Research Archives > Security Advisories > AD20060509b
Microsoft Distributed Transaction Coordinator Denial of Service
5/9/2006 12:00:00 AM
10/11/2005 12:00:00 AM
Windows NT 4.0
Windows 2000 SP4
Windows XP SP1/SP2
Windows Server 2003
In July 2005, eEye Digital Security notified Microsoft of a critical vulnerability in the Distributed Transaction Coordinator service included with Windows, a report which culminated in the release of the MS05-051 hotfix on October 11th. Following its release, we observed that the hotfix only mitigated the vulnerability, reducing its maximum potential to a denial-of-service attack against the MSDTC service but failing to treat the underlying flaw, and we again reported the finding to Microsoft.
In short, an anonymous attacker can slightly modify an existing MSDTC exploit and use it to crash the service, regardless of whether or not the MS05-051 hotfix is installed.
This vulnerability has been assigned CVE-2006-1184
The MSDTC RPC vulnerability publicly addressed by MS05-051 took advantage of an unusual memory manager implementation in the MIDL_user_allocate function of MSDTCPRX.DLL, which would accept any allocation size but would only allocate at most 4KB of memory. RPCRT4 would then attempt to store management data at (memory address + requested size), effectively allowing arbitrary memory to be modified, because any arbitrarily large allocation attempt would succeed while only reserving at most 4KB.
The MS05-051 hotfix added an upper limit to the allocation size, 0xFA8 on Windows Server 2003 and 0xFB0 on Windows 2000. This check is insufficient to prevent attempts to access memory beyond the allocated 4KB, and in fact, on Windows 2000, MSDTC in its default state may be made to crash with a single BuildContextW request where 'UuidString' or 'GuidIn' has a maximum character count of 0x7D0.
Retina Network Security Scanner has been updated to identify this vulnerability. Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.
Microsoft has released a patch for this vulnerability, http://www.microsoft.com/technet/security/Bulletin/MS06-018.mspx.
The next one.
Copyright ©1998-2011 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.