CVE-2005-2119

An attacker can exploit this vulnerability remotely or locally by sending a crafted RPC request to the MSDTC service. The MIDL_user_allocate function in MSDTCPRX.DLL allocates a fixed 4K page regardless of the required size, but the caller provides an incorrect size value to NdrAllocate, which then writes management data beyond the bounds of the allocated buffer [ref_id=1]. On Windows Server 2003, the MSDTC service is started by default but requires Network DTC Access to be enabled for remote anonymous exploitation; on Windows XP SP1 and Windows 2000, a local user can start the service, after which remote anonymous attacks become possible [ref_id=1]. Firewall best practices blocking port 3372 (TIP) and related RPC endpoints can mitigate network-based attacks [ref_id=1].

The vulnerability resides in the MIDL_user_allocate function within MSDTCPRX.DLL, the Microsoft Distributed Transaction Coordinator (MSDTC) proxy DLL [ref_id=1]. The advisory does not specify exact source file paths or line numbers.

The security update corrects the memory allocation logic in MSDTCPRX.DLL so that MIDL_user_allocate honors the actual requested size instead of always allocating a fixed 4K page, and ensures the size value passed to NdrAllocate is accurate [ref_id=1]. Additionally, the update disables the TIP protocol by default on Windows 2000 and introduces several registry keys to restrict TIP command validation, reducing the attack surface for related vulnerabilities [ref_id=1]. No patch diff is available in the bundle; the advisory is the sole source for remediation details.