Microsoft Distributed Transaction Coordinator (MSDTC) Service Can Be Crashed By Remote Users
|
Date: Feb 1 2002
|
Impact: Denial of service via network
|
Exploit Included: Yes
|
Description: A denial of service vulnerability was reported in Microsoft's Distributed Transaction Coordinator (MSDTC) service. A remote user may be able to cause the service to crash.
It is reported that a remote user can send 1024 bytes of random data to the MSDTC service (on TCP port 3372) to cause the service
to crash in some cases. This was tested by generating 1024 bytes of random data (from /dev/urandom on a *nix host) and sending
it via the netcat utility to the port.
The author reports that on some servers, this method does not cause a crash.
|
Impact: A remote user may be able to cause the MSDTC service to crash.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.microsoft.com/com/tech/mts.asp (Links to External Site)
|
Cause: Exception handling error
|
Underlying OS: Windows (2000)
|
Underlying OS Comments: Tested on Windows 2000 SP2
|
Reported By: palante@subterrain.net
|
Message History:
None.
|
Source Message Contents
|
Date: 31 Jan 2002 03:14:48 -0000
From: palante@subterrain.net
Subject: msdtc on 3372
|
I've been examining the Microsoft Distributed Transaction Coordinator
(MSDTC) service that runs on tcp port 3372, in these cases on win2k SP2.
Nothing happens with casual garbage data (e.g. 0x51) manually sent, but
I've also been sending 1024 bytes of random data (from /dev/urandom)
through nc to the port. On some systems msdtc dies immediately. On
those systems where it fails to crash, additional connections or larger
data sizes (there appears to be a size limit anyway) do not cause a crash.
Unfortunately my sample size is rather small; the trouble with experimenting
on real subjects is finding replacements. Has anyone else experienced this
behavior?
Palante
|
|
