Microsoft Windows MSDTC Heap Overflow Vulnerability

Vulnerability ID: 1195080    Vulnerability type: Buffer error
Published: 2006-05-09    Updated: 2006-05-15
CVE: CVE-2006-0034    CNNVD ID: CNNVD-200605-148
Platform: N/A    CVSS score: 7.5
|Vulnerability sources
https://www.securityfocus.com/bid/17906
https://cxsecurity.com/issue/WLB-2006050060
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-148
|Vulnerability details
Microsoft Windows is a family of operating systems released by the US company Microsoft. The MSDTC process on Windows contains a vulnerability in its handling of malformed DCE-RPC requests; a remote attacker may exploit it to carry out a denial-of-service attack against the server.

Inside the MSDTC.EXE process, MSDTCPRX.DLL acts as an RPC server, using a dynamic TCP port as its RPC endpoint and {906B0CE0-C70B-1067-B317-00DD010662DA} v1.0 as its sole interface. Because input validation is missing, the function CRpcIoManagerServer::BuildContext contains a heap overflow. Specifically, the function attempts to overwrite its pszGuidOut parameter (which corresponds to the fifth string argument passed to BuildContext/BuildContextW) with a null GUID string. Since the length of the destination string is not checked before the string copy, the heap block holding the RPC stub data can be overwritten.

On NT 4.0 the vulnerable copy operation is the "strcpy(arg_10, pszNULL_GUID)" call; on Windows 2000 it is the "wcscpy(arg_28, pwszNULL_GUID)" call.
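As an added illustration (not code from the advisory, eEye or Microsoft), the following C models the copy pattern described above: an output string whose size is chosen by the RPC client is overwritten with a fixed null GUID string without any length check, shown beside a length-checked version that rejects undersized buffers. The function names, the `cchGuidOut` parameter and the sample sizes are hypothetical; only `pszGuidOut` and the null GUID string come from the description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The null GUID string the advisory says BuildContext writes into
 * pszGuidOut (38 characters plus the terminating NUL = 39 bytes). */
static const char NULL_GUID[] = "{00000000-0000-0000-0000-000000000000}";

/* Pattern described in the advisory (hypothetical function name): the
 * destination is a string the RPC client supplied, so its heap block is
 * only as large as the client chose, yet the copy never checks that.
 * A destination shorter than sizeof(NULL_GUID) is overrun into the
 * neighbouring heap data. Kept for contrast; never call it on short input. */
void build_context_unchecked(char *pszGuidOut)
{
    strcpy(pszGuidOut, NULL_GUID);   /* models strcpy(arg_10, pszNULL_GUID) */
}

/* Hardened form (hypothetical): the capacity of pszGuidOut travels with the
 * pointer and the copy is refused when the buffer cannot hold the result. */
int build_context_checked(char *pszGuidOut, size_t cchGuidOut)
{
    if (pszGuidOut == NULL || cchGuidOut < sizeof(NULL_GUID))
        return -1;                   /* reject the request instead of overflowing */
    memcpy(pszGuidOut, NULL_GUID, sizeof(NULL_GUID));
    return 0;
}

/* How many bytes past the end of a cchGuidOut-byte destination the
 * unchecked copy would write, i.e. the size of the overrun for a given
 * client-supplied string length. */
size_t overflow_bytes(size_t cchGuidOut)
{
    return cchGuidOut >= sizeof(NULL_GUID) ? 0 : sizeof(NULL_GUID) - cchGuidOut;
}

int main(void)
{
    char out[64];
    /* Constructed sizes standing in for the client-chosen string length. */
    size_t sizes[] = { 64, 39, 16, 1 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("destination %2zu bytes: checked copy %s, unchecked would overrun by %zu bytes\n",
               sizes[i], build_context_checked(out, sizes[i]) == 0 ? "ok" : "rejected",
               overflow_bytes(sizes[i]));
    return 0;
}
```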
|Exploit information
Microsoft Distributed Transaction Coordinator Heap Overflow
http://www.eeye.com/html/research/advisories/AD20060509a.html

Release Date:
May 9, 2006

Date Reported:
October 11, 2005

Patch Development Time (In Days):
210

Severity:
High (Remote Code Execution)

Systems Affected:
Windows NT 4.0
Windows 2000 SP2 and SP3

Overview:
eEye Digital Security has discovered a second vulnerability in the
Microsoft Distributed Transaction Coordinator that could allow an
attacker to take complete control over a vulnerable system to which he
has network or local access. The vulnerable MSDTC component is an RPC
server which is network accessible by default on Windows NT 4.0 Server
and Windows 2000 Server systems, over a dynamic high TCP port.

This vulnerability is separate from the "Microsoft Distributed
Transaction Coordinator Memory Modification Vulnerability" issue we
published in October 2005, most significantly in that this second
vulnerability affects NT 4.0 whereas the previous one did not. The patch
released with Microsoft Security Bulletin MS05-051 resolved both
vulnerabilities, although this patch was not previously released for NT
4.0 or Windows 2000 SP2 or SP3. Windows 2000 SP4 and Windows XP systems
without the MS05-051 hotfix installed are affected as well; Windows
Server 2003 systems are immune.

Technical Details:
MSDTCPRX.DLL functions as an RPC server inside the MSDTC.EXE process,
with a dynamic TCP port as its RPC endpoint and
{906B0CE0-C70B-1067-B317-00DD010662DA} v1.0 as the sole interface it
provides. The function CRpcIoManagerServer::BuildContext, as called from
BuildContextW (opnum 7) on Windows 2000 and Windows XP, and BuildContext
(opnum 1) on Windows NT 4.0, contains a heap overflow vulnerability due
to a lack of input validation. Specifically, it attempts to overwrite
its "pszGuidOut" argument, which corresponds to the fifth string
argument passed into BuildContext / BuildContextW, with a null GUID
string. Because the length of the destination string is not checked
prior to the string copy, the heap block containing the RPC stub data
can be overflowed, potentially corrupting the adjacent heap block.

The vulnerable copy operation is an intrinsic "strcpy(arg_10,
pszNULL_GUID)" on NT 4.0, and a "wcscpy(arg_28, pwszNULL_GUID)" call on
Windows 2000. Although the overwrite data itself is not controllable,
the amount of spillover is, and therefore a carefully engineered
overwrite is able to mutilate the adjacent heap block in an exploitable
way.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability. Blink - Endpoint Vulnerability Prevention - preemptively
protects from this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability, but it is only
available to customers who have entered into a custom support agreement
with Microsoft. For more information, please visit:
http://www.microsoft.com/ntserver/ProductInfo/Availability/faq.asp#8

Credit:
Derek Soeder

Greetings:
The folks who attended eEye Coast to Coast. Adams Morgan, Georgetown,
and the Capital Grille. The ASCII slide, the BV, and RITD. Mudge, Gene
and Josh, JB, RC, and the Snub. Snow. The exploding pink ball of oozing
doom.

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert (at) eEye (dot) com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.
|Affected products
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Cent
|References

Source: BID
Name: 17906
Link: http://www.securityfocus.com/bid/17906
Source: BUGTRAQ
Name: 20060509[EEYEB20051011A]-MicrosoftDistributedTransactionCoordinatorHeapOverflow
Link: http://www.securityfocus.com/archive/1/archive/1/433430/100/0/threaded
Source: MS
Name: MS06-018
Link: http://www.microsoft.com/technet/security/bulletin/ms06-018.mspx
Source: VUPEN
Name: ADV-2006-1742
Link: http://www.frsirt.com/english/advisories/2006/1742
Source: MISC
Link: http://www.eeye.com/html/research/advisories/AD20060509a.html
Source: SECUNIA
Name: 20000
Link: http://secunia.com/advisories/20000
Source: XF
Name: msdtc-network-message-dos(25559)
Link: http://xforce.iss.net/xforce/xfdb/25559
Source: BUGTRAQ
Name: 20060511MicrosoftMSDTCNdrAllocateValidationVulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/433677/100/0/threaded
Source: OSVDB
Name: 25335
Link: http://www.osvdb.org/25335
Source: SECTRACK
Name: 1016047
Link: http://securitytracker.com/id?1016047
Source: FULLDISC
Name: 20060510MicrosoftMSDTCNdrAllocateValidationVulnerability
Link: http://archives.neohapsis.com/archives/fulldisclosure/2006