Vulnerabilities > CVE-2005-1980 - Unspecified vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 9 |
Exploit-Db
description | Microsoft Windows DTC Remote Exploit (PoC) (MS05-051) (updated). CVE-2005-1978,CVE-2005-1979,CVE-2005-1980,CVE-2005-2119. Remote exploit for windows platform |
id | EDB-ID:1352 |
last seen | 2016-01-31 |
modified | 2005-12-01 |
published | 2005-12-01 |
reporter | Swan |
source | https://www.exploit-db.com/download/1352/ |
title | Microsoft Windows DTC Remote Exploit PoC MS05-051 updated |
Nessus
NASL family Windows
NASL id SMB_KB902400.NASL
description The remote version of Windows contains a version of MSDTC (Microsoft Data Transaction Coordinator) service that has several remote code execution, local privilege escalation, and denial of service vulnerabilities. An attacker may exploit these flaws to obtain the complete control of the remote host.
last seen 2020-06-01
modified 2020-06-02
plugin id 20008
published 2005-10-12
reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/20008
title MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check)
code
#
# (C) Tenable Network Security, Inc.
#
# Purpose: uncredentialed (remote) check for the MS05-051 / KB 902400 update.
# The script binds to the DCE/RPC interface
# 906b0ce0-c70b-1067-b317-00dd010662da on the port recorded in the knowledge
# base, sends a single request (opnum 0x07) and calls security_hole() only
# when the reply ends with status 0x80070057 and carries an all-zero UUID
# string.
#
# Reading the result: every failure path below ends in a silent exit(0), so
# "no finding" from this plugin does not by itself show that the host is
# patched; it can equally mean the port was closed, the bind was refused or
# the reply could not be parsed. The plugin also covers four CVEs with one
# test, so a finding does not tell which of them applies.
#

include("compat.inc");

# Metadata registration. This branch only declares the plugin's attributes
# and leaves through exit(0) before any of the network code below is reached.
if (description)
{
 script_id(20008);
 script_version("1.34");
 script_cvs_date("Date: 2018/11/15 20:50:28");

 script_cve_id(
   "CVE-2005-2119",
   "CVE-2005-1978",
   "CVE-2005-1979",
   "CVE-2005-1980"
 );
 script_bugtraq_id(15059, 15058, 15057, 15056);
 script_xref(name:"MSFT", value:"MS05-051");
 script_xref(name:"MSKB", value:"902400");

 script_name(english:"MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check)");
 script_summary(english:"Determines the presence of update 902400 (remote check)");

 script_set_attribute(attribute:"synopsis", value:"A vulnerability in MSDTC could allow remote code execution.");
 script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a version of MSDTC (Microsoft Data Transaction Coordinator) service that has several remote code execution, local privilege escalation, and denial of service vulnerabilities. An attacker may exploit these flaws to obtain the complete control of the remote host." 
 );
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-051");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and 2003." );
 # One CVSS vector is declared for the whole bulletin (C:C/I:C/A:C), although
 # the script lists four CVE ids above.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/12");
 script_set_attribute(attribute:"patch_publication_date", value:"2005/10/11");
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/12");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"x-cpe:/a:microsoft:windows:msdtc");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows");
 # The KB keys read below are presumably populated by dcetest.nasl; confirm
 # against that plugin.
 script_dependencies("dcetest.nasl");
 script_require_keys("Services/DCE/906b0ce0-c70b-1067-b317-00dd010662da");
 exit(0);
}

#

include ('smb_func.inc');

# Port on which the interface was previously found, taken from the KB.
port = get_kb_item ("Services/DCE/906b0ce0-c70b-1067-b317-00dd010662da");
if (!port)
  exit (0);

if (!get_port_state (port))
  exit (0);

context_handles = get_kb_list ("DCE/906b0ce0-c70b-1067-b317-00dd010662da/context_handle");
if (isnull(context_handles))
  exit (0);

# Stop at the first non-null handle; it is reused in the request below.
# NOTE(review): if every entry in the list is null the loop ends with
# context_handle still null and the script carries on regardless.
foreach context_handle (context_handles)
{
 if (!isnull(context_handle))
   break;
}

# NOTE(review): this repeats the get_port_state() test already made above.
if ( ! 
get_port_state(port) ) exit(0);

soc = open_sock_tcp (port);
if (!soc) exit (0);

