Microsoft Distributed Transaction Coordinator$B%a%b%jJQ99@H(B$B<e@-(B

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Microsoft Distributed Transaction Coordinator$B%a%b%jJQ99@H(B$B

To: bugtraq-jp@xxxxxxxxxxxxxxxxx
Subject: Microsoft Distributed Transaction Coordinator$B%a%b%jJQ99@H(B$B
From: Akiko Takahashi <takahashi.akiko@xxxxxxxxx>
Date: Wed, 12 Oct 2005 22:23:35 +0900

Microsoft Distributed Transaction Coordinator$B%a%b%jJQ99@Hhttp://www.eeye.com/html/research/advisories/AD20051011b.html
(B
$B%j%j!<%9F|(B:
(BOctober 11, 2005
(B
$BJs9pF|(B: 
(BJuly 8, 2005
(B
$B%Q%C%A3+H/4|4V(B: 95$BF|(B
(B
$B%j%9%/%l%Y%k(B: 
$B9b(B ($B%j%b!<%H%3!<%I]%7%9%F%`(B:
(BWindows 2000 Server SP0 - SP4
(B     - $B%G%U%)%k%H$G%j%b!<%H(Bexploit$B2DG=(B
(BWindows XP SP0 - SP1
(B     - $B%G%U%)%k%H$G$O%m!<%+%k(Bexploit$B$N$_(B
(B     - $B%5!<%S%93+;O$K$h$j%j%b!<%H(Bexploit$B2DG=(B
(BWindows 2003 Server SP0
(B     - $B%G%U%)%k%H$G$O%m!<%+%k(Bexploit$B$N$_(B
(B     - $B%M%C%H%o!<%/(BDTC$B%"%/%;%9$,M-8z$K$J$C$F$$$k$H!"%j%b!<%H(Bexploit$B2DG=(B
(B
(BeEye ID#:  EEYEB20050915
(BOSVDB ID#: 2692
(BCVE #:  CAN-2005-2127
(B
$B35MW(B:
(BeEye Digital Security$B$O!"(BMicrosoft Distributed Transaction Coordinator
(B(MSDTC)$B%5!<%S%9$K!"F?L>$N967b\:Y>pJs(B:
(BDistributed Transaction Coordinator$B%$%s%?!<%U%'!<%9(Bproxy (MSDTCRPX.DLL)
$B$O(B{906B0CE0-C70B-1067-B317-00DD010662DA} v1.0$B$N%j%/%(%9%H$r=hM}$9$k(BRPC$B%5!<(B
$B%P$H$7$F5!G=$7$^$9!#(BMIDL_user_allocate$B4X?t$O!"MW5a$5$l$k%a%b%j%5%$%:$K4X(B
$B$o$i$:(BVirtualAlloc$B$K$F(B1$B%a%b%j%Z!<%8(B(4KB)$B$r3d$jEv$F$k$H$$$&FC0[$JF0:n$r$7(B
$B$^$9!#$=$N7k2L!"%a%b%j3d$jEv$F$OI,$:@.8y$7!"(B4KB$B%V%m%C%/$X$N%]%$%s%?$,JV(B
$B$5$l$^$9!#(BBuildContextW (opnum 7) RPC$B4X?t$O8F$S=P$7B&$G%5%$%:$r;XDj$7$^(B
$B$9$,!"$=$N%5%$%:$bL5;k$5$l$^$9!#(B
(B
(BVirtualAlloc$B$K$h$C$F%a%b%j$,3d$jEv$F$i$l$k0Y!"DL>o$ONY@\$9$k%G!<%?$K>e=q(B
$B$-2DG=$J$b$N$OB8:_$7$^$;$s$,!"(BRPC$B%i%s%?%$%`%i%$%V%i%j$=$N$b$N$K!"(B
(BMSDTCPRX$B$NFC0[$J%a%b%j3d$jEv$F%k!<%A%s$K$h$j(Bexploit$B2DG=$H$J$k%3!<%I$,4^(B
$B$^$l$^$9!#2<5-$N(Bdisassembly$B$GNc>Z$5$l$F$$$k$h$&$K!"(BRPCRT4.DLL$B$N(B
(BNdrAllocate$B4X?t$O!"FCDj$N4IM}%G!<%?$r3d$jEv$F$i$l$?%a%b%j%V%m%C%/$N8e$K(B
$B3JG<$7$h$&$H$7$^$9!'(B
(B
(B; ESI = $B3d$jEv$F%5%$%:(B(8$B%P%$%HC10L(B)
(B; EBX = $B9g7W3d$jEv$F%5%$%:(B(alloc size + 0Ch)
(B; $B@0?t%*!<%P!<%U%m!<%A%'%C%/!#3d$jEv$F%5%$%:$O(B <= FFFFFFF0h $B$G$J$1$l$P$J$i$J$$!#(B
(B
(B786F828D    push    ebx                 ; EBX = $B9g7W3d$jEv$F%5%$%:(B
(B786F828E    call    dword ptr [edi+48h] ; MSDTCPRX.DLL!MIDL_user_allocate
(B786F8291    mov     ebx, eax
(B786F8293    test    ebx, ebx
(B786F8295    jz      78735490
(B786F829B    lea     eax, [esi+ebx]      ; ESI = $B3d$jEv$F%5%$%:(B
(B786F829E    lea     ecx, [edi+0B0h]
(B786F82A4    mov     dword ptr [eax], 4D454D4Ch  ; +00h "LMEM"$B%?%0(B
