The vulnerable system is bound to a protocol stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared proximity (e.g., Bluetooth, NFC, or IEEE 802.11) or logical network (e.g., local IP subnet), or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN within an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
Privileges Required (PR): Low
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.
Scope (S)
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Microsoft Distributed Transaction Coordinator Heap Overflow
http://www.eeye.com/html/research/advisories/AD20060509a.html
Release Date: May 9, 2006
Date Reported: October 11, 2005
Patch Development Time (In Days): 210
Severity: High (Remote Code Execution)
Systems Affected:
Windows NT 4.0
Windows 2000 SP2 and SP3
Overview:
eEye Digital Security has discovered a second vulnerability in the
Microsoft Distributed Transaction Coordinator that could allow an
attacker to take complete control over a vulnerable system to which he
has network or local access. The vulnerable MSDTC component is an RPC
server which is network accessible by default on Windows NT 4.0 Server
and Windows 2000 Server systems, over a dynamic high TCP port.
This vulnerability is separate from the "Microsoft Distributed
Transaction Coordinator Memory Modification Vulnerability" issue we
published in October 2005, most significantly in that this second
vulnerability affects NT 4.0 whereas the previous one did not. The patch
released with Microsoft Security Bulletin MS05-051 resolved both
vulnerabilities, although this patch was not previously released for NT
4.0 or Windows 2000 SP2 or SP3. Windows 2000 SP4 and Windows XP systems
without the MS05-051 hotfix installed are affected as well; Windows
Server 2003 systems are immune.
Technical Details:
MSDTCPRX.DLL functions as an RPC server inside the MSDTC.EXE process,
with a dynamic TCP port as its RPC endpoint and
{906B0CE0-C70B-1067-B317-00DD010662DA} v1.0 as the sole interface it
provides. The function CRpcIoManagerServer::BuildContext, as called from
BuildContextW (opnum 7) on Windows 2000 and Windows XP, and BuildContext
(opnum 1) on Windows NT 4.0, contains a heap overflow vulnerability due
to a lack of input validation. Specifically, it attempts to overwrite
its "pszGuidOut" argument, which corresponds to the fifth string
argument passed into BuildContext / BuildContextW, with a null GUID
string. Because the length of the destination string is not checked
prior to the string copy, the heap block containing the RPC stub data
can be overflowed, potentially corrupting the adjacent heap block.
The vulnerable copy operation is an intrinsic "strcpy(arg_10,
pszNULL_GUID)" on NT 4.0, and a "wcscpy(arg_28, pwszNULL_GUID)" call on
Windows 2000. Although the overwrite data itself is not controllable,
the amount of spillover is, and therefore a carefully engineered
overwrite is able to mutilate the adjacent heap block in an exploitable
way.
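The copy the advisory describes is a fixed-length source written into a caller-sized destination, so the spillover is decided entirely by the length the remote caller supplies. The following added example (not eEye's or Microsoft's code) models that arithmetic for the NT 4.0 strcpy and Windows 2000 wcscpy cases and shows the length check a hardened BuildContext-style handler needs; the exact null GUID text and the handler signature are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Null GUID string that BuildContext writes into pszGuidOut. The exact
 * text MSDTC uses is not given in the advisory; this form is assumed. */
static const char NULL_GUID[] = "{00000000-0000-0000-0000-000000000000}";

/* Bytes an unchecked strcpy (wide == 0, NT 4.0) or wcscpy (wide == 1,
 * Windows 2000, 2-byte UTF-16 units) would write past a destination block of
 * dest_len bytes. 0 means the copy fits. The data written is fixed; only the
 * destination length, chosen by the remote caller, decides the spillover. */
size_t guid_copy_overrun(size_t dest_len, int wide) {
    size_t need = sizeof NULL_GUID * (wide ? 2 : 1); /* 39 or 78 bytes */
    return dest_len >= need ? 0 : need - dest_len;
}

/* Hardened handler in the shape the advisory describes (hypothetical, not
 * MSDTC's code): the stub-supplied buffer length is validated before any copy. */
int build_context_safe(char *pszGuidOut, size_t cbGuidOut) {
    if (pszGuidOut == NULL || cbGuidOut < sizeof NULL_GUID)
        return -1; /* refuse: the caller's buffer cannot hold the GUID string */
    memcpy(pszGuidOut, NULL_GUID, sizeof NULL_GUID);
    return 0;
}

/* Allocate a cb-byte heap block as an RPC stub would for the caller's string,
 * run the hardened handler and return its verdict (constructed harness). */
int try_build_context(size_t cb) {
    char *blk = malloc(cb ? cb : 1);
    int rc;
    if (blk == NULL) return -2;
    rc = build_context_safe(blk, cb);
    if (rc == 0 && strcmp(blk, NULL_GUID) != 0) rc = -3; /* should not happen */
    free(blk);
    return rc;
}

int main(void) {
    size_t lens[] = { 16, 39, 40, 78 };
    for (size_t i = 0; i < 4; i++)
        printf("dest %2zu bytes: strcpy overrun %2zu, wcscpy overrun %2zu, "
               "hardened handler rc %d\n", lens[i],
               guid_copy_overrun(lens[i], 0), guid_copy_overrun(lens[i], 1),
               try_build_context(lens[i]));
    return 0;
}
```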
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability. Blink - Endpoint Vulnerability Prevention - preemptively
protects from this vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability, but it is only
available to customers who have entered into a custom support agreement
with Microsoft. For more information, please visit:
http://www.microsoft.com/ntserver/ProductInfo/Availability/faq.asp#8
Credit:
Derek Soeder
Greetings:
The folks who attended eEye Coast to Coast. Adams Morgan, Georgetown,
and the Capital Grille. The ASCII slide, the BV, and RITD. Mudge, Gene
and Josh, JB, RC, and the Snub. Snow. The exploding pink ball of oozing
doom.
Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert (at) eEye (dot) com for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.