OSVDB ID: 18828

Title: Microsoft Windows Distributed Transaction Coordinator (DTC) Memory Modification Remote Code Execution

Info

Disclosure

Oct 11, 2005

Discovery

Unknown

Dates

Exploit

Nov 25, 2005

Solution

Oct 11, 2005

Description

Microsoft Windows contains a flaw that may allow a remote attacker to gain privileges. The issue is due to the MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocating a 4K page of memory regardless of the required size, which allows an attacker to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer.

Classification

Location: Remote / Network Access
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: Vendor Verified

Solution

Products

Unknown or Incomplete

References

Security Tracker: 1015037
Milw0rm: 1341
Exploit Database: 1341
Secunia Advisory ID: 17161 17172 17223 17509
CVE ID: 2005-2119 (see also: NVD)
Keyword: 2005006318 EEYEB-20050708
Microsoft Knowledge Base Article: 902400
Mail List Post: http://archives.neohapsis.com:80/archives/vulnwatch/2005-q4/0010.html
Other Advisory URL: http://research.eeye.com/html/advisories/published/AD20051011b.html
http://www.eeye.com/html/research/advisories/AD20051011b.html [ Link is 404 ]
Vendor Specific Advisory URL: http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=361442&RenditionID=
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=366956&RenditionID=
Vendor URL: http://www.microsoft.com/
Generic Exploit URL: http://www.securiteam.com/exploits/6D00N2KEKW.html
News Article: http://www.smh.com.au/news/breaking/more-attack-code-released-for-windows-flaws/2005/11/29/1133026443579.html
Microsoft Security Bulletin: MS05-051

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/18828