[VulnWatch] KPMG-2002015: Microsoft Distributed Transaction Coordinator DoS

From: Peter Gründl (pgrundl@kpmg.dk)
Date: Fri Apr 19 2002 - 06:47:36 EDT


--------------------------------------------------------------------

Title: Microsoft Distributed Transaction Coordinator DoS

BUG-ID: 2002015
Released: 19th Apr 2002
--------------------------------------------------------------------

Problem:
========
A flaw in the way MSDTC handles malformed packets could allow an
attacker to hang the service and exhaust resources on the server.

Vulnerable:
===========
- Windows 2000 Server without MS02-018 patch

Details:
========
If an attacker sends 20200 null characters to the MSDTC service,
which listens on TCP port 3372, server resources are allocated
poorly. This attack can result in MSDTC.EXE spiking at 100% CPU
usage, MSDTC refusing connections and kernel resources being
exhausted.

This was already corrected in MS02-018, and has been brought up
on Bugtraq (after it was reported to the vendor):

http://online.securityfocus.com/archive/1/253360

The security bulletin from Microsoft, however, does not mention
this vulnerability.

Vendor URL:
===========
You can visit the vendor's webpage here: http://www.microsoft.com

Vendor response:
================
The vendor was contacted on the 24th of October, 2001. On the 15th
of March, 2002 we received a private hotfix, which corrected the
issue. On the 10th of April, 2002 the vendor released a public
bulletin. On the 19th of April, 2002 the vendor notified us that
the patch also included the patched binary for the MSDTC issue.

Corrective action:
==================
The vendor has released a patched binary, which is included in
the security rollup package MS02-018, available here:
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp

Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be
liable for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------
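
A detection-side example for the condition described under Details, added here and not part of the KPMG advisory: it reassembles client payload per TCP stream to port 3372 and flags long runs of null bytes, which a per-segment check would miss because the run is split across segments. The threshold, the record layout and the sample segments are assumptions constructed for illustration; segments are assumed to arrive in order without retransmissions.

```python
from collections import defaultdict

MSDTC_PORT = 3372          # port named in the advisory
NULL_RUN_THRESHOLD = 4096  # assumption: alert well below the 20200 bytes cited


def longest_null_run(data: bytes) -> int:
    """Length of the longest run of consecutive 0x00 bytes in data."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best


def find_null_floods(segments, threshold=NULL_RUN_THRESHOLD):
    """segments: iterable of (src, sport, dst, dport, payload) in capture order.

    Returns a sorted list of (src, dst, longest_run) for streams to MSDTC_PORT
    whose reassembled client payload holds a null run of at least `threshold`.
    """
    streams = defaultdict(bytearray)
    for src, sport, dst, dport, payload in segments:
        if dport == MSDTC_PORT:
            streams[(src, sport, dst)] += payload  # join segments per stream
    alerts = []
    for (src, _sport, dst), data in streams.items():
        run = longest_null_run(bytes(data))
        if run >= threshold:
            alerts.append((src, dst, run))
    return sorted(alerts)


# Constructed sample capture (documentation addresses, not real traffic):
# 20200 null bytes split into 1460-byte segments, a non-null payload to the
# same port, and a null payload to a different port that must be ignored.
SAMPLE = (
    [("192.0.2.10", 40000, "198.51.100.5", MSDTC_PORT, bytes(1460))] * 13
    + [("192.0.2.10", 40000, "198.51.100.5", MSDTC_PORT, bytes(1220)),
       ("192.0.2.20", 40001, "198.51.100.5", MSDTC_PORT, bytes(range(1, 200))),
       ("192.0.2.30", 40002, "198.51.100.5", 80, bytes(5000))]
)

if __name__ == "__main__":
    for src, dst, run in find_null_floods(SAMPLE):
        print(f"ALERT {src} -> {dst}:{MSDTC_PORT} null run of {run} bytes")
```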
