Microsoft Distributed Transaction Coordinator Heap Overflow

Release Date:
May 9, 2006

Date Reported:
October 11, 2005

Patch Development Time (In Days):
210

Severity:
High (Remote Code Execution)

Systems Affected:
Windows NT 4.0
Windows 2000 SP2 and SP3

Overview:
eEye Digital Security has discovered a second vulnerability in the Microsoft Distributed Transaction Coordinator that could allow an attacker to take complete control over a vulnerable system to which he has network or local access. The vulnerable MSDTC component is an RPC server which is network accessible by default on Windows NT 4.0 Server and Windows 2000 Server systems, over a dynamic high TCP port.

This vulnerability is separate from the "Microsoft Distributed Transaction Coordinator Memory Modification Vulnerability" issue we published in October 2005, most significantly in that this second vulnerability affects NT 4.0 whereas the previous one did not. The patch released with Microsoft Security Bulletin MS05-051 resolved both vulnerabilities, although this patch was not previously released for NT 4.0 or Windows 2000 SP2 or SP3. Windows 2000 SP4 and Windows XP systems without the MS05-051 hotfix installed are affected as well; Windows Server 2003 systems are immune.

Technical Details:
MSDTCPRX.DLL functions as an RPC server inside the MSDTC.EXE process, with a dynamic TCP port as its RPC endpoint and {906B0CE0-C70B-1067-B317-00DD010662DA} v1.0 as the sole interface it provides. The function CRpcIoManagerServer::BuildContext, as called from BuildContextW (opnum 7) on Windows 2000 and Windows XP, and BuildContext (opnum 1) on Windows NT 4.0, contains a heap overflow vulnerability due to a lack of input validation. Specifically, it attempts to overwrite its "pszGuidOut" argument, which corresponds to the fifth string argument passed into BuildContext / BuildContextW, with a null GUID string. Because the length of the destination string is not checked prior to the string copy, the heap block containing the RPC stub data can be overflowed, potentially corrupting the adjacent heap block.

The vulnerable copy operation is an intrinsic "strcpy(arg_10, pszNULL_GUID)" on NT 4.0, and a "wcscpy(arg_28, pwszNULL_GUID)" call on Windows 2000. Although the overwrite data itself is not controllable, the amount of spillover is, and therefore a carefully engineered overwrite is able to mutilate the adjacent heap block in an exploitable way.
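The defect described above is a fixed-length source string copied into a caller-sized destination without consulting the destination's size. The following C program is an added illustration written for this page, not MSDTC's code or eEye's proof of concept: it models the unchecked pattern next to a hardened variant that requires the buffer length and rejects undersized requests, and it computes how far an unchecked copy of the null-GUID string would spill for a given buffer size (both the narrow strcpy case and the 16-bit-WCHAR wcscpy case). The function names, the explicit length parameter, and the sample buffer sizes are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The fixed string the server writes back into pszGuidOut. Its length is a
 * constant the caller never influences; only the destination size varies. */
static const char NULL_GUID_STR[] = "{00000000-0000-0000-0000-000000000000}";

/* Win32 WCHAR is a 16-bit UTF-16 code unit (assumption stated for the wide case). */
#define WCHAR_BYTES 2

/* Vulnerable pattern, modelled on the advisory's description (hypothetical name):
 * the destination length is never checked, so a caller that supplied a
 * buffer shorter than sizeof NULL_GUID_STR gets adjacent heap memory overwritten. */
static void build_context_unchecked(char *pszGuidOut)
{
    strcpy(pszGuidOut, NULL_GUID_STR);
}

/* Hardened form (hypothetical name): the caller's buffer size is part of the
 * contract and the copy is refused when it cannot hold the full string. */
static int build_context_checked(char *pszGuidOut, size_t cbGuidOut)
{
    if (pszGuidOut == NULL || cbGuidOut < sizeof NULL_GUID_STR)
        return -1;                      /* reject rather than overflow */
    memcpy(pszGuidOut, NULL_GUID_STR, sizeof NULL_GUID_STR);
    return 0;
}

/* Bytes the copy needs, including the terminator: 39 narrow, 78 wide. */
static size_t required_bytes(int wide)
{
    return sizeof NULL_GUID_STR * (wide ? WCHAR_BYTES : 1);
}

/* Bytes an unchecked copy would write past a destination of cbGuidOut bytes. */
static size_t overflow_bytes(size_t cbGuidOut, int wide)
{
    size_t need = required_bytes(wide);
    return cbGuidOut >= need ? 0 : need - cbGuidOut;
}

/* Exercise the hardened copy with a heap buffer of the given size.
 * Returns 0 when the copy succeeded and produced the expected string,
 * -1 when the request was rejected as too small. */
static int try_checked_copy(size_t cbGuidOut)
{
    char *buf = malloc(cbGuidOut ? cbGuidOut : 1);
    if (buf == NULL)
        return -1;
    int rc = build_context_checked(buf, cbGuidOut);
    if (rc == 0 && strcmp(buf, NULL_GUID_STR) != 0)
        rc = -1;                        /* should never happen */
    free(buf);
    return rc;
}

int main(void)
{
    /* Constructed sample buffer sizes a caller might supply. */
    size_t sizes[] = { 8, 38, 39, 64 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("dest %3zu bytes: narrow spill %2zu, wide spill %2zu, checked copy %s\n",
               sizes[i], overflow_bytes(sizes[i], 0), overflow_bytes(sizes[i], 1),
               try_checked_copy(sizes[i]) == 0 ? "ok" : "rejected");
    }
    /* The unchecked path is only ever called here with an adequate buffer. */
    char safe[64];
    build_context_unchecked(safe);
    printf("unchecked copy into 64-byte buffer: %s\n", safe);
    return 0;
}
```

The point of `required_bytes` is that the spill size, not the spill content, is what the caller controls: a 38-byte narrow buffer is overrun by exactly one byte (the terminator), while a buffer of the same size on the wide path is overrun by 40 bytes. The hardened form turns every such case into a rejected request.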

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability. Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability, but it is only available to customers who have entered into a custom support agreement with Microsoft. For more information, please visit: http://www.microsoft.com/ntserver/ProductInfo/Availability/faq.asp#8

Credit:
Derek Soeder

Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial