【Exploit】MSRPC_MSDTC_Message_GUID_BO

テーマ:

MSDTC message buffer overflow (MSRPC_MSDTC_Message_GUID_BO)

About this signature or vulnerability

Proventia G-Series, Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network Sensor, BlackICE PC Protection, BlackICE Agent for Server, BlackICE Server Protection, Proventia Server for Windows, Proventia M-Series:

This signature looks for a specially-crafted MSRPC MSDTC Request that is used to conduct a buffer overflow.



Default risk level

High

Sensors that have this signature

Proventia G-Series: XPU 24.38, Proventia Desktop: 8.0.812.1770, Proventia Network IPS: XPU 1.77, RealSecure Server Sensor: XPU 24.38, RealSecure Network Sensor: XPU 24.38, BlackICE PC Protection: 3.6cpi, BlackICE Agent for Server: 3.6epi, BlackICE Server Protection: 3.6.cpi, Proventia Server for Windows: 1.0.914.1770, Proventia M-Series: XPU 1.77

Systems affected

Windows 2000: SP4, Windows XP: SP1, Windows Server: 2003, Windows Server 2003: SP1 Itanium, CallPilot: Any Version, Windows Server 2003: Itanium

Type

Unauthorized Access Attempt

Vulnerability description

The Microsoft Distributed Transaction Service Coordinator (MSDTC) could allow a remote attacker to execute arbitrary code on the system, caused by a buffer overflow in the MSDTC. On Windows 2000, a remote attacker could send a specially-crafted network message and execute arbitrary code on the system. On Windows XP SP1 and Windows Server 2003, a local attacker could run a program followed by a specially-crafted application to gain elevated privileges and execute arbitrary code on the system.

Note: On Windows XP SP1, the vulnerability can be exploited remotely if the MSDTC is started. On Windows Server 2003, if support for Network DTC Access has been enabled, the vulnerability can be exploited remotely.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-051. See References.

For Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-018. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS05-051, which was superceded by the patch released with MS06-018.

For CallPilot:
Apply the fix as listed in Security Advisory P-2005-0056-Global, available from the Nortel Networks Web site. See References. A login account is required for access.


References

Microsoft Security Bulletin MS05-051
Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
http://www.microsoft.com/technet/security/bulletin/ms05-051.mspx  

Internet Security Systems Protection Alert October 11, 2005
Multiple Microsoft Vulnerabilities ・October 2005
http://xforce.iss.net/xforce/alerts/id/206  

Security Advisory P-2005-0056-Global
Nortel Networks: Log In Required
http://www.nortel.com/  

Microsoft Security Bulletin MS06-018
Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)
http://www.microsoft.com/technet/security/Bulletin/MS06-018.mspx  

ISS X-Force
MSDTC message buffer overflow
http://www.iss.net/security_center/static/22467.php  

CVE
CVE-2005-2119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2119  



■検知

Date/Time 2006-06-18 09:07:52 JST
Tag Name MSRPC_MSDTC_Message_GUID_BO
Alert Name MSRPC_MSDTC_Message_GUID_BO
Severity High
Observance Type Intrusion Detection
Combined Event Count 16
Cleared Flag false
Target IP Address 192.168.37.180
Target Object Name 1025
Target Object Type Target Port
Source IP Address 219.147.22.100
Sensor IP Address 10.4.6.100
Sensor Name network_sensor_1
:end-time 2006-06-18T09:07:32+09:00
:intruder-ip-addr 219.147.22.100
:len 16
:Opnum 0x7
:repeat-count 16
:start-time 2006-06-18T09:06:51+09:00
:victim-ip-addr 192.168.37.180
:victim-port 1025
algorithm-id 2118064
IANAProtocolId 6
Packet DestinationAddress 192.168.37.180
Packet DestinationPort 1025
Packet SourceAddress 219.147.22.100

AD