Vulnerabilities > CVE-2005-0048 - Unspecified vulnerability in Microsoft Windows 2000 and Windows XP

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
exploit available

Summary

Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allow remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability." Fixed by Microsoft bulletin MS05-019 (KB893066).
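
The summary says the trigger is IP packets with malformed options but not what "malformed" means at the byte level. The following is an added example written for this page; it is not code from Microsoft's tcpip.sys nor from either Exploit-DB entry. It is a reference validator for the IPv4 option area as RFC 791 defines it, rejecting the shapes a crafted packet would use: a header whose IHL exceeds the packet, an option whose length byte is missing, 0 or 1, an option that runs past the header, and a Record Route, source route or Timestamp pointer below its minimum. The headers it checks are constructed inline, and the function and enum names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of validating an IPv4 option area (names are this example's own). */
enum ipopt_status {
    IPOPT_OK = 0,
    IPOPT_BAD_IHL,      /* IHL below 5 words, or header longer than the packet */
    IPOPT_BAD_LENGTH,   /* option length byte missing, below 2, or past the header */
    IPOPT_BAD_POINTER   /* route/timestamp pointer below its RFC 791 minimum */
};

/* Walk the options between byte 20 and IHL*4 of the header in pkt[0..len).
 * Each check is one a stack must make before using an option field; skipping
 * any of them is how a malformed option becomes an out-of-bounds read or a
 * loop that never advances. */
enum ipopt_status ipv4_options_valid(const uint8_t *pkt, size_t len)
{
    if (len < 20)
        return IPOPT_BAD_IHL;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return IPOPT_BAD_IHL;

    size_t off = 20;
    while (off < ihl) {
        uint8_t kind = pkt[off];
        if (kind == 0)                  /* End of Option List */
            break;
        if (kind == 1) {                /* No-Operation: a single byte */
            off++;
            continue;
        }
        /* All other options carry a length byte that counts kind and length. */
        if (off + 1 >= ihl)
            return IPOPT_BAD_LENGTH;
        size_t optlen = pkt[off + 1];
        /* A length of 0 or 1 never moves the cursor forward; a large one walks
         * the parser past the header into the payload or past the buffer. */
        if (optlen < 2 || off + optlen > ihl)
            return IPOPT_BAD_LENGTH;

        switch (kind) {
        case 7: case 131: case 137:     /* Record Route, LSRR, SSRR: pointer >= 4 */
            if (optlen < 3 || pkt[off + 2] < 4)
                return IPOPT_BAD_POINTER;
            break;
        case 68:                        /* Internet Timestamp: pointer >= 5 */
            if (optlen < 4 || pkt[off + 2] < 5)
                return IPOPT_BAD_POINTER;
            break;
        default:
            break;
        }
        off += optlen;
    }
    return IPOPT_OK;
}

/* Constructed sample: a 24-byte header (version 4, IHL 6) whose four option
 * bytes are the arguments; every other header byte is zero. */
enum ipopt_status check_opts4(uint8_t o0, uint8_t o1, uint8_t o2, uint8_t o3)
{
    uint8_t hdr[24];
    memset(hdr, 0, sizeof hdr);
    hdr[0] = 0x46;
    hdr[20] = o0; hdr[21] = o1; hdr[22] = o2; hdr[23] = o3;
    return ipv4_options_valid(hdr, sizeof hdr);
}

int main(void)
{
    static const char *names[] = { "ok", "bad IHL", "bad length", "bad pointer" };
    printf("NOP NOP EOL         : %s\n", names[check_opts4(1, 1, 0, 0)]);
    printf("RR len 0            : %s\n", names[check_opts4(7, 0, 4, 0)]);
    printf("RR len 40 (overrun) : %s\n", names[check_opts4(7, 40, 4, 0)]);
    printf("RR pointer 2        : %s\n", names[check_opts4(7, 3, 2, 0)]);
    printf("kind with no length : %s\n", names[check_opts4(1, 1, 1, 7)]);
    printf("IHL 15 on 24 bytes  : %s\n",
           names[ipv4_options_valid((const uint8_t[24]){0x4f}, 24)]);
    return 0;
}
```

The length-zero case is the one worth remembering: a parser that does `off += pkt[off + 1]` without the `optlen < 2` check spins forever on a single packet, which is exactly the denial-of-service outcome the summary describes for this bug class.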

Vulnerable Configurations

Part  Description  Count
OS    Microsoft    15

Exploit-Db

  • description: MS Windows Malformed IP Options DoS Exploit (MS05-019). CVE-2004-0230, CVE-2004-0790, CVE-2004-1060, CVE-2005-0048, CVE-2005-0688. DoS exploit for the Windows platform
    id: EDB-ID:942
    last seen: 2016-01-31
    modified: 2005-04-17
    published: 2005-04-17
    reporter: Yuri Gushin
    source: https://www.exploit-db.com/download/942/
    title: Microsoft Windows - Malformed IP Options DoS Exploit MS05-019
  • description: Microsoft Windows 2000/XP Internet Protocol Validation Remote Code Execution Vulnerability (1). CVE-2005-0048. DoS exploit for the Windows platform
    id: EDB-ID:25383
    last seen: 2016-02-03
    modified: 2005-04-12
    published: 2005-04-12
    reporter: Song Liu
    source: https://www.exploit-db.com/download/25383/
    title: Microsoft Windows 2000/XP Internet Protocol Validation Remote Code Execution Vulnerability 1

Nessus

  • NASL family: Windows
    NASL id: SMB_KB893066.NASL
    description: The remote host runs a version of Windows that has a flaw in its TCP/IP stack. The flaw may allow an attacker to execute arbitrary code with SYSTEM privileges on the remote host or to perform a denial of service attack against the remote host. Proof of concept code is available to perform a denial of service attack against a vulnerable system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18028
    published: 2005-04-12
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18028
    title: MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution (893066) (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(18028);
     script_version("1.37");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     script_cve_id("CVE-2005-0048", "CVE-2004-0790", "CVE-2004-1060", "CVE-2004-0230", "CVE-2005-0688");
     script_bugtraq_id(13124, 13116);
     script_xref(name:"MSFT", value:"MS05-019");
     script_xref(name:"MSKB", value:"893066");
    
     script_name(english:"MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution (893066) (uncredentialed check)");
     script_summary(english:"Checks for hotfix KB893066");
    
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host due to a flaw in the
    TCP/IP stack.");
     script_set_attribute(attribute:"description", value:
    "The remote host runs a version of Windows that has a flaw in its
    TCP/IP stack.
    
    The flaw may allow an attacker to execute arbitrary code with SYSTEM
    privileges on the remote host or to perform a denial of service attack
    against the remote host.
    
    Proof of concept code is available to perform a denial of service
    attack against a vulnerable system.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-019");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000, XP and 2003.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2004/04/20");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/12");
    
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
    
     script_dependencies("tcp_seq_window.nasl", "os_fingerprint.nasl");
     script_require_keys("TCP/seq_window_flaw", "Host/OS", "Settings/ParanoidReport");
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    os = get_kb_item_or_exit("Host/OS") ;
    
    conf = get_kb_item_or_exit("Host/OS/Confidence");
    if (conf <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
    
    if ("Windows" >!< os) exit(0, "The host is not running Windows.");
    if ("Windows 4.0" >< os) exit(0, "Windows NT is not reported to be affected.");
    if ("Windows Server 2003 Service Pack" >< os) exit(0, "Windows 2003 SP1 and later are not reported to be affected.");
    
    if (ereg(pattern:"Windows (95|98|ME|XP|Server 2003)", string:os))
    {
      if (get_kb_item("TCP/seq_window_flaw"))
      {
       security_hole(port:get_kb_item("SMB/transport"));
       exit(0);
      }
      else exit(0, "The host is not affected.");
    }
    else exit(0, "The host is not running one of the versions of Windows reportedly affected.");
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS05-019.NASL
    description: The remote host runs a version of Windows that has a flaw in its TCP/IP stack. The flaw could allow an attacker to execute arbitrary code with SYSTEM privileges on the remote host, or to perform a denial of service attack against the remote host. Proof of concept code is available to perform a Denial of Service against a vulnerable system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18023
    published: 2005-04-12
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18023
    title: MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution (893066)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(18023);
     script_version("1.43");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     script_cve_id(
      "CVE-2004-0230",
      "CVE-2004-0790",
      "CVE-2004-1060",
      "CVE-2005-0048",
      "CVE-2005-0065",
      "CVE-2005-0066",
      "CVE-2005-0067",
      "CVE-2005-0068",
      "CVE-2005-0688"
     );
     script_bugtraq_id(13116, 13124, 13658);
     script_xref(name:"MSFT", value:"MS05-019");
     script_xref(name:"CERT", value:"222750");
     script_xref(name:"CERT", value:"233754");
     script_xref(name:"CERT", value:"396645");
     script_xref(name:"CERT", value:"415294");
     script_xref(name:"EDB-ID", value:"276");
     script_xref(name:"EDB-ID", value:"291");
     script_xref(name:"EDB-ID", value:"861");
     script_xref(name:"EDB-ID", value:"948");
     script_xref(name:"EDB-ID", value:"24030");
     script_xref(name:"EDB-ID", value:"24031");
     script_xref(name:"EDB-ID", value:"24032");
     script_xref(name:"EDB-ID", value:"24033");
     script_xref(name:"EDB-ID", value:"25383");
     script_xref(name:"EDB-ID", value:"25388");
     script_xref(name:"EDB-ID", value:"25389");
     script_xref(name:"MSKB", value:"893066");
    
     script_name(english:"MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution (893066)");
     script_summary(english:"Checks the remote registry for 893066");
    
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host due to a flaw in the
    TCP/IP stack.");
     script_set_attribute(attribute:"description", value:
    "The remote host runs a version of Windows that has a flaw in its TCP/IP
    stack.
    
    The flaw could allow an attacker to execute arbitrary code with SYSTEM
    privileges on the remote host, or to perform a denial of service attack
    against the remote host.
    
    Proof of concept code is available to perform a Denial of Service
    against a vulnerable system.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-019");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 2000, XP and
    2003.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/05");
     script_set_attribute(attribute:"patch_publication_date", value:"2005/04/12");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/12");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS05-019';
    kb = '893066';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'3,4', xp:'1,2', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      hotfix_is_vulnerable(os:"5.2", sp:0, file:"Tcpip.sys", version:"5.2.3790.336", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:1, file:"Tcpip.sys", version:"5.1.2600.1693", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:2, file:"Tcpip.sys", version:"5.1.2600.2685", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0", file:"Tcpip.sys", version:"5.0.2195.7049", dir:"\system32\drivers", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
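
The credentialed plugin above reaches its verdict by gating on the service pack range (Windows 2000 SP3-SP4, XP SP1-SP2, Server 2003 SP0) and then comparing the installed Tcpip.sys against the KB893066 builds it lists: 5.2.3790.336 for Server 2003, 5.1.2600.1693 and 5.1.2600.2685 for XP SP1 and SP2, 5.0.2195.7049 for Windows 2000. As an added example that is not Tenable's code, here is that decision rule in plain C with a numeric, field-by-field version compare; a plain string compare would rank 5.1.2600.999 above 5.1.2600.1693 and call a vulnerable host patched. The sample versions in main() are constructed for illustration, and the function and struct names are the example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed Tcpip.sys builds from KB893066 as listed by the plugin. os is the
 * Windows kernel version (5.0 = 2000, 5.1 = XP, 5.2 = Server 2003); sp is the
 * service pack the entry applies to, -1 meaning any in-scope SP. */
struct fixed_version {
    const char *os;
    int sp;
    const char *version;
};

static const struct fixed_version ms05_019_fixes[] = {
    { "5.2",  0, "5.2.3790.336"  },
    { "5.1",  1, "5.1.2600.1693" },
    { "5.1",  2, "5.1.2600.2685" },
    { "5.0", -1, "5.0.2195.7049" },
};

/* Parse "a.b.c.d" into four unsigned fields; missing trailing fields are 0.
 * Returns false for anything that is not digits separated by dots. */
static bool parse_version(const char *s, unsigned v[4])
{
    unsigned n = 0;
    const char *p = s;
    for (;;) {
        char *end;
        unsigned long x = strtoul(p, &end, 10);
        if (end == p || n == 4)
            return false;
        v[n++] = (unsigned)x;
        if (*end == '\0')
            break;
        if (*end != '.')
            return false;
        p = end + 1;
    }
    while (n < 4)
        v[n++] = 0;
    return true;
}

/* <0, 0, >0 like strcmp, but comparing each field as a number. */
static int compare_version(const unsigned a[4], const unsigned b[4])
{
    for (int i = 0; i < 4; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* Service pack ranges the plugin treats as in scope
 * (hotfix_check_sp_range with win2k:'3,4', xp:'1,2', win2003:'0'). */
static bool sp_in_scope(const char *os, int sp)
{
    if (strcmp(os, "5.0") == 0) return sp >= 3 && sp <= 4;
    if (strcmp(os, "5.1") == 0) return sp >= 1 && sp <= 2;
    if (strcmp(os, "5.2") == 0) return sp == 0;
    return false;
}

/* 1 = Tcpip.sys is older than the KB893066 build for this OS/SP (patch missing),
 * 0 = patched, or an OS/SP the bulletin does not cover, -1 = version unparsable. */
int tcpip_missing_ms05_019(const char *os, int sp, const char *file_version)
{
    unsigned have[4], fixed[4];
    if (!parse_version(file_version, have))
        return -1;
    if (!sp_in_scope(os, sp))
        return 0;
    for (size_t i = 0; i < sizeof ms05_019_fixes / sizeof ms05_019_fixes[0]; i++) {
        const struct fixed_version *f = &ms05_019_fixes[i];
        if (strcmp(f->os, os) != 0 || (f->sp != -1 && f->sp != sp))
            continue;
        if (!parse_version(f->version, fixed))
            return -1;
        return compare_version(have, fixed) < 0 ? 1 : 0;
    }
    return 0;
}

int main(void)
{
    /* Constructed samples: (os, sp, Tcpip.sys version) -> 1 missing, 0 not flagged */
    printf("XP SP2   5.1.2600.2180 : %d\n", tcpip_missing_ms05_019("5.1", 2, "5.1.2600.2180"));
    printf("XP SP2   5.1.2600.2685 : %d\n", tcpip_missing_ms05_019("5.1", 2, "5.1.2600.2685"));
    printf("XP SP2   5.1.2600.999  : %d\n", tcpip_missing_ms05_019("5.1", 2, "5.1.2600.999"));
    printf("2003 SP1 5.2.3790.1    : %d\n", tcpip_missing_ms05_019("5.2", 1, "5.2.3790.1"));
    printf("2000 SP4 5.0.2195.7000 : %d\n", tcpip_missing_ms05_019("5.0", 4, "5.0.2195.7000"));
    return 0;
}
```

Like the plugin, this returns 0 for Server 2003 SP1 and for XP RTM regardless of file version, because those are outside the bulletin's scope rather than patched; treat a 0 as "not flagged by this rule", not as proof the host is safe.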
    

Oval

  • accepted: 2011-05-16T04:01:43.341-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Dragos Prisaca
      organization: Gideon Technologies, Inc.
    • name: Brendan Miles
      organization: The MITRE Corporation
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allow remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:1744
    status: accepted
    submitted: 2005-08-18T04:00:00.000-04:00
    title: WinXP IP Validation Vulnerability
    version: 42
  • accepted: 2011-05-16T04:02:54.172-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allow remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:3824
    status: accepted
    submitted: 2005-04-22T12:00:00.000-04:00
    title: Win2k IP Validation Vulnerability
    version: 39
  • accepted: 2013-09-02T04:05:45.969-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Dragos Prisaca
      organization: G2, Inc.
    description: Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allow remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:4549
    status: accepted
    submitted: 2005-08-18T04:00:00.000-04:00
    title: Server 2003 IP Validation Vulnerability
    version: 41