CVE-2005-1979
Published 2005-10-12
Priority P4 28 · Severity medium · CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
EXPLOIT · EPSS 36.28% (98.3rd percentile)
Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
bytes (RPC bind):
05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00 00 00 00 00 01 00 e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da 01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
bytes (RPC request, peer0_1):
05 00 00 83 10 00 00 00 2c 05 00 00 01 00 00 00 04 05 00 00 00 00 07 00 e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da
- →The two byte patterns above are DCE/RPC connection-oriented PDUs addressed to the MSDTC RPC interface, not TIP traffic. The first is a BIND (ptype 0x0b, flags 0x03 first+last, fragment length 0x48 = 72 bytes) whose abstract syntax is the MSDTC interface UUID 906b0ce0-c70b-1067-b317-00dd010662da (e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da on the wire, little-endian fields). The two 0x16d0 words that follow the 16-byte common header are the max transmit and max receive fragment sizes (5840 bytes), not a port. MSDTC's RPC endpoint is allocated dynamically and resolved through the endpoint mapper on TCP 135; TIP is a separate line-oriented protocol on TCP 3372. This RPC path is the one covered by the same bulletin's RCE (MS05-051; the Exploit-DB entry indexed below under CVE-2005-2119), while CVE-2005-1979 itself is the TIP denial of service. Monitor for bind requests carrying this UUID from hosts that have no business talking to MSDTC, and for inbound connections to TCP 3372 on hosts where TIP is enabled.
- →The payload labelled peer0_1 is a REQUEST PDU (ptype 0x00, flags 0x83, i.e. first+last with an object UUID present) for opnum 7 on the same interface, fragment length 0x052c = 1324 bytes, of which the dump above shows only the first 40. The stub data that follows carries a long run of 0xCC (x86 INT3) bytes; alert on MSDTC-bound requests whose body contains such a run.
- →The TIP-based DoS sequence sends the TIP commands IDENTIFY, PUSH, PREPARE and RECONNECT, in that order, on one TCP connection. Alert on TIP sessions that issue RECONNECT after PREPARE; that sequence matches the "unexpected protocol command during the reconnection request" in the CVE description.
- →This vulnerability is remotely exploitable in the default configuration of Windows 2000. On Windows XP and Server 2003, TIP must be explicitly enabled. Prioritize detection on Windows 2000 hosts with MSDTC exposed to the network.
- ·TIP support must be enabled on the target for the vulnerability to be reachable. On Windows XP and Windows Server 2003, TIP is disabled by default, so the attack surface exists only where it has been turned on by hand.
- ·The author of the RCE exploit (the DTC Remote (2) entry below) reports a low success rate (5 of 10+ test boxes, and expected to be lower in the wild); the reliable outcome of that code is a denial of service (MSDTC service crash), not code execution.
- ·Microsoft reported that installing the MS05-051 update itself caused problems on several systems; consult KB909444 before deploying it in production.
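As an added example (not code from this page or from any of its sources), the following Python parses the two byte patterns above as DCE/RPC connection-oriented PDUs, reports the bound interface UUID, fragment sizes and opnum, and flags a long 0xCC run in a request body. The page's request dump is only the first 40 bytes of a 1324-byte fragment, so the sled check is exercised with a constructed tail; the 64-byte run threshold is an arbitrary illustrative choice.

```python
"""Minimal DCE/RPC (C706) header parser that matches the MSDTC IOCs above.

Added example, not from the page or its sources. Recognises a BIND whose
abstract syntax is the MSDTC interface UUID and a REQUEST carrying that UUID
as object id, and reports long 0xCC runs in request stub data.
"""
import struct
import uuid

MSDTC_IFACE = uuid.UUID("906b0ce0-c70b-1067-b317-00dd010662da")
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
PFC_OBJECT_UUID = 0x80

# Hex dumps exactly as listed in the IOC section above.
IOC_BIND_HEX = ("05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 "
                "00 00 00 00 01 00 00 00 00 00 01 00 e0 0c 6b 90 0b c7 67 10 "
                "b3 17 00 dd 01 06 62 da 01 00 00 00 04 5d 88 8a eb 1c c9 11 "
                "9f e8 08 00 2b 10 48 60 02 00 00 00")
IOC_REQUEST_HEX = ("05 00 00 83 10 00 00 00 2c 05 00 00 01 00 00 00 04 05 00 00 "
                   "00 00 07 00 e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da")


def from_hex(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


def parse_pdu(pdu: bytes) -> dict:
    """Parse the 16-byte common header plus BIND / REQUEST specifics."""
    if len(pdu) < 16 or pdu[0] != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    ptype, flags = pdu[2], pdu[3]
    # Data representation: high nibble of byte 4 is 1 for little-endian ints.
    endian = "<" if pdu[4] & 0x10 else ">"
    frag_len, auth_len, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    info = {"ptype": ptype, "flags": flags, "frag_len": frag_len,
            "auth_len": auth_len, "call_id": call_id}
    if ptype == PTYPE_BIND:
        # max_xmit_frag, max_recv_frag, assoc_group_id, then the context list
        max_xmit, max_recv, assoc = struct.unpack(endian + "HHI", pdu[16:24])
        n_ctx = pdu[24]                       # 3 reserved bytes follow
        ctx_id, n_ts = struct.unpack(endian + "HB", pdu[28:31])
        info.update(max_xmit_frag=max_xmit, max_recv_frag=max_recv,
                    assoc_group=assoc, n_contexts=n_ctx, context_id=ctx_id,
                    interface=uuid.UUID(bytes_le=pdu[32:48]),
                    iface_version=struct.unpack(endian + "I", pdu[48:52])[0])
    elif ptype == PTYPE_REQUEST:
        alloc_hint, ctx_id, opnum = struct.unpack(endian + "IHH", pdu[16:24])
        info.update(alloc_hint=alloc_hint, context_id=ctx_id, opnum=opnum)
        body = 24
        if flags & PFC_OBJECT_UUID:           # 16-byte object UUID present
            info["object"] = uuid.UUID(bytes_le=pdu[24:40])
            body = 40
        info["stub"] = pdu[body:]
    return info


def longest_run(data: bytes, byte: int = 0xCC) -> int:
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


def classify(pdu: bytes, sled_min: int = 64) -> list:
    """Return the IOC labels a PDU matches (empty list means none)."""
    hits = []
    info = parse_pdu(pdu)
    if info["ptype"] == PTYPE_BIND and info.get("interface") == MSDTC_IFACE:
        hits.append("msdtc-bind")
    if info["ptype"] == PTYPE_REQUEST:
        if info.get("object") == MSDTC_IFACE:
            hits.append("msdtc-request-opnum-%d" % info["opnum"])
        if longest_run(info["stub"]) >= sled_min:
            hits.append("cc-sled")
    return hits


if __name__ == "__main__":
    b = parse_pdu(from_hex(IOC_BIND_HEX))
    print("bind to %s v%d, max frag %d/%d" % (b["interface"], b["iface_version"],
                                              b["max_xmit_frag"], b["max_recv_frag"]))
    print(classify(from_hex(IOC_BIND_HEX)))
    # Constructed tail: the page shows only the request header, so append an
    # artificial 0xCC run to exercise the sled check.
    print(classify(from_hex(IOC_REQUEST_HEX) + b"\xcc" * 200))
```

Running the block prints the decoded bind (interface 906b0ce0-c70b-1067-b317-00dd010662da, version 1, fragment sizes 5840/5840) and the labels `['msdtc-bind']` and `['msdtc-request-opnum-7', 'cc-sled']`; the parser only handles single-fragment PDUs and ignores authentication trailers, which is enough for matching these patterns but not for a general RPC decoder.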
No detection rules found.
Exploit-DB: Microsoft Windows - DTC Remote (MS05-051) (2)
exploitdb · 2005-12-01 · indexed under CVE-2005-2119
---
/*
Hard to exploit, isn't it? I have tested it on 10+ boxes; most of them allocated 0x9X0058 for
me. However, I cannot write the pointer to 0x7ffdf020, since the length I can control has to be
exactly divisible by 8 (merde), so I chose 0x684191c4.
The following program is mostly like a D.O.S. 10+ black boxes were tested, only 5 were owned,
and I think the success rate should be much lower in real circumstances.
I mark it as a POC and wish someone (no hat) could supply us with a much better exploit. It is
said that this fault could be steered clear of and another segfault is consequently triggered,
so...
Any mails are welcome but spam; I need NO viagra. I am single.
Greetz:
All SST guys, I love your bald heads that never hatted.
Shuo Yang
Exploit-DB: Microsoft Windows XP/2000/2003 - MSDTC TIP Denial of Service (MS05-051)
exploitdb · 2005-10-11 · CVE-2005-1979
---
source: https://www.securityfocus.com/bid/15058/info
The Microsoft Windows MSDTC (Microsoft Distributed Transaction Coordinator) service is prone to a denial of service vulnerability.
The vulnerability exists in the TIP (Transaction Internet Protocol) functionality that is provided by MSDTC. This vulnerability may be exploited by a remote attacker to deny the availability of services that depend on MSDTC.
This issue only exists on operating systems that have support for the TIP protocol enabled. This vulnerability is remotely exploitable on default configurations on Windows 2000. TIP is not enabled by default on Windows XP and Windows Server 2003 even if the MSDTC service is running.
Update: Microsoft report
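An added example, not from the SecurityFocus text or from Microsoft: a small state tracker over the TIP command lines of one connection that flags a command arriving in a state where the secondary (the MSDTC side) should not expect it, in particular RECONNECT after PREPARE, which is the sequence the IOC notes above describe. The allowed-transition table is this example's simplified reading of the RFC 2371 state machine rather than a copy of it, the two sessions are constructed, and since only the command word of each line is inspected, the argument formats in the samples are illustrative.

```python
"""Per-connection TIP (RFC 2371) command-sequence tracker.

Added example, not from the page or its sources. Feeds the primary side's
command lines through a simplified state machine and records commands that
are not expected in the current state.
"""
from dataclasses import dataclass, field

# state -> commands the secondary should accept in that state
# (simplified reading of RFC 2371; an assumption of this example)
ALLOWED = {
    "initial": {"IDENTIFY"},
    "idle": {"PUSH", "BEGIN", "QUERY", "RECONNECT", "MULTIPLEX", "TLS"},
    "enlisted": {"PREPARE", "COMMIT", "ABORT"},
    "prepared": {"COMMIT", "ABORT"},
}
# state reached after an accepted command
NEXT = {"IDENTIFY": "idle", "PUSH": "enlisted", "BEGIN": "enlisted",
        "RECONNECT": "enlisted", "PREPARE": "prepared",
        "COMMIT": "idle", "ABORT": "idle", "QUERY": "idle"}


@dataclass
class TipSession:
    peer: str
    state: str = "initial"
    history: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def feed(self, line: str) -> bool:
        """Consume one command line; return False if it was unexpected."""
        cmd = line.strip().split(" ", 1)[0].upper()
        if not cmd:
            return True                     # blank line, e.g. trailing CRLF
        if cmd not in ALLOWED[self.state]:
            last = self.history[-1] if self.history else "<none>"
            self.alerts.append("%s: unexpected %s in state %s (after %s)"
                               % (self.peer, cmd, self.state, last))
            self.history.append(cmd)
            return False                    # state left unchanged
        self.history.append(cmd)
        self.state = NEXT.get(cmd, self.state)
        return True


def scan(peer: str, raw: bytes) -> list:
    """Run one connection's primary-side bytes through the tracker."""
    session = TipSession(peer)
    for line in raw.decode("ascii", "replace").split("\r\n"):
        session.feed(line)
    return session.alerts


# Constructed sample sessions (argument formats illustrative only).
CONSTRUCTED_SESSION = (b"IDENTIFY 3.0 3.0 tip://attacker.test/\r\n"
                       b"PUSH 12345\r\n"
                       b"PREPARE\r\n"
                       b"RECONNECT 12345\r\n")
BENIGN_SESSION = (b"IDENTIFY 3.0 3.0 tip://tm.example/\r\n"
                  b"PUSH 777\r\n"
                  b"PREPARE\r\n"
                  b"COMMIT\r\n")

if __name__ == "__main__":
    for peer, data in (("10.0.0.9", CONSTRUCTED_SESSION),
                       ("10.0.0.10", BENIGN_SESSION)):
        print(peer, scan(peer, data) or "no alerts")
```

The tracker keeps the state unchanged after an unexpected command so that anything following it is judged against the same state; a production version would key sessions by the TCP 4-tuple and also handle the secondary's responses (IDENTIFIED, PUSHED, PREPARED and so on), which this example ignores.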
No writeups or analysis indexed.
http://secunia.com/advisories/17161
http://secunia.com/advisories/17172
http://secunia.com/advisories/17223
http://secunia.com/advisories/17509
http://securitytracker.com/id?1015037
http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
http://www.idefense.com/application/poi/display?id=320&type=vulnerabilities
http://www.securityfocus.com/bid/15058
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-051
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1134
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1283
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1338
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1513
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1550
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A686