MSDTC message buffer overflow (MSRPC_MSDTC_Message_GUID_BO)

About this signature or vulnerability

Proventia G-Series, Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network Sensor, BlackICE PC Protection, BlackICE Agent for Server, BlackICE Server Protection, Proventia Server for Windows, Proventia M-Series:

This signature looks for a specially-crafted MSRPC MSDTC Request that is used to conduct a buffer overflow.

Default risk level


Sensors that have this signature

Proventia G-Series: XPU 24.38
Proventia Desktop: 8.0.812.1770
Proventia Network IPS: XPU 1.77
RealSecure Server Sensor: XPU 24.38
RealSecure Network Sensor: XPU 24.38
BlackICE PC Protection: 3.6cpi
BlackICE Agent for Server: 3.6epi
BlackICE Server Protection: 3.6.cpi
Proventia Server for Windows: 1.0.914.1770
Proventia M-Series: XPU 1.77

Systems affected

Windows 2000: SP4
Windows XP: SP1
Windows Server: 2003
Windows Server 2003: SP1 Itanium
Windows Server 2003: Itanium
CallPilot: Any Version


Unauthorized Access Attempt

Vulnerability description

The Microsoft Distributed Transaction Service Coordinator (MSDTC) could allow a remote attacker to execute arbitrary code on the system, caused by a buffer overflow in the MSDTC. On Windows 2000, a remote attacker could send a specially-crafted network message and execute arbitrary code on the system. On Windows XP SP1 and Windows Server 2003, a local attacker could run a program followed by a specially-crafted application to gain elevated privileges and execute arbitrary code on the system.

Note: On Windows XP SP1, the vulnerability can be exploited remotely if the MSDTC is started. On Windows Server 2003, if support for Network DTC Access has been enabled, the vulnerability can be exploited remotely.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-051. See References.

For Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-018. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS05-051, which was superseded by the patch released with MS06-018.

For CallPilot:
Apply the fix as listed in Security Advisory P-2005-0056-Global, available from the Nortel Networks Web site. See References. A login account is required for access.

References

Microsoft Security Bulletin MS05-051
Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)

Internet Security Systems Protection Alert October 11, 2005
Multiple Microsoft Vulnerabilities - October 2005

Security Advisory P-2005-0056-Global
Nortel Networks: Log In Required

Microsoft Security Bulletin MS06-018
Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)

ISS X-Force
MSDTC message buffer overflow
Date/Time 2006-06-18 09:07:52 JST
Alert Name MSRPC_MSDTC_Message_GUID_BO
Severity High
Observance Type Intrusion Detection
Combined Event Count 16
Cleared Flag false
Target IP Address
Target Object Name 1025
Target Object Type Target Port
Source IP Address
Sensor IP Address
Sensor Name network_sensor_1
:end-time 2006-06-18T09:07:32+09:00
:len 16
:Opnum 0x7
:repeat-count 16
:start-time 2006-06-18T09:06:51+09:00
:victim-port 1025
algorithm-id 2118064
IANAProtocolId 6
Packet DestinationAddress
Packet DestinationPort 1025
Packet SourceAddress