[EEYEB20051011B] - Microsoft Distributed Transaction Coordinator Denial of Service



Microsoft Distributed Transaction Coordinator Denial of Service
http://www.eeye.com/html/research/advisories/AD20060509b.html

Release Date:
May 9, 2006

Date Reported:
October 11, 2005

Patch Development Time (In Days):
210   

Severity:
Low (Denial of Service)

Systems Affected:
Windows NT 4.0
Windows 2000 SP4
Windows XP SP1/SP2
Windows Server 2003

References:
This vulnerability has been assigned CVE-2006-1184

Overview:
In July 2005, eEye Digital Security notified Microsoft of a critical
vulnerability in the Distributed Transaction Coordinator service
included with Windows, a report which culminated in the release of the
MS05-051 hotfix on October 11th. Following its release, we observed that
the hotfix only mitigated the vulnerability, reducing its maximum
potential to a denial-of-service attack against the MSDTC service but
failing to treat the underlying flaw, and we again reported the finding
to Microsoft.

In short, an anonymous attacker can slightly modify an existing MSDTC
exploit and use it to crash the service, regardless of whether or not
the MS05-051 hotfix is installed.

Technical Details:
The MSDTC RPC vulnerability publicly addressed by MS05-051 took
advantage of an unusual memory manager implementation in the
MIDL_user_allocate function of MSDTCPRX.DLL, which would accept any
allocation size but would only allocate at most 4KB of memory. RPCRT4
would then attempt to store management data at (memory address +
requested size), effectively allowing arbitrary memory to be modified,
because any arbitrarily large allocation attempt would succeed while
only reserving at most 4KB.

The MS05-051 hotfix added an upper limit to the allocation size, 0xFA8
on Windows Server 2003 and 0xFB0 on Windows 2000. This check is
insufficient to prevent attempts to access memory beyond the allocated
4KB, and in fact, on Windows 2000, MSDTC in its default state may be
made to crash with a single BuildContextW request where 'UuidString' or
'GuidIn' has a maximum character count of 0x7D0.
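
Added example, not part of the eEye advisory and not code from MSDTCPRX.DLL or RPCRT4: a small C model of the allocator contract described above, comparing the original behaviour, a cap on the requested size alone, and a check that also accounts for the data the caller writes at (address + requested size). The 4KB block and the 0xFA8 cap come from the advisory; TRAILER_BYTES and HEADER_BYTES are hypothetical values chosen for illustration, since the advisory gives neither.

```c
#include <stddef.h>
#include <stdio.h>

#define BLOCK_BYTES   0x1000u /* allocator reserves at most 4KB (advisory) */
#define HOTFIX_CAP    0xFA8u  /* MS05-051 limit quoted for Windows Server 2003 */
#define TRAILER_BYTES 0x40u   /* hypothetical: caller data written at base + requested */
#define HEADER_BYTES  0x20u   /* hypothetical: part of the block kept by the allocator */

typedef enum { POLICY_ORIGINAL, POLICY_SIZE_CAP, POLICY_FULL_CHECK } policy_t;

/* Usable bytes actually reserved for the request, or 0 if the request is refused. */
size_t model_reserve(policy_t p, size_t requested) {
    size_t usable = BLOCK_BYTES - HEADER_BYTES;
    switch (p) {
    case POLICY_ORIGINAL:   /* any size "succeeds" */
        return usable;
    case POLICY_SIZE_CAP:   /* bounds the request, not what follows it */
        return requested <= HOTFIX_CAP ? usable : 0;
    case POLICY_FULL_CHECK: /* request plus trailer must fit the reservation */
        if (requested > usable || TRAILER_BYTES > usable - requested)
            return 0;
        return usable;
    }
    return 0;
}

/* 1: trailer write stays inside the reservation; 0: it lands outside; -1: refused. */
int trailer_write_ok(policy_t p, size_t requested) {
    size_t usable = model_reserve(p, requested);
    if (usable == 0)
        return -1;
    if (requested > usable)
        return 0;
    return TRAILER_BYTES <= usable - requested;
}

int main(void) {
    /* Constructed request sizes: small, at the cap, far beyond the block. */
    const size_t sizes[] = { 0x100, HOTFIX_CAP, 0x100000 };
    const char *names[] = { "original", "size cap", "full check" };
    for (int p = POLICY_ORIGINAL; p <= POLICY_FULL_CHECK; p++)
        for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
            printf("%-10s request=0x%06zx -> %d\n", names[p], sizes[i],
                   trailer_write_ok((policy_t)p, sizes[i]));
    return 0;
}
```

Under these assumed overheads, a request at exactly the cap passes the size-only check but leaves less room than the trailer needs, which is the class of gap a size cap by itself cannot close.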

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability. Blink - Endpoint Vulnerability Prevention - preemptively
protects from this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability,
http://www.microsoft.com/technet/security/Bulletin/MS06-018.mspx.

Credit:
Derek Soeder

Greetings:
The next one.

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@xxxxxxxx for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.