CVE-2005-2119
Published 2005-10-12
Priority P3 · 36 · medium · CVSS 2.0 base score 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploit: public (see the Exploit-DB entries below)
EPSS: 39.13% (98.4th percentile)
The MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer.
Affected (9 ranges; version bounds were not extracted, so the rows below are indistinguishable)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
Bind PDU (DCE/RPC v5, PTYPE 0x0b, frag_length 0x48 = 72 bytes; abstract syntax = MSDTC interface v1.0, transfer syntax = NDR 2.0):
05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00 00 00 00 00 01 00 e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da 01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
Request PDU (PTYPE 0x00, call_id 1, context 0, opnum 7, frag_length 0x0104 = 260; only the leading bytes are indexed):
05 00 00 03 10 00 00 00 04 01 00 00 01 00 00 00 ec 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 00 00 00 00 00
- →Monitor for TCP connections to port 3372 (MSDTC default RPC port) from external or unexpected hosts, especially ones that send oversized or malformed DCE/RPC bind and request PDUs. A DCE/RPC interface can also be reached through the endpoint mapper (TCP 135) on a dynamically assigned port, so a port-only rule does not cover every path to the interface.
- →Detect DCE/RPC bind PDUs naming the MSDTC interface, UUID 906b0ce0-c70b-1067-b317-00dd010662da v1.0. Interface UUIDs are sent with their first three fields in little-endian order, so on the wire the UUID appears as the bytes e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da (which read naively, in display order, as e00c6b90-0bc7-6710-b317-00dd010662da). The bind PDU begins 05 00 0b 03 (version 5.0, PTYPE bind, first and last fragment flags); match on the byte pattern, not on the display-form UUID string.
- →Alerting on NdrAllocate calls in MSDTCPRX.DLL whose size argument is inconsistent with the fixed 4K allocation returned by MIDL_user_allocate is a host-level heuristic: it requires instrumenting the DTC proxy (API hooking or a debugger), not a network sensor, and is only practical in a lab.
- ·Exploit reliability is low; the PoC author notes only ~50% success rate across tested systems, making this more of a DoS than a reliable RCE vector in practice. ↗
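As an added example (not code from the page's sources or from either PoC author), the following Python parser decodes the two PDUs quoted above under Detection & IOCs, applies the bind rule, and shows the byte-order point: the same 16 bytes are 906b0ce0-... when decoded as the PDU's little-endian data representation says, and e00c6b90-... when read in display order. The field layout follows the DCE/RPC connection-oriented PDU format; the sample bytes are the two IOC strings embedded inline, and the port 49152 used in the usage is a made-up non-default port.

```python
"""Parse the two DCE/RPC connection-oriented PDUs from the Detection & IOCs
section and apply the MSDTC bind rule. Added example, not code from the page's
sources."""
import struct
import uuid
from typing import Optional

# Sample input: the two IOC byte strings from the page (bind PDU, and the
# indexed prefix of a request PDU), embedded so the example runs offline.
BIND_PDU = bytes.fromhex(
    "05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 d0 16 d0 16 00 00 00 00 "
    "01 00 00 00 00 00 01 00 e0 0c 6b 90 0b c7 67 10 b3 17 00 dd 01 06 62 da "
    "01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00 "
)
REQUEST_PDU = bytes.fromhex(
    "05 00 00 03 10 00 00 00 04 01 00 00 01 00 00 00 ec 00 00 00 00 00 07 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 25 00 00 00 00 00 "
)

PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0b
HDR_LEN = 16  # vers, vers_minor, ptype, pfc_flags, drep[4], frag_length, auth_length, call_id

MSDTC_IFACE = uuid.UUID("906b0ce0-c70b-1067-b317-00dd010662da")  # canonical form
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # NDR 2.0 transfer syntax


def wire_uuid(raw: bytes, little_endian: bool) -> uuid.UUID:
    """Decode a 16-byte UUID under the PDU's data representation. With a
    little-endian drep the first three fields are byte-swapped on the wire."""
    return uuid.UUID(bytes_le=raw) if little_endian else uuid.UUID(bytes=raw)


def parse_pdu(data: bytes) -> dict:
    """Parse the common header plus the bind or request body."""
    if len(data) < HDR_LEN or data[0] != 5:
        raise ValueError("not a DCE/RPC v5 connection-oriented PDU")
    ptype, flags = data[2], data[3]
    le = bool(data[4] & 0x10)                 # drep byte 0, bit 4: integer byte order
    e = "<" if le else ">"
    frag_len, auth_len, call_id = struct.unpack(e + "HHI", data[8:16])
    pdu = {"ptype": ptype, "flags": flags, "frag_length": frag_len,
           "auth_length": auth_len, "call_id": call_id,
           "truncated": len(data) < frag_len}
    if ptype == PTYPE_BIND:
        max_xmit, max_recv, assoc = struct.unpack(e + "HHI", data[16:24])
        n_ctx, off, contexts = data[24], 28, []  # n_context_elem + 3 reserved bytes
        for _ in range(n_ctx):
            ctx_id, n_xfer = struct.unpack(e + "HB", data[off:off + 3])
            off += 4                          # one reserved byte after n_transfer_syn
            raw = data[off:off + 16]
            major, minor = struct.unpack(e + "HH", data[off + 16:off + 20])
            off += 20
            xfer = []
            for _ in range(n_xfer):
                xfer.append(wire_uuid(data[off:off + 16], le))
                off += 20                     # uuid + 4-byte version
            contexts.append({"context_id": ctx_id, "interface": wire_uuid(raw, le),
                             "interface_raw": raw, "version": (major, minor),
                             "transfer": xfer})
        pdu.update(max_xmit_frag=max_xmit, max_recv_frag=max_recv,
                   assoc_group=assoc, contexts=contexts)
    elif ptype == PTYPE_REQUEST:
        alloc_hint, ctx_id, opnum = struct.unpack(e + "IHH", data[16:24])
        pdu.update(alloc_hint=alloc_hint, context_id=ctx_id, opnum=opnum,
                   stub=data[24:frag_len])
    return pdu


def uuid_as_seen_on_wire(ctx: dict) -> str:
    """The interface UUID read byte-for-byte in wire order, the form a raw-byte
    signature matches on (compare with ctx['interface'])."""
    return str(uuid.UUID(bytes=ctx["interface_raw"]))


def check_msdtc_bind(pdu: dict, dst_port: int) -> Optional[str]:
    """The page's rule: flag any bind naming the MSDTC interface. The port is
    reported but not required, since the interface may also be reached via the
    endpoint mapper on a dynamic port."""
    if pdu["ptype"] != PTYPE_BIND:
        return None
    for ctx in pdu["contexts"]:
        if ctx["interface"] == MSDTC_IFACE:
            major, minor = ctx["version"]
            port = "tcp/3372 (default)" if dst_port == 3372 else f"tcp/{dst_port} (non-default)"
            return f"DCE/RPC bind to MSDTC interface {MSDTC_IFACE} v{major}.{minor} on {port}"
    return None


if __name__ == "__main__":
    b = parse_pdu(BIND_PDU)
    print(check_msdtc_bind(b, 3372))
    print("wire order:", uuid_as_seen_on_wire(b["contexts"][0]),
          "canonical:", b["contexts"][0]["interface"])
    r = parse_pdu(REQUEST_PDU)
    print(f"request call_id={r['call_id']} opnum={r['opnum']} "
          f"frag_length={r['frag_length']} truncated={r['truncated']}")
    print(check_msdtc_bind(b, 49152))  # assumed non-default port, for illustration
```

The request PDU parses to opnum 7 with a frag_length of 260 while only 56 bytes are indexed, so the parser reports it as truncated rather than guessing at the stub; a sensor fed reassembled TCP data would see the full fragment.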
GHSA
GHSA-jmff-53w8-2jwr (CVE-2005-2119, MEDIUM, unreviewed, 2022-05-01): description identical to the CVE text above.
GHSA
GHSA-2f5f-jxgm-vf88 (CVE-2006-1184, MEDIUM, CVSS 5.0, unreviewed, 2022-05-01):
Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0, 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to cause a denial of service (crash) via a BuildContextW request with a large (1) UuidString or (2) GuidIn of a certain length, which causes an out-of-range memory access, aka the MSDTC Denial of Service Vulnerability. NOTE: this is a variant of CVE-2005-2119.
No detection rules found.
Exploit-DB
Microsoft Windows - DTC Remote (MS05-051) (2) (exploitdb, 2005-12-01, CVE-2005-2119)
---
```c
/*
Hard to exploit, isn't it? I have tested it on 10+ boxes; most of them allocated 0x9X0058 for
me. However, I cannot write the pointer to 0x7ffdf020, since the length I can control must be
exactly divisible by 8 (damn), so I chose 0x684191c4.
The following program is mostly like a DoS. 10+ black boxes were tested, only 5 were owned,
and I think the success rate would be much lower in real circumstances.
I mark it as a PoC and wish someone (no hat) could supply us with a much better exploit. It is
said that this fault could be steered clear of and another segfault consequently triggered,
so...
Any mails are welcome but spam; I need NO viagra. I am single.
Greetz:
All SST guys, I love your bald heads that never hatted.
Shuo Yang
*/
/* remainder of the PoC not indexed on this page */
```
Exploit-DB
Microsoft Windows - MSDTC Service Remote Memory Modification (PoC) (MS05-051) (exploitdb, 2005-11-27, CVE-2005-2119)
---
```c
/*
\ MSDTC remote PoC exploit
/ by Darkeagle
\
/
\ Unl0ck Research Team
/
\
/ Greetingz: all UKT boys, 0x557 guys, Sowhat, GHC/RST guys
\
/ Exploit tested on: Windows 2000 Professional Russian Service Pack 4
\
/ http://exploiterz.org || http://55k7.org
\
/ Reference: http://security.nnov.ru/Jdocument906.html
\
/ ."by default on all Windows 2000 systems."
\ it's false: by default on my system the msdtc service is turned off.
*/
/* The header names were lost in extraction; these are the assumed ones for a Winsock PoC. */
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/* DCE/RPC bind PDU to the MSDTC interface (72 bytes, frag_length 0x48). The
   listing is cut off after \x5d on this page; the remaining bytes are taken
   from the bind PDU quoted in the Detection & IOCs section above. */
unsigned char packet1[] =
"\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00"
"\x00\x00\x01\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x01\x00\xe0\x0c\x6b\x90\x0b\xc7\x67\x10\xb3\x17"
"\x00\xdd\x01\x06\x62\xda\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c"
"\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";
/* remainder of the PoC not indexed on this page */
```
No writeups or analysis indexed.
References
http://secunia.com/advisories/17161
http://secunia.com/advisories/17172
http://secunia.com/advisories/17223
http://secunia.com/advisories/17509
http://securityreason.com/securityalert/73
http://securitytracker.com/id?1015037
http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
http://www.eeye.com/html/research/advisories/AD20051011b.html
http://www.kb.cert.org/vuls/id/180868
http://www.osvdb.org/18828
http://www.securityfocus.com/bid/15056
http://www.us-cert.gov/cas/techalerts/TA05-284A.html
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-051
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1071
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1452
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A551