(B786F82AA    mov     [eax+4], ebx                ; +04h $B%V%m%C%/3+;O(B
(B786F82AD    mov     edx, [ecx]
(B786F82AF    mov     [eax+8], edx                ; +08h $BO"7k%j%9%H(B
(B786F82B2    mov     [ecx], eax          ; $B%j%s%/%j%9%H$KK\%V%m%C%/$rDI2C(B
(B
$B%f!<%6$K$h$C$FM?$($i$l$?3d$jEv$F%5%$%:$O!"%a%b%j3d$jEv$F4X?t$,@.8y$9$k;v(B
$B$K$h$j<+F0E*$KM-8z$HH=Dj$5$l$k0Y!"(BFFFFFFF0h$B$^$?$O$=$l0J2<$NG$0U$NCM$r(B
(BNdrAllocate$B$KEO$7!"7k2LE*$K$3$N(B12$B%P%$%H$N4IM}%G!<%?$r(BVirualAlloc$B$5$l$?%a(B
$B%b%jNN0h$N0LCV$KO"F0$7$?G$0U$N%"%I%l%9$K3JG<$9$k$3$H$,$G$-$^$9!#(B3$B$D$N(B
(BDWORD$B7?%U%#!<%k%I$N$&$A(B2$B$DL\$O$3$N%a%b%jNN0h$KBP$9$k%]%$%s%?$G$"$k$?$a!"(B
$BK\@HpJs(B:
(BRetina - Network Security Scanner
(BBlink - End-point Vulnerability Prevention
(B
$B%Y%s%@BP1~>u67(B:
(BMicrosoft$Bhttp://www.microsoft.com/japan/technet/security/bulletin/MS05-051.mspx
(B
$B%/%l%8%C%H(B:
$BH/8+=;R(B ($B=;>&>pJs%7%9%F%`3t<02qpJs(B:
(BRetina Network Security Scanner - $BF|K\8lHGI>2AHG(B
(B - https://sec.sse.co.jp/eeye/freedl.html
(BRetina MSDTC Scanner - $BK\@Hhttps://sec.sse.co.jp/eeye/freedl.html
(BRetina Network Security Scanner - $B1Q8lHGI>2AHG(B
(B - http://www.eeye.com/html/products/retina/download/index.html
(BBlink Endpoint Vulnerability Prevention - $B1Q8lHGI>2AHG(B
(B - http://www.eeye.com/html/products/blink/download/index.html
(B
(B
$BK\(BAdvisory$B$O!"=;>&>pJs%7%9%F%`3t<02qe$GK]Lu$7$F$*$j$^$9!#(B
(BSCS$B$OK\OBLu$,@53N$J>pJs$K$J$k$h$&EX$a$5$;$FD:$-$^$9!#$7$+$7$J$,$i!"@53N(B
$B@-!"40A4@-!"?.Mj@-!"0BA4@-Ey$K4X$7$F!"$$$+$J$k@UG$$bIi$o$J$$$3$H$HCW$7$^(B
$B$9!#(B
(B
(BCopyright (c) 1998-2005 eEye Digital Security
(BPermission is hereby granted for the redistribution of this alert
(Belectronically. It is not to be edited in any way without express
(Bconsent of eEye.  If you wish to reprint the whole or any part of this
(Balert in any other medium excluding electronic medium, please email
(Balert@xxxxxxxx for permission.
(B
(BDisclaimer
(BThe information within this paper may change without notice. Use of this
(Binformation constitutes acceptance for use in an AS IS condition.  There
(Bare no warranties, implied or express, with regard to this information.
(BIn no event shall the author be liable for any direct or indirect
(Bdamages whatsoever arising out of or in connection with the use or
(Bspread of this information.  Any use of this information is at the
(Buser's own risk.
(B
(B
(B
(B----------------------------------------
(B  $B9b66(B $B>=;R(B <takahashi.akiko@xxxxxxxxx>
(B  $B=;>&>pJs%7%9%F%`3t<02qhttp://www.scs.co.jp

Prev by Date: MDT2DD.DLL COM$B%*%V%8%'%/%H=i4|2=$5(B$B$l$J$$%R!<%W%a%b%j@H

Next by Date: Microsoft DirectShow$B%j%b!<%H%3!<(B$B%I

Previous by thread: MDT2DD.DLL COM$B%*%V%8%'%/%H=i4|2=$5(B$B$l$J$$%R!<%W%a%b%j@H

Next by thread: Microsoft Distributed Transaction Coordinator$B%a%b%jJQ99@H(B$B

Index(es):
- Date
- Thread