# NOTE(review): host_ip is assigned but not used in the code shown here.
host_ip = get_host_ip();

# Bind to version 1 of the interface; anything but a clean bind ack ends the
# check without a report.
ret = dce_rpc_bind(cid:session_get_cid(), uuid:"906b0ce0-c70b-1067-b317-00dd010662da", vers:1);
send (socket:soc, data:ret);
resp = recv (socket:soc, length:4096);

if (!resp)
{
 close (soc);
 exit (0);
}

ret = dce_rpc_parse_bind_ack (data:resp);
if (isnull (ret) || (ret != 0))
{
 close (soc);
 exit (0);
}

# presumably switches the string helpers used below to Unicode encoding;
# confirm in smb_func.inc
session_set_unicode (unicode:1);

# Request stub for opnum 0x07. The field order follows the interface
# definition fragments quoted in the original comments; do not reorder.
data = raw_dword (d:0) +

       # Type 1
       raw_dword (d:0) +
       raw_dword (d:0) +
       raw_dword (d:0) +
       raw_dword (d:0) +
       raw_dword (d:0) +
       raw_dword (d:0) +

       # need a valid context handle to pass the first check
       class_name (name:context_handle) +
       # a patched version will first check if the length is less than 0x0F
       # (the 17-character string sent here is longer than that)
       class_name (name:crap(data:"B", length:17)) +

       # need to be 37 bytes long to be a valid RPC packet
       # [size_is(37)] [in] [string] wchar_t * element_57,
       # [size_is(37)] [in] [string] wchar_t * element_58,
       class_name (name:crap(data:"A", length:36)) +
       class_name (name:crap(data:"A", length:36)) +

       class_name (name:"tns") +

       # Type 2
       raw_dword (d:0) +
       raw_dword (d:0) +
       raw_dword (d:0) +

       # [in] [range(8,8)] long element_65,
       # [size_is(element_65)] [in] char element_66,
       # range restriction is only present in the Windows XP/2003 version
       raw_dword (d:8) +
       raw_dword (d:8) +
       crap (data:raw_string(0), length:8) ;

ret = dce_rpc_request (code:0x07, data:data);
send (socket:soc, data:ret);
# NOTE(review): unlike the bind reply, this reply is not tested for null or
# empty before it is parsed, and soc is not closed on any path after this
# point in the code shown here.
resp = recv (socket:soc, length:4096);
resp = dce_rpc_parse_response (data:resp);

if (strlen(resp) > 8)
{
 # The last four bytes of the parsed reply are read as the status code.
 val = get_dword (blob:resp, pos:strlen(resp)-4);
 # 0x80070057 is the HRESULT for an invalid parameter (E_INVALIDARG).
 if (val == 0x80070057)
 {
  # 12 bytes of string header plus the 4-byte status are the minimum needed.
  if (strlen(resp) < 16)
    exit (0);

  # NOTE(review): offset and actual_len are read but not used afterwards.
  len = get_dword (blob:resp, pos:0);
  offset = get_dword (blob:resp, pos:4);
  actual_len = get_dword (blob:resp, pos:8);

  # NOTE(review): len comes from the remote reply and is used as the read
  # length without checking that 12 + len*2 stays inside resp; consider
  # bounding it against strlen(resp) before the call.
  uuid = get_string2 (blob:resp, pos:12, len:len*2);
  # a vulnerable version replies with a UUID of 000...
  # a patched version replies with our original buffer (tns)
  if (uuid == "00000000-0000-0000-0000-000000000000")
    security_hole(port);
 }
}
NASL family Windows : Microsoft Bulletins
NASL id SMB_NT_MS05-051.NASL
description The remote version of Windows contains a version of MSDTC and COM+ that is affected by several remote code execution, local privilege escalation and denial of service vulnerabilities. An attacker may exploit these flaws to obtain the complete control of the remote host.
last seen 2020-06-01
modified 2020-06-02
plugin id 20004
published 2005-10-11
reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/20004
title MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
code
#
# (C) Tenable Network Security, Inc.
#
# Purpose: credentialed check (plugin_type "local") for the MS05-051 /
# KB 902400 update. For the Windows versions and service packs in scope it
# passes the expected ole32.dll version in \system32 to
# hotfix_is_vulnerable() and reports the bulletin as missing when any of
# those calls returns true.
#
# Reading the result: the only file inspected is ole32.dll, so the finding
# states whether that file is at the update's level; it does not inspect the
# MSDTC service or its configuration. The plugin covers four CVEs with one
# test, so a finding does not tell which of them applies.
#

include("compat.inc");

