Vulnerabilities > CVE-2005-0059 - Unspecified vulnerability in Microsoft products

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, low complexity, microsoft, critical, nessus, exploit available, metasploit

Summary

Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.

Vulnerable Configurations

Part  Description  Count
OS    Microsoft    17

Exploit-Db

  • description: Microsoft Message Queueing Service Path Overflow. CVE-2005-0059. Remote exploit for windows platform
    id: EDB-ID:16747
    last seen: 2016-02-02
    modified: 2010-05-09
    published: 2010-05-09
    reporter: metasploit
    source: https://www.exploit-db.com/download/16747/
    title: Microsoft Message Queueing Service Path Overflow
  • description: MS Windows Message Queuing BoF Universal Exploit (MS05-017) (v.0.3). CVE-2005-0059. Remote exploit for windows platform
    id: EDB-ID:1075
    last seen: 2016-01-31
    modified: 2005-06-29
    published: 2005-06-29
    reporter: houseofdabus
    source: https://www.exploit-db.com/download/1075/
    title: Microsoft Windows Message Queuing BoF Universal Exploit MS05-017 v.0.3

Metasploit

description: This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. The offset to the return address changes based on the length of the system hostname, so this must be provided via the 'HNAME' option. Much thanks to snort.org and Jean-Baptiste Marchand's excellent MSRPC website.
id: MSF:EXPLOIT/WINDOWS/DCERPC/MS05_017_MSMQ
last seen: 2020-01-16
modified: 2017-07-24
published: 2006-05-30
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0059
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/dcerpc/ms05_017_msmq.rb
title: MS05-017 Microsoft Message Queueing Service Path Overflow

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS05-017.NASL
    description: The remote version of Windows is affected by a vulnerability in Microsoft Message Queuing Service (MSMQ). An attacker could exploit this flaw to execute arbitrary code on the remote host with SYSTEM privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18021
    published: 2005-04-12
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18021
    title: MS05-017: Vulnerability in MSMQ Could Allow Code Execution (892944)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(18021);
     script_version("1.37");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     script_cve_id("CVE-2005-0059");
     script_bugtraq_id(13112);
     script_xref(name:"MSFT", value:"MS05-017");
     script_xref(name:"EDB-ID", value:"16747");
     script_xref(name:"EDB-ID", value:"1075");
     script_xref(name:"MSKB", value:"892944");
    
     script_name(english:"MS05-017: Vulnerability in MSMQ Could Allow Code Execution (892944)");
     script_summary(english:"Determines if hotfix 892944 has been installed");
    
     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows is affected by a vulnerability in
    Microsoft Message Queuing Service (MSMQ).
    
    An attacker could exploit this flaw to execute arbitrary code on the
    remote host with the SYSTEM privileges.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-017");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000 and XP.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'MS05-017 Microsoft Message Queueing Service Path Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/12");
     script_set_attribute(attribute:"patch_publication_date", value:"2005/04/12");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/12");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl" , "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS05-017';
    kb = '892944';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'3,4', xp:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      hotfix_is_vulnerable(os:"5.1", sp:1, file:"Mqqm.dll", version:"5.1.0.1044", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0", file:"Mqqm.dll", version:"5.0.0.798", dir:"\system32", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL family: Windows
    NASL id: MSMQS_OVERFLOW.NASL
    description: The remote version of Windows is affected by a vulnerability in Microsoft Message Queuing Service (MSMQ). An attacker may exploit this flaw to execute arbitrary code on the remote host with SYSTEM privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 18027
    published: 2005-04-12
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/18027
    title: MS05-017: Vulnerability in MSMQ Could Allow Code Execution (892944) (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Windows XP SP1 can be identified remotely without harm, not Windows 2000
    
    include("compat.inc");
    
    if (description)
    {
     script_id(18027);
     script_version("1.30");
     script_cvs_date("Date: 2018/11/15 20:50:27");
    
     script_cve_id("CVE-2005-0059");
     script_bugtraq_id(13112);
     script_xref(name:"MSFT", value:"MS05-017");
     script_xref(name:"MSKB", value:"892944");
    
     script_name(english:"MS05-017: Vulnerability in MSMQ Could Allow Code Execution (892944) (uncredentialed check)");
     script_summary(english:"Determines if hotfix 892944 has been installed");
    
     script_set_attribute(
      attribute:"synopsis",
      value:"Arbitrary code can be executed on the remote host."
     );
     script_set_attribute(attribute:"description", value:
    "The remote version of Windows is affected by a vulnerability in
    Microsoft Message Queuing Service (MSMQ).
    
