OSVDB ID: 25335

Title: Microsoft Windows Distributed Transaction Coordinator (DTC) CRpcIoManagerServer::BuildContext Function Remote Overflow

Dates

Disclosure: May 09, 2006
Discovery: Oct 11, 2005
Exploit: Unknown
Solution: May 09, 2006

Description

Windows systems for which the MS05-051 patch was not released (NT4 and W2K SP2 and SP3) were found to be vulnerable to a remotely exploitable SYSTEM-level compromise through the same DTC RPC service as previously described. The compromise is accomplished via a complex heap overflow through the 5th argument to BuildContext or BuildContextW, depending on the OS version. The service is enabled by default, so the issue is classed as critical.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Solution: Patch / RCS
Disclosure: OSVDB Verified, Vendor Verified

Solution

Since these platforms are no longer officially supported by Microsoft (except for those with Legacy Support contracts), there is no publicly available fix for these issues.

Products

Microsoft Corporation Windows:

  • 2000 SP3
  • 2000 SP2
  • NT 4.0

References

Credit

  • Derek Soeder - dsoeder@eeye.com - eEye Digital Security
  • Kai Zhang - VenusTech


Direct URL: http://osvdb.org/25335