The Distributed Transaction Controller provides a method for disparate processes to complete atomic transactions. The Transaction Internet Protocol (TIP) is one of the ways that the DTC service can be accessed. This service is part of a standard installation on Windows NT 4.0, Windows 2000, Windows XP and Windows 2003.
Remote exploitation of a denial of service vulnerability within various versions of Microsoft Corp.'s Windows operating system allows attackers to cause the msdtc.exe process to crash.
Credit:
The information has been provided by iDEFENSE Labs Security Advisories.
The original article can be found at: http://www.idefense.com/application/poi/display?id=320&type=vulnerabilities
Vulnerable Systems:
* Microsoft Windows 2000 SP4
The vulnerability specifically exists because of a flaw in processing responses from foreign servers. The DoS can be triggered by sending a command sequence that causes the DTC service to connect back to a hostile server. If the hostile server sends an unexpected protocol command during the reconnection request, the DTC service will throw an exception and exit. This attack can be used to kill the DTC service and prevent other applications from using the service to process transactions.
The following commands can be sent over TCP port 3372 to force the DTC service to connect to an arbitrary host and process commands:
IDENTIFY 3 3 DST_IP:DST_PORT/ANYID -
PUSH SOMESTRING
PREPARE
RECONNECT
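An added detection example, not part of the iDEFENSE advisory: it reads the client-side lines of one captured TCP port 3372 session and flags the command order listed above when the address in IDENTIFY falls outside an allow-list of known transaction manager networks. The function names, the trusted-network list and the sample sessions are assumptions constructed for illustration.

```python
import ipaddress

# Order of client commands the advisory lists for the msdtc.exe DoS.
SEQUENCE = ("IDENTIFY", "PUSH", "PREPARE", "RECONNECT")

def parse_identify_target(line):
    """Return (host, port) from 'IDENTIFY lo hi HOST:PORT/ID -', else None."""
    parts = line.split()
    if len(parts) < 4 or parts[0].upper() != "IDENTIFY":
        return None
    hostport = parts[3].split("/", 1)[0]
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host, int(port)

def flag_session(lines, trusted_nets):
    """Flag a session that walks the listed sequence toward an untrusted peer."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    target, step = None, 0
    for line in lines:
        words = line.split()
        verb = words[0].upper() if words else ""
        if verb == "IDENTIFY":
            # A new IDENTIFY restarts tracking with the address it names.
            target, step = parse_identify_target(line), 1
        elif step and step < len(SEQUENCE) and verb == SEQUENCE[step]:
            step += 1
    if step < len(SEQUENCE) or target is None:
        return None
    try:
        addr = ipaddress.ip_address(target[0])
        trusted = any(addr in n for n in nets)
    except ValueError:
        trusted = False  # hostname instead of an IP literal: treat as untrusted
    return None if trusted else {"peer": target[0], "port": target[1]}

# Constructed sample sessions (documentation address ranges, not real traffic).
TRUSTED = ["10.0.0.0/8"]  # assumed internal transaction manager network
SUSPECT = ["IDENTIFY 3 3 203.0.113.7:4000/x -", "PUSH abc", "PREPARE", "RECONNECT"]
BENIGN = ["IDENTIFY 3 3 10.0.5.20:3372/tm1 -", "PUSH abc", "PREPARE", "RECONNECT"]

if __name__ == "__main__":
    print(flag_session(SUSPECT, TRUSTED))
    print(flag_session(BENIGN, TRUSTED))
```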
Analysis:
Successful exploitation of this vulnerability will cause applications requiring the MSDTC service to fail. One such service is Microsoft SQL Server. Any other applications that rely on clustering to be functional will also fail. This service should not be exposed to public networks, thus mitigating the risk of this vulnerability.
Vendor response:
The vendor security advisory and appropriate patches are available at: http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx
CVE Information:
CAN-2005-1979
Disclosure Timeline:
03/23/2005 Initial vendor notification
03/23/2005 Initial vendor response
10/11/2005 Coordinated public disclosure