    An attacker may exploit this flaw to execute arbitrary code on the
    remote host with SYSTEM privileges." );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-017");
     script_set_attribute(
      attribute:"solution",
      value:"Microsoft has released a set of patches for Windows ME, XP, and 2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'MS05-017 Microsoft Message Queueing Service Path Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/12");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/12");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
     script_dependencies("smb_nativelanman.nasl");
     script_require_keys("Host/OS/smb");
     script_require_ports(2103);
     exit(0);
    }
    
    #
    
    include ('smb_func.inc');
    
    # Strip the 24-byte DCE/RPC response header and return the stub data.
    # Returns NULL when the packet is shorter than the header or than the
    # fragment length it announces.
    function dce_rpc_parse_response2 (data)
    {
     local_var flag, len, alloc;

     if (strlen (data) < 24)
       return NULL;

     flag = get_byte (blob:data, pos:3);        # packet flags
     len = get_word (blob:data, pos:8) - 24;    # fragment length minus header
     alloc = get_dword (blob:data, pos:16);     # allocation hint

     if (strlen (data) < (24 + len))
       return NULL;

     return substr (data, 24, 24 + len - 1);
    }
    
    # Only Windows XP (5.1) is probed; Windows 2000 cannot be fingerprinted
    # safely this way (see the note at the top of the script).
    os = get_kb_item("Host/OS/smb");
    if ( "Windows 5.1" >!< os ) exit (0);
    
    port = 2103;
    if ( ! get_port_state(port) ) exit(0);
    soc = open_sock_tcp (port);
    if (!soc) exit (0);
    
    host_ip = get_host_ip();
    
    ret = dce_rpc_bind(cid:session_get_cid(), uuid:"fdb3a030-065f-11d1-bb9b-00a024ea5525", vers:1);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);
    
    if (!resp)
    {
     close (soc);
     exit (0);
    }
    
    ret = dce_rpc_parse_bind_ack (data:resp);
    if (isnull (ret) || (ret != 0))
    {
     close (soc);
     exit (0);
    }
    
    
    # Request stub for opnum 2: a counted (NDR) UTF-16LE queue format name,
    # "TCP:127.10.10.103\PRIVATE$\nessus" (0x22 wide chars including the
    # terminator), followed by the remaining request bytes. The status code
    # the service returns for this harmless request reveals the patch level.
    data = raw_string (
            0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x12, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
            0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00, 0x00, 0x54, 0x00, 0x43, 0x00,
            0x50, 0x00, 0x3A, 0x00, 0x31, 0x00, 0x32, 0x00, 0x37, 0x00, 0x2E, 0x00, 0x31, 0x00, 0x30, 0x00,
            0x2E, 0x00, 0x31, 0x00, 0x30, 0x00, 0x2E, 0x00, 0x31, 0x00, 0x30, 0x00, 0x33, 0x00, 0x5C, 0x00,
            0x50, 0x00, 0x52, 0x00, 0x49, 0x00, 0x56, 0x00, 0x41, 0x00, 0x54, 0x00, 0x45, 0x00, 0x24, 0x00,
            0x5C, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x73, 0x00, 0x73, 0x00, 0x75, 0x00, 0x73, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x06, 0x01, 0x11, 0x1b, 0x1e,
            0x0c, 0x09, 0x0d, 0x00, 0x08, 0x1b, 0x17, 0x05, 0x12, 0x07, 0x0f, 0x10, 0x0d, 0x1a, 0x11, 0x1a
    );
    
    ret = dce_rpc_request (code:0x02, data:data);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);
    
    close (soc);
    
    resp = dce_rpc_parse_response2 (data:resp);
    if (strlen(resp) != 36)
      exit (0);
    
    # The last dword of the stub is the MQ status code:
    #   patched     = 0xC00E0045
    #   not patched = 0xC00E0003

    val = get_dword (blob:resp, pos:strlen(resp)-4);
    if (val == 0xC00E0003)
      security_hole(port);
    

Oval

  • accepted: 2011-05-16T04:02:58.120-04:00
    class: vulnerability
    contributors:
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.
    family: windows
    id: oval:org.mitre.oval:def:4384
    status: accepted
    submitted: 2005-05-02T12:00:00.000-04:00
    title: Windows XP Message Queuing Buffer Overflow
    version: 69
  • accepted: 2011-05-16T04:03:08.282-04:00
    class: vulnerability
    contributors:
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Andrew Buttner
      organization: The MITRE Corporation
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.
    family: windows
    id: oval:org.mitre.oval:def:4988
    status: accepted
    submitted: 2005-05-02T12:00:00.000-04:00
    title: Windows 2000 Message Queuing Buffer Overflow
    version: 69

