Vulnerabilities > CVE-2005-1980 - Denial Of Service vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
exploit available

Summary

Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."

Exploit-Db

description: Microsoft Windows DTC Remote Exploit (PoC) (MS05-051) (updated). CVE-2005-1978,CVE-2005-1979,CVE-2005-1980,CVE-2005-2119. Remote exploit for windows platform
id: EDB-ID:1352
last seen: 2016-01-31
modified: 2005-12-01
published: 2005-12-01
reporter: Swan
source: https://www.exploit-db.com/download/1352/
title: Microsoft Windows DTC Remote Exploit PoC MS05-051 updated

Nessus

  • NASL family: Windows
    NASL id: SMB_KB902400.NASL
    description: The remote version of Windows contains a version of MSDTC (Microsoft Data Transaction Coordinator) service that has several remote code execution, local privilege escalation, and denial of service vulnerabilities. An attacker may exploit these flaws to obtain the complete control of the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20008
    published: 2005-10-12
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20008
    title: MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check)
    code
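    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(20008);
     script_version("1.34");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     script_cve_id(
       "CVE-2005-2119",
       "CVE-2005-1978",
       "CVE-2005-1979",
       "CVE-2005-1980"
     );
     script_bugtraq_id(15059, 15058, 15057, 15056);
     script_xref(name:"MSFT", value:"MS05-051");
     script_xref(name:"MSKB", value:"902400");
    
     script_name(english:"MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check)");
     script_summary(english:"Determines the presence of update 902400 (remote check)");
    
     script_set_attribute(attribute:"synopsis", value:"A vulnerability in MSDTC could allow remote code execution.");
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a version of MSDTC (Microsoft
    Data Transaction Coordinator) service that has several remote code
    execution, local privilege escalation, and denial of service
    vulnerabilities.
    
    An attacker may exploit these flaws to obtain the complete control of
    the remote host." );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-051");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2000, XP and
    2003." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/12");
     script_set_attribute(attribute:"patch_publication_date", value:"2005/10/11");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/12");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"x-cpe:/a:microsoft:windows:msdtc");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
    
     script_dependencies("dcetest.nasl");
     script_require_keys("Services/DCE/906b0ce0-c70b-1067-b317-00dd010662da");
     exit(0);
    }
    
    #
    # Uncredentialed check. Binds to the MSDTC DCE/RPC interface discovered by
    # dcetest.nasl and sends a single request whose reply differs between a
    # patched and an unpatched build (see the comments on the reply parsing
    # below). Reports a hole only on the vulnerable reply pattern.
    #
    
    include ('smb_func.inc');
    
    port = get_kb_item ("Services/DCE/906b0ce0-c70b-1067-b317-00dd010662da");
    if (!port)
      exit (0);
    
    if (!get_port_state (port))
      exit (0);
    
    context_handles = get_kb_list ("DCE/906b0ce0-c70b-1067-b317-00dd010662da/context_handle");
    if (isnull(context_handles))
      exit (0);
    
    # Pick the first non-null context handle recorded by dcetest.nasl.
    context_handle = NULL;
    foreach handle (context_handles)
    {
      if (!isnull(handle))
      {
        context_handle = handle;
        break;
      }
    }
    
    # The request below needs a valid handle to pass the server's first check;
    # without one the reply says nothing about the patch state, so stop here
    # instead of sending a request built around a null handle.
    if (isnull(context_handle))
      exit (0);
    
    soc = open_sock_tcp (port);
    if (!soc)
      exit (0);
    
    ret = dce_rpc_bind(cid:session_get_cid(), uuid:"906b0ce0-c70b-1067-b317-00dd010662da", vers:1);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);
    
    if (!resp)
    {
      close (soc);
      exit (0);
    }
    
    ret = dce_rpc_parse_bind_ack (data:resp);
    if (isnull (ret) || (ret != 0))
    {
      close (soc);
      exit (0);
    }
    
    session_set_unicode (unicode:1);
    
    data = raw_dword (d:0) +
    
           # Type 1
           raw_dword (d:0) +
           raw_dword (d:0) +
           raw_dword (d:0) +
           raw_dword (d:0) +
           raw_dword (d:0) +
           raw_dword (d:0) +
    
           # need a valid context handle to pass the first check
           class_name (name:context_handle) +
           # a patched version will first check if the length is less than 0x0F
           class_name (name:crap(data:"B", length:17)) +
    
           # need to be 37 bytes long to be a valid RPC packet
           # [size_is(37)] [in]  [string] wchar_t * element_57,
           # [size_is(37)] [in]  [string] wchar_t * element_58,
           class_name (name:crap(data:"A", length:36)) +
           class_name (name:crap(data:"A", length:36)) +
    
           class_name (name:"tns") +
    
           # Type 2
           raw_dword (d:0) +
           raw_dword (d:0) +
           raw_dword (d:0) +
    
           # [in]  [range(8,8)] long  element_65,
           # [size_is(element_65)] [in]  char  element_66,
           # range restriction is only present in the Windows XP/2003 version
           raw_dword (d:8) +
           raw_dword (d:8) +
           crap (data:raw_string(0), length:8)
     ;
    
    ret = dce_rpc_request (code:0x07, data:data);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);
    
    # Nothing else is sent on this connection: release it on every path, not
    # only on the early exits above.
    close (soc);
    
    resp = dce_rpc_parse_response (data:resp);
    
    # Need at least a status dword after some payload to say anything.
    if (strlen(resp) <= 8)
      exit (0);
    
    # The trailing dword is the call status; only 0x80070057 (E_INVALIDARG)
    # replies carry the string we look at.
    val = get_dword (blob:resp, pos:strlen(resp)-4);
    if (val != 0x80070057)
      exit (0);
    
    if (strlen(resp) < 16)
      exit (0);
    
    # First dword is the wide-char count of the returned string; the two dwords
    # that follow it (offset, actual length) are not needed for the decision.
    len = get_dword (blob:resp, pos:0);
    
    # A reply whose declared length exceeds what the blob actually carries is
    # malformed; do not extract from it (division form avoids overflow in len*2).
    if (len > (strlen(resp) - 12) / 2)
      exit (0);
    
    uuid = get_string2 (blob:resp, pos:12, len:len*2);
    # a vulnerable version reply with an uuid of 000...
    # a patched version with our original buffer (tns)
    if (uuid == "00000000-0000-0000-0000-000000000000")
      security_hole(port);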
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS05-051.NASL
    description: The remote version of Windows contains a version of MSDTC and COM+ that is affected by several remote code execution, local privilege escalation and denial of service vulnerabilities. An attacker may exploit these flaws to obtain the complete control of the remote host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20004
    published: 2005-10-11
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20004
    title: MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20004);
      script_version("1.38");
      script_cvs_date("Date: 2018/11/15 20:50:29");
    
      script_cve_id(
        "CVE-2005-2119",
        "CVE-2005-1978",
        "CVE-2005-1979",
        "CVE-2005-1980"
      );
      script_bugtraq_id(15059, 15058, 15057, 15056);
      script_xref(name:"MSFT", value:"MS05-051");
      script_xref(name:"CERT", value:"180868");
      script_xref(name:"CERT", value:"950516");
      script_xref(name:"EDB-ID", value:"1341");
      script_xref(name:"MSKB", value:"902400");
    
      script_name(english:"MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)");
      script_summary(english:"Determines the presence of update 902400");
    
      script_set_attribute(attribute:"synopsis", value:"A vulnerability in MSDTC and COM+ could allow remote code execution.");
      script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a version of MSDTC and COM+ that
    is affected by several remote code execution, local privilege escalation
    and denial of service vulnerabilities.
    
    An attacker may exploit these flaws to obtain the complete control of
    the remote host.");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-051");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2000, XP and
    2003.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/10/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
    
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
      exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    #
    # Credentialed check for MS05-051 (KB 902400): compares the installed
    # ole32.dll against the per-OS/service-pack version floor and reports a
    # missing update when any floor is not met.
    #
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS05-051';
    kb = '902400';
    
    # When patch-management data is available, let it answer for this bulletin first.
    if (get_kb_item("Host/patch_management_checks"))
      hotfix_check_3rd_party(bulletin:bulletin, kbs:make_list(kb), severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    # Only these OS / service-pack combinations are in scope for the bulletin.
    if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0)
      audit(AUDIT_OS_SP_NOT_VULN);
    
    sysroot = hotfix_get_systemroot();
    if (!sysroot)
      exit(1, "Failed to get the system root.");
    
    sysroot_share = hotfix_path2share(path:sysroot);
    if (!is_accessible_share(share:sysroot_share))
      audit(AUDIT_SHARE_FAIL, sysroot_share);
    
    # One ole32.dll version floor per supported OS / service pack. The checks
    # short-circuit on the first floor that is not met.
    target_file = "ole32.dll";
    target_dir = "\system32";
    update_missing =
      hotfix_is_vulnerable(os:"5.2", sp:0, file:target_file, version:"5.2.3790.374", dir:target_dir, bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.2", sp:1, file:target_file, version:"5.2.3790.2492", dir:target_dir, bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:1, file:target_file, version:"5.1.2600.1720", dir:target_dir, bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:2, file:target_file, version:"5.1.2600.2726", dir:target_dir, bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0",       file:target_file, version:"5.0.2195.7059", dir:target_dir, bulletin:bulletin, kb:kb);
    
    # Not affected: finish the file-version session and audit out (audit() exits).
    if (!update_missing)
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
    # Affected: record the missing bulletin and report before ending the session.
    set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
    hotfix_security_hole();
    hotfix_check_fversion_end();
    exit(0);
    

Oval

  • accepted: 2011-05-16T04:00:23.267-04:00
    class: vulnerability
    contributors
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:1136
    status: accepted
    submitted: 2005-10-12T12:00:00.000-04:00
    title: Distributed TIP Request Validation Process Permits Denial of Service (Server 2003,SP1)
    version: 69
  • accepted: 2011-05-16T04:00:28.691-04:00
    class: vulnerability
    contributors
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Dragos Prisaca
      organization: Gideon Technologies, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:1182
    status: accepted
    submitted: 2005-10-12T12:00:00.000-04:00
    title: Distributed TIP Request Validation Process Permits Denial of Service (XP,SP2)
    version: 70
  • accepted: 2011-05-16T04:00:31.953-04:00
    class: vulnerability
    contributors
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:1203
    status: accepted
    submitted: 2005-10-12T12:00:00.000-04:00
    title: Distributed TIP Request Validation Process Permits Denial of Service (WinXP,SP1)
    version: 69
  • accepted: 2011-05-16T04:00:41.434-04:00
    class: vulnerability
    contributors
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:1253
    status: accepted
    submitted: 2005-10-12T12:00:00.000-04:00
    title: Distributed TIP Request Validation Process Permits Denial of Service (Win2k,SP4)
    version: 68
  • accepted: 2011-05-16T04:00:51.603-04:00
    class: vulnerability
    contributors
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:1325
    status: accepted
    submitted: 2005-10-12T12:00:00.000-04:00
    title: Distributed TIP Request Validation Process Permits Denial of Service (64-bit XP,SP1)
    version: 69
  • accepted: 2011-05-16T04:00:56.274-04:00
    class: vulnerability
    contributors
    • name: Robert L. Hollis
      organization: ThreatGuard, Inc.
    • name: Jonathan Baker
      organization: The MITRE Corporation
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:1413
    status: accepted
    submitted: 2005-10-12T12:00:00.000-04:00
    title: Distributed TIP Request Validation Process Permits Denial of Service (Server 2003)
    version: 69