On 5/15/06, Hayes, Bill <Bill.Hayes@xxxxxxx> wrote:
The CVE-2006-1184 flaw will cause DoS conditions. The CVE-2006-0034 vulnerability will cause DoS conditions and is exploitable on older systems. See eEye Digital Security advisory AD20060509a, "Microsoft Distributed Transaction Coordinator Heap Overflow".
[...]
References:
http://secunia.com/advisories/20000/
http://www.frsirt.com/english/advisories/2006/1742
http://www.eeye.com/html/research/advisories/AD20060509a.html
http://www.eeye.com/html/research/advisories/AD20060509b.html
CVE-2006-0034 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0034
CVE-2006-1184 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1184
Thanks for this useful clarification. After reading through all the docs you link, I've come up with a table of patch relevance that I _think_ covers it :

[fixed width font required ...]

              | CVE-2006-0034                | CVE-2006-1184
--------------+------------------------------+--------------------
WinNT         | system compromise, no patch  | DoS, no patch
Win2K/SP2,SP3 | system compromise, no patch  | DoS, no patch
Win2K/SP4     | DoS, MS05-051 fixes [1]      | DoS, MS06-018 fixes
WinXP/SP1     | DoS, MS05-051 fixes [1]      | DoS, MS06-018 fixes
WinXP/SP2     | immune                       | DoS, MS06-018 fixes
Win2003       | [2]                          | DoS, MS06-018 fixes

[1] MS05-051 is now replaced by MS06-018
[2] eEye says Win2003 immune / MS says fixed by MS06-018 ???

If that's right, then for the Windows versions still in support the vulnerabilities are all DoS, so the Microsoft patch download page severity statements are wrong (typos ?), albeit that non-public patches are available via special support channels which _do_ fix system compromise problems for NT and Win2K SP3/4.

Matt Carpenter wrote :
Slightly aside, how many attacks classified as DoS are not truly exploitable for arbitrary code in the right hands?
Good question - hopefully not applicable here :-} ..... ....

Except that Maxime Duchamp wrote :
I have seen 2 servers last month which have been hacked .... There were servers which had port 3372 accessible ..... I was not able to find any tool which was used to hack the server on this port, but I think DTC was the culprit.
Well that's disquieting.

I have no info to add here myself - but noticing the silence in this thread from the major players, I wonder whether more "research" is going on as we speak.

Thanks to all.

Nick Boyce
-- 
/* affect != effect */
void affect(int *thing,int effect)
{
    *thing += effect;
}