# Metadata registration. This branch only declares the plugin's attributes
# and leaves through exit(0) before the check itself is reached.
if (description)
{
 script_id(20004);
 script_version("1.38");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2005-2119", "CVE-2005-1978", "CVE-2005-1979", "CVE-2005-1980");
 script_bugtraq_id(15059, 15058, 15057, 15056);
 script_xref(name:"MSFT", value:"MS05-051");
 script_xref(name:"CERT", value:"180868");
 script_xref(name:"CERT", value:"950516");
 script_xref(name:"EDB-ID", value:"1341");
 script_xref(name:"MSKB", value:"902400");

 script_name(english:"MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)");
 script_summary(english:"Determines the presence of update 902400");
 script_set_attribute(attribute:"synopsis", value:"A vulnerability in MSDTC and COM+ could allow remote code execution.");
 script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a version of MSDTC and COM+ that is affected by several remote code execution, local privilege escalation and denial of service vulnerabilities. 
An attacker may exploit these flaws to obtain the complete control of the remote host.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-051");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and 2003.");
 # One CVSS vector is declared for the whole bulletin (C:C/I:C/A:C), although
 # the script lists four CVE ids above.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/11");
 script_set_attribute(attribute:"patch_publication_date", value:"2005/10/11");
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11");
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

# Stop unless an earlier plugin recorded that bulletin checks are possible.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS05-051';
kb = '902400';

kbs = make_list(kb);
# When this KB item is set, the bulletin and KB list are handed to
# hotfix_check_3rd_party(); what that helper does afterwards is not visible
# here (presumably it reports from patch-management data; confirm in
# smb_hotfixes.inc).
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only the listed service-pack ranges of Windows 2000, XP and 2003 are in
# scope; anything else is audited out as not vulnerable.
if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) 
  audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

# The version lookup needs the share that holds the system root.
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# os 5.2 / 5.1 / 5.0 are the NT version numbers of Server 2003, XP and 2000.
# hotfix_is_vulnerable() presumably returns true when the installed file is
# older than the given version; confirm in smb_hotfixes_fcheck.inc.
if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"ole32.dll", version:"5.2.3790.374", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"ole32.dll", version:"5.2.3790.2492", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"ole32.dll", version:"5.1.2600.1720", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"ole32.dll", version:"5.1.2600.2726", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"ole32.dll", version:"5.0.2195.7059", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  # Record the missing bulletin in the KB, report, then end the file check.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # Both branches call hotfix_check_fversion_end() before leaving.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
Oval
accepted 2011-05-16T04:00:23.267-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability." family windows id oval:org.mitre.oval:def:1136 status accepted submitted 2005-10-12T12:00:00.000-04:00 title Distributed TIP Request Validation Process Permits Denial of Service (Server 2003,SP1) version 69 accepted 2011-05-16T04:00:28.691-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Dragos Prisaca organization Gideon Technologies, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability." family windows id oval:org.mitre.oval:def:1182 status accepted submitted 2005-10-12T12:00:00.000-04:00 title Distributed TIP Request Validation Process Permits Denial of Service (XP,SP2) version 70 accepted 2011-05-16T04:00:31.953-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability." family windows id oval:org.mitre.oval:def:1203 status accepted submitted 2005-10-12T12:00:00.000-04:00 title Distributed TIP Request Validation Process Permits Denial of Service (WinXP,SP1) version 69 accepted 2011-05-16T04:00:41.434-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability." family windows id oval:org.mitre.oval:def:1253 status accepted submitted 2005-10-12T12:00:00.000-04:00 title Distributed TIP Request Validation Process Permits Denial of Service (Win2k,SP4) version 68 accepted 2011-05-16T04:00:51.603-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability." family windows id oval:org.mitre.oval:def:1325 status accepted submitted 2005-10-12T12:00:00.000-04:00 title Distributed TIP Request Validation Process Permits Denial of Service (64-bit XP,SP1) version 69 accepted 2011-05-16T04:00:56.274-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Jonathan Baker organization The MITRE Corporation name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability." family windows id oval:org.mitre.oval:def:1413 status accepted submitted 2005-10-12T12:00:00.000-04:00 title Distributed TIP Request Validation Process Permits Denial of Service (Server 2003) version 69
References
- http://www.idefense.com/application/poi/display?id=319&type=vulnerabilities
- http://www.securityfocus.com/bid/15059
- http://securitytracker.com/id?1015037
- http://secunia.com/advisories/17161
- http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
- http://secunia.com/advisories/17172
- http://secunia.com/advisories/17223
- http://secunia.com/advisories/17509
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1413
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1325
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1253
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1203
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1182
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1136
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-051