Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Microsoft Distributed Transaction Controller Packet Relay DoS (MS05

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Microsoft Distributed Transaction Controller Packet Relay DoS (MS05-051)
Date: 12 Oct 2005 09:13:13 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Microsoft Distributed Transaction Controller Packet Relay DoS (MS05-051)
------------------------------------------------------------------------


SUMMARY

The Distributed Transaction Controller provides a method for disparate 
processes to complete atomic transactions. The Transaction Internet 
Protocol (TIP) is one the ways that the DTC service can be accessed. This 
service is part of a standard installation on Windows NT 4.0, Windows 
2000, Windows XP and Windows 2003.

Remote exploitation of a denial of service vulnerability within various 
versions of Microsoft Corp.'s Windows operating system allows attackers to 
flood systems with connection attempts from legitimate MSDTC servers.

DETAILS

Vulnerable Systems:
 * Microsoft Windows 2000 SP4

The vulnerability specifically exists because of the functionality in the 
TIP protocol that allows a remote IP address and port number to be 
specified for a connection. The attack can be performed by connecting to 
the MSDTC server and providing an identifier that contains the IP  address 
and port number to flood. After a specific sequence of commands, the 
attacker can force an error and cause the DTC service to connect to the 
target IP and port. The DTC service will continue to make connections to 
that host and port, one at a time, per stalled transaction.

If the target host and port provides anything other than a certain set of 
response messages to the IDENTIFY request on the connection, the DTC 
service will disconnect and then reconnect to the service. The attacker 
can keep submitting new transactions to the DTC service, increasing the  
total number of connections made to the target.

Analysis:
Successful exploitation of this vulnerability could allow an attacker to 
proxy a denial of service attack through a MSDTC server that they do not 
otherwise have access to. An attacker could easily scan public IP ranges 
and find servers with TIP enabled and then force them to flood a target 
with repeated connections attempts.

This attack can also be used to cause a DoS on the MSDTC server itself by 
specifying a loopback address with port 445. This service should not be 
exposed to public networks, thus mitigating the risk of this 
vulnerability.

Vendor response:
The vendor security advisory and appropriate patches are available at:  
<http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx> 
http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1980> 
CAN-2005-1980

Disclosure Timeline:
03/23/2005 Initial vendor notification
03/23/2005 Initial vendor response
10/11/2005 Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:idlabs-advisories@lists.idefense.com> iDEFENSE Labs Security 
Advisories.
The original article can be found at:  
<http://www.idefense.com/application/poi/display?id=319&type=vulnerabilities> 
http://www.idefense.com/application/poi/display?id=319&type=vulnerabilities



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Microsoft Distributed Transaction Controller Packet Relay DoS (MS05-051), SecuriTeam <=
Previous by Date:  [NEWS] OpenSSL SSL 2.0 Rollback, SecuriTeam
Next by Date:  [NT] Microsoft Distributed Transaction Controller TIP DoS (MS05-051), SecuriTeam
Previous by Thread:  [NEWS] OpenSSL SSL 2.0 Rollback, SecuriTeam
Next by Thread:  [NT] Microsoft Distributed Transaction Controller TIP DoS (MS05-051), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]