cbcvebase.
CVE-2005-1979
published 2005-10-12

Priority: P428
Severity: medium, 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 36.28% (98.3th percentile)
Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.

Affected

4 ranges
Vendor      Product                 Version range   Fixed in
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server

Detection & IOCs (extracted from sources)

port: 3372
command: IDENTIFY 3 3 DST_IP:DST_PORT/ANYID -
command: PUSH SOMESTRING
command: PREPARE
command: RECONNECT
bytes: 05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00 00 00 00 00 01 00 e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da 01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
bytes: 05 00 00 83 10 00 00 00 2c 05 00 00 01 00 00 00 04 05 00 00 00 00 07 00 e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da
  • The exploit targets the MSDTC TIP (Transaction Internet Protocol) functionality. Monitor for unexpected inbound TCP connections to the MSDTC TIP port (0x16d0 = port 5840 in the RPC bind, or the well-known MSDTC port 3372) containing the RPC bind header byte sequence 05 00 0b 03 followed by the MSDTC interface UUID e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da.
  • The DoS payload (peer0_1) contains a large NOP/INT3 sled of 0xCC bytes. Detect network payloads to MSDTC containing long runs of 0xCC bytes following the RPC request header (05 00 00 83).
  • The TIP-based DoS attack sequence uses the TIP commands IDENTIFY, PUSH, PREPARE, and RECONNECT in sequence over TCP. Alert on TIP sessions that issue a RECONNECT command after PREPARE, as this is the 'unexpected protocol command during the reconnection request' described in the CVE.
  • This vulnerability is remotely exploitable on default configurations on Windows 2000 via TIP. On Windows XP and Server 2003, TIP must be explicitly enabled. Prioritize detection on Windows 2000 hosts with MSDTC exposed to the network.
  • TIP protocol support must be enabled on the target for the vulnerability to be exploitable. On Windows XP and Windows Server 2003, TIP is disabled by default, so the attack surface only exists if TIP has been manually enabled.
  • The exploit author notes a low real-world success rate for the RCE variant (~50% in lab, expected lower in the wild); the primary reliable outcome is denial of service (MSDTC service crash), not code execution.
  • Microsoft reported that installing the MS05-051 patch itself caused problems on several systems. Refer to KB909444 before deploying the patch in production.
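
The TIP command-order check and the two RPC byte matches from the detection notes above, written out as an added Python example (not code from this database or its sources). The function names, the constructed sample streams and the 64-byte 0xCC threshold are assumptions; the input is an already reassembled client-to-server TCP payload.

```python
import re

# Byte patterns quoted in the detection notes on this page.
RPC_BIND_HDR = bytes.fromhex("05000b03")
RPC_REQUEST_HDR = bytes.fromhex("05000083")
MSDTC_UUID = bytes.fromhex("e00c6b900bc76710b31700dd010662da")
CC_RUN = re.compile(rb"\xcc{64,}")  # "long run" threshold of 64 is an assumption

TIP_COMMANDS = {"IDENTIFY", "PUSH", "PREPARE", "RECONNECT"}

# Constructed sample streams (arguments are the page's own placeholders).
SAMPLE_SUSPECT = (b"IDENTIFY 3 3 DST_IP:DST_PORT/ANYID -\r\n"
                  b"PUSH SOMESTRING\r\nPREPARE\r\nRECONNECT\r\n")
SAMPLE_BENIGN = b"IDENTIFY 3 3 DST_IP:DST_PORT/ANYID -\r\nPUSH SOMESTRING\r\nPREPARE\r\n"


def tip_commands(stream: bytes) -> list[str]:
    """Return the TIP command verbs seen in one client-to-server stream."""
    verbs = []
    for line in re.split(rb"\r?\n", stream):
        parts = line.split(None, 1)
        if not parts:
            continue
        # Upper-casing is a conservative assumption so case variants still match.
        verb = parts[0].decode("ascii", "replace").upper()
        if verb in TIP_COMMANDS:
            verbs.append(verb)
    return verbs


def reconnect_after_prepare(stream: bytes) -> bool:
    """True when RECONNECT is issued after PREPARE in the same session."""
    verbs = tip_commands(stream)
    if "PREPARE" not in verbs:
        return False
    return "RECONNECT" in verbs[verbs.index("PREPARE") + 1:]


def rpc_findings(payload: bytes) -> list[str]:
    """Match the RPC indicators: MSDTC bind, and a 0xCC run after a request header."""
    findings = []
    if payload.startswith(RPC_BIND_HDR) and MSDTC_UUID in payload:
        findings.append("msdtc-rpc-bind")
    if payload.startswith(RPC_REQUEST_HDR) and CC_RUN.search(payload, 4):
        findings.append("cc-run-after-request")
    return findings
```
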