cbcvebase.
CVE-2005-2119
published 2005-10-12

Priority: P336
Severity: medium, 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 39.13% (98.4th percentile)
The MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer.

Affected

9 ranges
Vendor     Product              Version range  Fixed in
microsoft  windows_2003_server
microsoft  windows_2003_server
microsoft  windows_2003_server
microsoft  windows_2003_server
microsoft  windows_2003_server
microsoft  windows_2003_server
microsoft  windows_2003_server
microsoft  windows_2003_server
microsoft  windows_nt

Detection & IOCs (extracted from sources)

port: 3372
filename: MSDTCPRX.DLL
bytes:
05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00 00 00 00 00 01 00 e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da 01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
bytes:
05 00 00 03 10 00 00 00 04 01 00 00 01 00 00 00 ec 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 00 00 00 00 00
  • Monitor for TCP connections to port 3372 (MSDTC default RPC port) from external or unexpected hosts, especially those sending oversized or malformed DCE/RPC bind and request packets.
  • Detect DCE/RPC bind packets targeting the MSDTC interface UUID e00c6b90-0bc7-6710-b317-00dd010662da sent over TCP port 3372; the bind packet begins with bytes 05 00 0b 03 and contains the interface GUID bytes e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da.
  • Alert on anomalous memory allocation patterns in MSDTCPRX.DLL where NdrAllocate is called with a size value inconsistent with a 4K page boundary, which may indicate exploitation of the MIDL_user_allocate size mismatch.
  • Exploit reliability is low; the PoC author notes only ~50% success rate across tested systems, making this more of a DoS than a reliable RCE vector in practice.
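
The bind-packet check from the second detection bullet, as an added example (not code from this page or its sources): it walks the presentation context list of a DCE/RPC bind PDU and reports each abstract-syntax interface UUID, rather than searching for raw bytes at a fixed offset. Function and constant names are hypothetical; the sample input is the first byte string listed above plus the 24-byte header of the second. Decoding the wire GUID with little-endian field order yields the string form 906b0ce0-c70b-1067-b317-00dd010662da, which is how a protocol decoder will print the byte-order spelling used in the bullet.

```python
import struct
import uuid

# Interface GUID bytes exactly as listed on the page (wire order).
MSDTC_WIRE = bytes.fromhex("e00c6b900bc76710b31700dd010662da")

# Sample input: first byte string from the page (a complete 72-byte bind PDU).
PAGE_BIND = bytes.fromhex(
    "05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 "
    "00 00 00 00 01 00 00 00 00 00 01 00 e0 0c 6b 90 0b c7 67 10 "
    "b3 17 00 dd 01 06 62 da 01 00 00 00 04 5d 88 8a eb 1c c9 11 "
    "9f e8 08 00 2b 10 48 60 02 00 00 00")
# First 24 bytes of the page's second byte string (a request PDU header).
PAGE_REQUEST_HEAD = bytes.fromhex(
    "05 00 00 03 10 00 00 00 04 01 00 00 01 00 00 00 ec 00 00 00 00 00 07 00")


def bind_interfaces(pdu: bytes):
    """Return [(context_id, uuid.UUID, major_version)] for a bind PDU, else []."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != 0x0B:
        return []                        # not a connection-oriented v5 bind
    little = bool(pdu[4] & 0x10)         # drep byte: integer byte order
    e = "<" if little else ">"
    frag_len, = struct.unpack_from(e + "H", pdu, 8)
    end = min(frag_len, len(pdu))        # never read past fragment or capture
    found, off = [], 28                  # context list starts after 4-byte count
    for _ in range(pdu[24]):             # n_context_elem
        if off + 24 > end:
            break                        # truncated PDU or inflated element count
        ctx_id, n_xfer = struct.unpack_from(e + "HB", pdu, off)
        raw = pdu[off + 4:off + 20]      # abstract syntax (interface) GUID
        iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        major, = struct.unpack_from(e + "H", pdu, off + 20)
        found.append((ctx_id, iface, major))
        off += 24 + 20 * n_xfer          # skip this element's transfer syntaxes
    return found


def targets_msdtc(pdu: bytes) -> bool:
    """True when any presentation context in the bind names the MSDTC interface."""
    want = uuid.UUID(bytes_le=MSDTC_WIRE)
    return any(iface == want for _, iface, _ in bind_interfaces(pdu))


if __name__ == "__main__":
    for name, pdu in (("bind", PAGE_BIND), ("request", PAGE_REQUEST_HEAD)):
        print(name, targets_msdtc(pdu), [str(i) for _, i, _ in bind_interfaces(pdu)])
```

Feed it reassembled TCP payloads for port 3372; a match identifies which interface was bound, not that exploitation occurred.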