CVE-2005-1980
Published 2005-10-12
Priority: P4 31 · Medium · CVSS 2.0: 5
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 47.34% (98.7th percentile)
Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
bytes: 05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 00 00 00 00
bytes: 05 00 00 83 10 00 00 00 2c 05 00 00 01 00 00 00 04 05 00 00 00 00 07 00
- The exploit targets the MSDTC service via a crafted TIP (Transaction Internet Protocol) message sent over TCP port 3372 (0xd016). Monitor for repeated outbound connection attempts from the MSDTC service (msdtc.exe) to arbitrary IPs/ports following an initial inbound connection, which is the DoS loop behaviour described.
- The exploit sends a two-stage payload: first a DCE/RPC bind packet (peer0_0, 72 bytes, starting 05 00 0b 03) then a large request packet (peer0_1, 1024 bytes, starting 05 00 00 83) containing 0xCC NOP-sled padding. Detect DCE/RPC packets with these specific headers on port 3372 targeting MSDTC.
- The malicious DCE/RPC request packet (peer0_1) contains a large run of 0xCC bytes (INT3 / NOP-sled equivalent) starting at offset ~0x80. Detect oversized MSDTC/TIP packets with repeated 0xCC byte sequences as a shellcode indicator.
- The exploit uses the MSDTC interface UUID e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da in the DCE/RPC bind and request. Detect DCE/RPC traffic binding to this specific interface UUID on port 3372.
- The exploit author notes a low real-world success rate for code execution (~5/10+ boxes in testing), and describes it primarily as a DoS/POC. Detection focus should be on the DoS loop behaviour (MSDTC repeatedly connecting outbound) rather than assuming reliable RCE.
No detection rules found.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/17161
- http://secunia.com/advisories/17172
- http://secunia.com/advisories/17223
- http://secunia.com/advisories/17509
- http://securitytracker.com/id?1015037
- http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
- http://www.idefense.com/application/poi/display?id=319&type=vulnerabilities
- http://www.securityfocus.com/bid/15059
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-051
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1136
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1182
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1203
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1253
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1325
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1413