Packetstorm

data source: https://packetstormsecurity.com/files/download/82964/ms05_017_msmq.rb.txt
id: PACKETSTORM:82964
last seen: 2016-12-05
published: 2009-11-26
reporter: H D Moore
source: https://packetstormsecurity.com/files/82964/Microsoft-Message-Queueing-Service-Path-Overflow.html
title: Microsoft Message Queueing Service Path Overflow

Saint

bid: 13112
description: Microsoft Message Queuing buffer overflow
id: win_patch_msmq
osvdb: 15458
title: windows_message_queuing
type: remote

Seebug

bulletinFamily: exploit
description:
  Vulnerability description:
  Microsoft Message Queuing technology lets applications that run at different times communicate across heterogeneous networks and across systems that may be temporarily offline. The Microsoft Message Queuing implementation contains a remote code execution vulnerability that a remote attacker could exploit to take control of the system. The vulnerability is caused by an unchecked buffer in the Message Queuing component. An attacker who successfully exploited this vulnerability could take complete control of the affected system, and could then install programs; view, change or delete data; or create new accounts with full privileges.
  Affected:
  Microsoft Windows XP Tablet PC Edition SP1
  Microsoft Windows XP Tablet PC Edition
  Microsoft Windows XP Professional SP1
  Microsoft Windows XP Professional
  Microsoft Windows XP Media Center Edition SP1
  Microsoft Windows XP Media Center Edition
  Microsoft Windows XP Home SP1
  Microsoft Windows XP Home
  Microsoft Windows XP Embedded SP1
  Microsoft Windows XP Embedded
  Microsoft Windows XP 64-bit Edition Version 2003 SP1
  Microsoft Windows XP 64-bit Edition Version 2003
  Microsoft Windows XP 64-bit Edition SP1
  Microsoft Windows XP 64-bit Edition
  Microsoft Windows 98SE
  Microsoft Windows 98 SP1
  Microsoft Windows 98 j
  Microsoft Windows 98 b
  Microsoft Windows 98 a
  Microsoft Windows 98
  Microsoft Windows 2000 Server SP4
  Microsoft Windows 2000 Server SP3
  Microsoft Windows 2000 Server SP2
  Microsoft Windows 2000 Server SP1
  Microsoft Windows 2000 Server
  + Avaya DefinityOne Media Servers
  + Avaya IP600 Media Servers
  + Avaya S3400 Message Application Server 0
  + Avaya S8100 Media Servers 0
  Microsoft Windows 2000 Professional SP4
  Microsoft Windows 2000 Professional SP3
  Microsoft Windows 2000 Professional SP2
  Microsoft Windows 2000 Professional SP1
  Microsoft Windows 2000 Professional
  Microsoft Windows 2000 Datacenter Server SP4
  Microsoft Windows 2000 Datacenter Server SP3
  Microsoft Windows 2000 Datacenter Server SP2
  Microsoft Windows 2000 Datacenter Server SP1
  Microsoft Windows 2000 Datacenter Server
  Microsoft Windows 2000 Advanced Server SP4
  Microsoft Windows 2000 Advanced Server SP3
  Microsoft Windows 2000 Advanced Server SP2
  Microsoft Windows 2000 Advanced Server SP1
  Microsoft Windows 2000 Advanced Server
  CVE-ID: CVE-2005-0059
  CNNVD-ID: CNNVD-200505-470
  CNVD-ID: CNVD-2005-0868
  Solution:
  Microsoft
  ---------
  Microsoft has released a security bulletin (MS05-017) and corresponding patches:
  MS05-017: Vulnerability in Message Queuing Could Allow Code Execution (892944)
  Link: http://www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
  Patch downloads:
  Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 - http://www.microsoft.com/downloads/details.aspx?FamilyId=99A8EE12-4BD6-43F5-A43F-124E0E2C2283
  Microsoft Windows XP Service Pack 1 - http://www.microsoft.com/downloads/details.aspx?FamilyId=D72B7198-93A8-4652-B505-8E51FC5EEAC3
  Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) - http://www.microsoft.com/downloads/details.aspx?FamilyId=9124BA48-73A8-4C94-AA46-CE9A9D1E1198
id: SSV:13663
last seen: 2017-11-19
modified: 2005-06-29
published: 2005-06-29
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-13663
title: MS Windows Message Queuing BoF Universal Exploit (MS05-017) (v.0.3)