MSDTC message buffer overflow (MSRPC_MSDTC_Message_GUID_BO)

About this signature or vulnerability

Proventia G-Series, Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network Sensor, BlackICE PC Protection, BlackICE Agent for Server, BlackICE Server Protection, Proventia Server for Windows, Proventia M-Series:

This signature looks for a specially-crafted MSRPC MSDTC Request that is used to conduct a buffer overflow.



Default risk level

High

Sensors that have this signature

Proventia G-Series: XPU 24.38, Proventia Desktop: 8.0.812.1770, Proventia Network IPS: XPU 1.77, RealSecure Server Sensor: XPU 24.38, RealSecure Network Sensor: XPU 24.38, BlackICE PC Protection: 3.6cpi, BlackICE Agent for Server: 3.6epi, BlackICE Server Protection: 3.6.cpi, Proventia Server for Windows: 1.0.914.1770, Proventia M-Series: XPU 1.77

Systems affected

Windows 2000: SP4, Windows XP: SP1, Windows Server: 2003, Windows Server 2003: SP1 Itanium, CallPilot: Any Version, Windows Server 2003: Itanium

Type

Unauthorized Access Attempt

Vulnerability description

The Microsoft Distributed Transaction Coordinator (MSDTC) could allow a remote attacker to execute arbitrary code on the system, caused by a buffer overflow in the way MSDTC handles network messages. On Windows 2000, a remote attacker could send a specially-crafted network message and execute arbitrary code on the system. On Windows XP SP1 and Windows Server 2003, MSDTC does not accept network requests in its default configuration, so a local attacker would have to run a program followed by a specially-crafted application to gain elevated privileges and execute arbitrary code on the system.

Note: On Windows XP SP1, the vulnerability can be exploited remotely if the MSDTC service has been started. On Windows Server 2003, the vulnerability can be exploited remotely if support for Network DTC Access has been enabled.
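To show what a network sensor has to decode before it can raise an alert like the one in the detection record below (an MSRPC Request to a dynamic port, Opnum 0x7), here is an added, illustrative decoder for a DCE/RPC connection-oriented Request PDU with a simple string-length heuristic. It is not ISS/X-Force signature code. The header layouts follow the DCE 1.1 RPC protocol; the sample PDUs are constructed in the block itself. The choice of opnum 7 as the watched operation and the "longest count a GUID string needs" threshold are assumptions made for this example, not the vendor's detection logic, and the heuristic ignores which interface the connection was bound to.

```python
"""Illustrative DCE/RPC Request decoder plus a GUID-string length heuristic.

Added example, not ISS/X-Force signature code.  Header layouts follow the
DCE 1.1 RPC connection-oriented protocol; sample PDUs are constructed here.
The opnum-7 test and the length threshold are assumptions chosen to mirror
the fields in the detection record on this page, not the vendor's logic.
"""
import struct
import uuid

DCERPC_REQUEST = 0x00          # ptype value of a Request PDU
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PFC_OBJECT_UUID = 0x80         # an object UUID follows the request header
DREP_LITTLE_ENDIAN = 0x10      # drep[0] bit: little-endian integers
CO_HEADER_LEN = 16             # common connection-oriented header
REQ_HEADER_LEN = 8             # alloc_hint(4) + p_cont_id(2) + opnum(2)
SEC_TRAILER_LEN = 8            # precedes the auth verifier when auth_length > 0

# A GUID in text form "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" is 38 characters;
# NDR string counts include the terminating NUL, so 39 is the largest count a
# well-formed GUID string needs.  Threshold is an assumption for this example.
GUID_STRING_MAX_COUNT = 39


def parse_request(pdu: bytes) -> dict:
    """Decode the common header and Request header of one DCE/RPC CO PDU."""
    if len(pdu) < CO_HEADER_LEN + REQ_HEADER_LEN:
        raise ValueError("PDU shorter than a Request header")
    vers, _vers_minor, ptype, pfc_flags = struct.unpack("<BBBB", pdu[:4])
    if vers != 5 or ptype != DCERPC_REQUEST:
        raise ValueError("not a DCE/RPC v5 Request PDU")
    little = bool(pdu[4] & DREP_LITTLE_ENDIAN)
    e = "<" if little else ">"
    frag_length, auth_length, call_id = struct.unpack(e + "HHI", pdu[8:16])
    if frag_length > len(pdu) or frag_length < CO_HEADER_LEN + REQ_HEADER_LEN:
        raise ValueError("frag_length inconsistent with PDU size")
    off = CO_HEADER_LEN
    alloc_hint, ctx_id, opnum = struct.unpack(e + "IHH", pdu[off:off + REQ_HEADER_LEN])
    off += REQ_HEADER_LEN
    obj = None
    if pfc_flags & PFC_OBJECT_UUID:
        raw = pdu[off:off + 16]
        if len(raw) < 16:
            raise ValueError("truncated object UUID")
        obj = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        off += 16
    end = frag_length
    if auth_length:
        end = frag_length - auth_length - SEC_TRAILER_LEN   # stub stops before sec_trailer
    if end < off:
        raise ValueError("auth trailer overlaps stub data")
    return {"call_id": call_id, "ctx_id": ctx_id, "opnum": opnum, "alloc_hint": alloc_hint,
            "object_uuid": obj, "little_endian": little, "stub": pdu[off:end]}


def first_ndr_string_count(stub: bytes, little: bool):
    """actual_count of the NDR conformant varying string at the start of the stub,
    or None when the 12-byte string header is absent or breaks NDR rules."""
    if len(stub) < 12:
        return None
    e = "<" if little else ">"
    max_count, offset, actual_count = struct.unpack(e + "III", stub[:12])
    if offset != 0 or actual_count > max_count:
        return None
    return actual_count


def flag_oversized_guid_string(pdu: bytes, watch_opnum: int = 7) -> dict:
    """Heuristic: watched opnum whose first string argument is far longer than a GUID."""
    req = parse_request(pdu)
    count = first_ndr_string_count(req["stub"], req["little_endian"])
    hit = req["opnum"] == watch_opnum and count is not None and count > GUID_STRING_MAX_COUNT
    return {"opnum": req["opnum"], "string_count": count, "suspicious": hit}


def build_request(opnum: int, text: str, call_id: int = 1) -> bytes:
    """Construct a little-endian Request PDU whose stub is one NDR conformant
    varying UTF-16LE string (the wire form of an [in, string] wchar_t* argument)."""
    chars = text.encode("utf-16-le") + b"\x00\x00"
    n = len(chars) // 2                              # element count, NUL included
    stub = struct.pack("<III", n, 0, n) + chars      # max_count, offset, actual_count
    stub += b"\x00" * (-len(stub) % 4)               # NDR 4-byte alignment
    body = struct.pack("<IHH", len(stub), 0, opnum) + stub
    header = struct.pack("<BBBB4sHHI", 5, 0, DCERPC_REQUEST, PFC_FIRST_FRAG | PFC_LAST_FRAG,
                         bytes([DREP_LITTLE_ENDIAN, 0, 0, 0]), CO_HEADER_LEN + len(body),
                         0, call_id)
    return header + body


if __name__ == "__main__":
    # Constructed samples: a GUID-sized string, an oversized one, and an
    # oversized one on an opnum the heuristic does not watch.
    samples = {
        "benign": build_request(7, "{00000000-0000-0000-0000-000000000000}"),
        "oversized": build_request(7, "A" * 1024),
        "other_opnum": build_request(2, "A" * 1024),
    }
    for name, pdu in samples.items():
        print(name, flag_oversized_guid_string(pdu))
```

A real signature would also track the bind/bind_ack exchange so that the opnum is interpreted against the interface actually bound on that connection; the parser above is the per-PDU part of that work, and the frag_length and auth_length checks are the ones that stop a crafted header from walking the sensor off the end of the buffer.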

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-051. See References.

For Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-018. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS05-051, which was superseded by the patch released with MS06-018.

For CallPilot:
Apply the fix as listed in Security Advisory P-2005-0056-Global, available from the Nortel Networks Web site. See References. A login account is required for access.


References

Microsoft Security Bulletin MS05-051
Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
http://www.microsoft.com/technet/security/bulletin/ms05-051.mspx  

Internet Security Systems Protection Alert October 11, 2005
Multiple Microsoft Vulnerabilities - October 2005
http://xforce.iss.net/xforce/alerts/id/206  

Security Advisory P-2005-0056-Global
Nortel Networks: Log In Required
http://www.nortel.com/  

Microsoft Security Bulletin MS06-018
Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)
http://www.microsoft.com/technet/security/Bulletin/MS06-018.mspx  

ISS X-Force
MSDTC message buffer overflow
http://www.iss.net/security_center/static/22467.php  

CVE
CVE-2005-2119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2119  



■Detection

Date/Time 2006-06-18 09:07:52 JST
Tag Name MSRPC_MSDTC_Message_GUID_BO
Alert Name MSRPC_MSDTC_Message_GUID_BO
Severity High
Observance Type Intrusion Detection
Combined Event Count 16
Cleared Flag false
Target IP Address 192.168.37.180
Target Object Name 1025
Target Object Type Target Port
Source IP Address 219.147.22.100
Sensor IP Address 10.4.6.100
Sensor Name network_sensor_1
:end-time 2006-06-18T09:07:32+09:00
:intruder-ip-addr 219.147.22.100
:len 16
:Opnum 0x7
:repeat-count 16
:start-time 2006-06-18T09:06:51+09:00
:victim-ip-addr 192.168.37.180
:victim-port 1025
algorithm-id 2118064
IANAProtocolId 6
Packet DestinationAddress 192.168.37.180
Packet DestinationPort 1025
Packet SourceAddress 219.147.22.100