified as HighHigh Risk

Description:

The Microsoft Distributed Transaction Service Coordinator (MSDTC) could allow a remote attacker to execute arbitrary code on the system, caused by a buffer overflow in the MSDTC. On Windows 2000, a remote attacker could send a specially-crafted network message and execute arbitrary code on the system. On Windows XP SP1 and Windows Server 2003, a local attacker could run a program followed by a specially-crafted application to gain elevated privileges and execute arbitrary code on the system.

Note: On Windows XP SP1, the vulnerability can be exploited remotely if the MSDTC is started. On Windows Server 2003, if support for Network DTC Access has been enabled, the vulnerability can be exploited remotely.


Consequences:

Gain Access

Remedy:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-051. See References.

For Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-018. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS05-051, which was superseded by the patch released with MS06-018.

For CallPilot:
Apply the fix as listed in Security Advisory P-2005-0056-Global, available from the Nortel Networks Web site. See References. A login account is required for access.

References:

  • Internet Security Systems Protection Alert October 11, 2005: Multiple Microsoft Vulnerabilities - October 2005.
  • Microsoft Security Bulletin MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400).
  • Microsoft Security Bulletin MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580).
  • Security Advisory P-2005-0056-Global: Nortel Networks: Log In Required.
  • BID-15056: Microsoft Windows MSDTC Memory Corruption Vulnerability
  • CVE-2005-2119: The MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer.
  • OSVDB ID: 18828: Microsoft Windows Distributed Transaction Coordinator (DTC) Memory Modification Remote Code Execution
  • SA17161: Microsoft Windows MSDTC and COM+ Vulnerabilities
  • SA17172: Avaya Various Products Multiple Vulnerabilities
  • SA17223: Nortel Centrex IP Client Manager Multiple Vulnerabilities
  • SA17509: Nortel CallPilot Multiple Vulnerabilities
  • SECTRACK ID: 1015037: Microsoft Windows Buffer Overflows in MSDTC and COM+ Let Remote Users Execute Arbitrary Code and Local User Gain Elevated Privileges
  • US-CERT VU#180868: Microsoft Distributed Transaction Coordinator vulnerable to buffer overflow via specially crafted network message

Platforms Affected:

  • Microsoft Windows 2000 SP4
  • Microsoft Windows 2003
  • Microsoft Windows 2003 Server Itanium
  • Microsoft Windows 2003 Server SP1 Itanium
  • Microsoft Windows XP SP1
  • Nortel CallPilot

Reported:

Oct 11, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page