
MS05-051 Vulnerabilities in MSDTC and COM+

Published: 2005-10-11
Last Updated: 2005-10-11 20:10:08 UTC
by Joshua Wright (Version: 1)
MS05-051 is actually three unrelated vulnerabilities wrapped into one advisory. To aid in our discussion, I split it into '05-051-A' through '05-051-C':

MS05-051-A: MSDTC Vulnerability
KB: 902400
CVE: CAN-2005-2119

MSDTC stands for "Microsoft Distributed Transaction Coordinator". This facility allows programmers to combine updates sent to several programs or systems into a single "transaction", which ensures consistency across those applications.

This vulnerability is particularly serious for Windows 2000. In the case of Windows 2000, a remote user may trigger the vulnerability without having to log in. For Windows 2k3 and XP, a user would have to log in first.

Either way, an exploit for this vulnerability would provide full system access. An attacker who gained only limited access through one of the other, non-system-level vulnerabilities could then leverage the MSDTC problem to obtain full system access.

As a quick workaround, you should disable network access to DTC. See this MSDN article for details. Even if you patch, you should still disable remote access to DTC if you don't need it.

Quick commands to disable DTC:

sc stop MSDTC & sc config MSDTC start= disabled

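As an added example, not part of the original diary or of anything Microsoft ships, the following PowerShell script reports the MSDTC service state and its network-access setting, and with -Disable applies the same workaround as the sc commands above plus turns off network DTC access. The registry location HKLM:\SOFTWARE\Microsoft\MSDTC\Security and the value name NetworkDtcAccess are assumed from later Windows versions; verify the key on the version you are hardening.

```powershell
# Added example (not from the ISC diary or Microsoft): audit and optionally
# disable the MSDTC service and its network access.
# Assumption: the NetworkDtcAccess DWORD lives under
# HKLM:\SOFTWARE\Microsoft\MSDTC\Security (documented for later Windows
# versions; confirm on Windows 2000 / XP before relying on it).
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable   # without -Disable the script only reports
)

$secKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security'

# Service state via CIM (PowerShell 3+). StartMode shows whether the
# service would come back after a reboot even if it is stopped now.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
if (-not $svc) {
    Write-Output 'MSDTC service not installed on this host.'
    return
}
Write-Output ("MSDTC service: state={0} startmode={1}" -f $svc.State, $svc.StartMode)

# NetworkDtcAccess = 1 means remote systems can reach DTC, which is the
# exposure the workaround removes. A missing value is reported as unknown.
$props = Get-ItemProperty -Path $secKey -ErrorAction SilentlyContinue
$netAccess = if ($props -and $null -ne $props.NetworkDtcAccess) { $props.NetworkDtcAccess } else { 'unknown' }
Write-Output "NetworkDtcAccess: $netAccess"

if (-not $Disable) { return }

# Equivalent of "sc stop MSDTC & sc config MSDTC start= disabled", plus
# turning off network access so a later re-enabled service is still local-only.
if ($PSCmdlet.ShouldProcess('MSDTC', 'Stop service and set start type to Disabled')) {
    Stop-Service -Name MSDTC -Force -ErrorAction SilentlyContinue
    Set-Service -Name MSDTC -StartupType Disabled
}
if ($PSCmdlet.ShouldProcess($secKey, 'Set NetworkDtcAccess=0')) {
    if (-not (Test-Path $secKey)) { New-Item -Path $secKey -Force | Out-Null }
    Set-ItemProperty -Path $secKey -Name NetworkDtcAccess -Value 0 -Type DWord
}
```

Run it without arguments from an elevated prompt to get a report; add -Disable -WhatIf to see what would change, and -Disable to apply it. Applications that rely on distributed transactions (SQL Server linked servers, COM+ transactional components) will stop working once DTC is disabled, so check the report on a representative system first.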
eEye discovered the vulnerability and provided a cookbook for writing an exploit as part of its advisory. It shouldn't take too long to see this exploited.

Additional information about this vulnerability has been published by iDefense, available at http://www.idefense.com/application/poi/display?id=319

--------

MS05-051-B: COM+ Vulnerability
KB: 902400
CVE: CAN-2005-1878

COM+ is used to allocate resources to applications. By maintaining, for example, connection pools and handing connections to processes as needed, it lets programs run faster because they do not have to initiate a new connection each time.

On Win2k and XP-SP1, an attacker can use this vulnerability to remotely obtain administrator privileges without having to authenticate. On XP-SP2 and Win2k3, this vulnerability can only be used to escalate privileges of a local authenticated user.

Standard firewalling procedures (blocking UDP 135, 137, 138 and 445 and TCP 135, 139, 445 and 593) help mitigate the vulnerability. However, if you have COM Internet Services or RPC over HTTP enabled, you will also have to firewall ports 80 and 443.
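The port list above, turned into host firewall rules as an added example (not from the diary or from Microsoft): it uses the NetSecurity cmdlets, which exist on Windows 8 / Server 2012 and later, so on the Windows 2000 and XP systems the bulletin covers the same ports have to be blocked on a perimeter or third-party host firewall instead. The -RemoteAddress parameter, the rule names and the -IncludeHttp switch are this script's own choices.

```powershell
# Added example (not from the ISC diary or Microsoft): inbound block rules
# for the RPC/DCOM/SMB ports listed in MS05-051-B. Requires the NetSecurity
# module (Windows 8 / Server 2012 and later).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Scope the block to untrusted sources. Blocking 135/445 from 'Any' on
    # a domain member breaks normal operation, so narrow this in practice
    # (for example to the address ranges you consider untrusted).
    [string[]]$RemoteAddress = 'Any',
    # Set when COM Internet Services or RPC over HTTP is enabled, which
    # exposes the same endpoints over 80/443.
    [switch]$IncludeHttp
)

# Port sets exactly as the diary lists them, split by protocol.
$rules = @(
    @{ Protocol = 'UDP'; Ports = 135,137,138,445 },
    @{ Protocol = 'TCP'; Ports = 135,139,445,593 }
)
if ($IncludeHttp) {
    $rules += @{ Protocol = 'TCP'; Ports = 80,443 }
}

foreach ($r in $rules) {
    $name = "MS05-051 block inbound $($r.Protocol) $($r.Ports -join ',')"
    # Idempotent: skip rules that already exist so the script can be re-run.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Output "Rule already present: $name"
        continue
    }
    if ($PSCmdlet.ShouldProcess($name, 'Create inbound block rule')) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound `
            -Protocol $r.Protocol -LocalPort $r.Ports -RemoteAddress $RemoteAddress `
            -Action Block -Profile Any | Out-Null
        Write-Output "Created: $name"
    }
}
```

Run with -WhatIf first to see the rules that would be created. Host rules like these only narrow exposure; they do not replace the patch, since a local authenticated user on XP-SP2 and Win2k3 can still reach the vulnerable code.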

Patching this vulnerability is critical for Win2k users. XP-SP1 users should patch and update to SP2 if possible. You may also want to consider disabling DCOM in addition to patching. See the MSFT bulletin for details.

----------

MS05-051-C: TIP Vulnerability and Distributed TIP Vulnerability
KB: 902400
CVE: CAN-2005-1979, CAN-2005-1980

The Transaction Internet Protocol ('TIP') is used by MSDTC (see MS05-051-A) to interface with other transaction managers. The particular vulnerability discussed here is a denial of service vulnerability which causes TIP to cease responding when a specially crafted message is received.

Additional information about this vulnerability has been published by iDefense, available at http://www.idefense.com/application/poi/display?id=320

----------

http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx
