CVE-2005-0059 - Buffer overflow in Microsoft Message Queuing (MS05-017)
Attack vector | NETWORK
Attack complexity | LOW
Privileges required | NONE
Confidentiality impact | COMPLETE
Integrity impact | COMPLETE
Availability impact | COMPLETE

Summary
Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.
Vulnerable Configurations
Part | Description | Count
---|---|---
OS | | 17
Exploit-Db
description | Microsoft Message Queueing Service Path Overflow. CVE-2005-0059. Remote exploit for windows platform
id | EDB-ID:16747
last seen | 2016-02-02
modified | 2010-05-09
published | 2010-05-09
reporter | metasploit
source | https://www.exploit-db.com/download/16747/
title | Microsoft Message Queueing Service Path Overflow

description | MS Windows Message Queuing BoF Universal Exploit (MS05-017) (v.0.3). CVE-2005-0059. Remote exploit for windows platform
id | EDB-ID:1075
last seen | 2016-01-31
modified | 2005-06-29
published | 2005-06-29
reporter | houseofdabus
source | https://www.exploit-db.com/download/1075/
title | Microsoft Windows Message Queuing BoF Universal Exploit MS05-017 v.0.3
Metasploit
description | This module exploits a stack buffer overflow in the RPC interface to the Microsoft Message Queueing service. The offset to the return address changes based on the length of the system hostname, so this must be provided via the 'HNAME' option. Much thanks to snort.org and Jean-Baptiste Marchand's excellent MSRPC website. |
id | MSF:EXPLOIT/WINDOWS/DCERPC/MS05_017_MSMQ |
last seen | 2020-01-16 |
modified | 2017-07-24 |
published | 2006-05-30 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0059 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/dcerpc/ms05_017_msmq.rb |
title | MS05-017 Microsoft Message Queueing Service Path Overflow |
Nessus
NASL family | Windows : Microsoft Bulletins
NASL id | SMB_NT_MS05-017.NASL
description | The remote version of Windows is affected by a vulnerability in Microsoft Message Queuing Service (MSMQ). An attacker could exploit this flaw to execute arbitrary code on the remote host with SYSTEM privileges.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 18021
published | 2005-04-12
reporter | This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/18021
title | MS05-017: Vulnerability in MSMQ Could Allow Code Execution (892944)
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(18021);
  script_version("1.37");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  script_cve_id("CVE-2005-0059");
  script_bugtraq_id(13112);
  script_xref(name:"MSFT", value:"MS05-017");
  script_xref(name:"EDB-ID", value:"16747");
  script_xref(name:"EDB-ID", value:"1075");
  script_xref(name:"MSKB", value:"892944");

  script_name(english:"MS05-017: Vulnerability in MSMQ Could Allow Code Execution (892944)");
  script_summary(english:"Determines if hotfix 892944 has been installed");

  script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
  script_set_attribute(attribute:"description", value:
"The remote version of Windows is affected by a vulnerability in
Microsoft Message Queuing Service (MSMQ).

An attacker could exploit this flaw to execute arbitrary code on the
remote host with SYSTEM privileges.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-017");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000 and XP.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS05-017 Microsoft Message Queueing Service Path Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/04/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows : Microsoft Bulletins");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');
  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS05-017';
kb = '892944';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only Windows 2000 SP3/SP4 and Windows XP SP1 have a fix for this bulletin.
if (hotfix_check_sp_range(win2k:'3,4', xp:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Vulnerable if the installed Mqqm.dll is older than the hotfix build.
if (
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Mqqm.dll", version:"5.1.0.1044", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Mqqm.dll", version:"5.0.0.798", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
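The credentialed check above reduces to two decisions: is the host at a service-pack level the bulletin shipped a fix for (Windows 2000 SP3/SP4, Windows XP SP1), and is the installed Mqqm.dll older than the hotfix build. The following Python is an added example, not Tenable's plugin code or any project's, that mirrors that logic over a constructed host inventory. The fixed file versions and the SP gate come from the plugin; the `Host` record, the status labels and the inventory entries are assumptions made for illustration. It also shows why the version comparison has to be numeric per component: as strings, "5.1.0.998" sorts after "5.1.0.1044", which would mark a pre-hotfix build as patched.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fixed Mqqm.dll builds from the Nessus plugin; a host whose file is older is
# missing hotfix 892944. Keyed by (NT version, service pack).
FIXED_MQQM_VERSION = {
    ("5.1", 1): "5.1.0.1044",  # Windows XP SP1
    ("5.0", 3): "5.0.0.798",   # Windows 2000 SP3
    ("5.0", 4): "5.0.0.798",   # Windows 2000 SP4
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.1.0.1044' -> (5, 1, 0, 1044): components compare as integers."""
    return tuple(int(part) for part in v.strip().split("."))


def version_lt(a: str, b: str) -> bool:
    """True when file version a is older than b, component by component.
    Shorter versions are zero-padded so '5.1' compares equal to '5.1.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


@dataclass
class Host:  # assumed inventory record, not a Nessus structure
    name: str
    nt_version: str              # "5.0" = Windows 2000, "5.1" = Windows XP
    service_pack: int
    mqqm_version: Optional[str]  # None = %SystemRoot%\system32\Mqqm.dll absent


def ms05_017_status(host: Host) -> str:
    """Labels are this example's own: vulnerable, patched, no_msmq, out_of_scope."""
    fixed = FIXED_MQQM_VERSION.get((host.nt_version, host.service_pack))
    if fixed is None:
        # Same gate as hotfix_check_sp_range(win2k:'3,4', xp:'1'): the plugin only
        # evaluates SP levels the bulletin shipped a fix for. XP SP2 is not affected;
        # Windows 2000 below SP3 is unsupported by the fix, not known to be safe.
        return "out_of_scope"
    if host.mqqm_version is None:
        # No Mqqm.dll means MSMQ is not installed; the plugin reports nothing.
        return "no_msmq"
    return "vulnerable" if version_lt(host.mqqm_version, fixed) else "patched"


def scan(hosts: List[Host]) -> Dict[str, str]:
    return {h.name: ms05_017_status(h) for h in hosts}


# Constructed inventory for the demonstration; the file versions are illustrative.
SAMPLE_HOSTS = [
    Host("xp-sp1-old", "5.1", 1, "5.1.0.998"),    # pre-hotfix build
    Host("xp-sp1-new", "5.1", 1, "5.1.0.1044"),   # hotfix build
    Host("xp-sp2", "5.1", 2, "5.1.2600.2180"),    # SP2: outside the plugin's gate
    Host("w2k-sp4", "5.0", 4, "5.0.0.797"),
    Host("w2k-sp3-nomsmq", "5.0", 3, None),
]

if __name__ == "__main__":
    for name, status in scan(SAMPLE_HOSTS).items():
        print(f"{name:16} {status}")
```

The `out_of_scope` label is deliberately distinct from `patched`: the plugin's audit message says "not affected" for every host outside its SP gate, and a practitioner reading results for a Windows 2000 SP2 fleet should not take that as a clean bill of health.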
NASL family | Windows
NASL id | MSMQS_OVERFLOW.NASL
description | The remote version of Windows is affected by a vulnerability in Microsoft Message Queuing Service (MSMQ). An attacker may exploit this flaw to execute arbitrary code on the remote host with SYSTEM privileges.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 18027
published | 2005-04-12
reporter | This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/18027
title | MS05-017: Vulnerability in MSMQ Could Allow Code Execution (892944) (uncredentialed check)
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#
# Windows XP SP1 can be identified remotely without harm, not Windows 2000

include("compat.inc");

if (description)
{
  script_id(18027);
  script_version("1.30");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  script_cve_id("CVE-2005-0059");
  script_bugtraq_id(13112);
  script_xref(name:"MSFT", value:"MS05-017");
  script_xref(name:"MSKB", value:"892944");

  script_name(english:"MS05-017: Vulnerability in MSMQ Could Allow Code Execution (892944) (uncredentialed check)");
  script_summary(english:"Determines if hotfix 892944 has been installed");

  script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
  script_set_attribute(attribute:"description", value:
"The remote version of Windows is affected by a vulnerability in
Microsoft Message Queuing Service (MSMQ).

An attacker may exploit this flaw to execute arbitrary code on the
remote host with SYSTEM privileges.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-017");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000 and XP.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS05-017 Microsoft Message Queueing Service Path Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/12");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows");

  script_dependencies("smb_nativelanman.nasl");
  script_require_keys("Host/OS/smb");
  script_require_ports(2103);
  exit(0);
}

#

include('smb_func.inc');

# Returns the stub data of a DCE/RPC response PDU (everything after the
# 24-byte response header), or NULL if the PDU is truncated.
function dce_rpc_parse_response2(data)
{
  local_var resp, flag, len, alloc, tmp, dat;

  if (strlen(data) < 24)
    return NULL;

  flag  = get_byte(blob:data, pos:3);
  len   = get_word(blob:data, pos:8) - 24;   # frag_length minus the header
  alloc = get_dword(blob:data, pos:16);

  if (strlen(data) < (24 + len))
    return NULL;

  return substr(data, 24, 24 + len - 1);
}

# Only probe hosts fingerprinted as Windows XP; the check is not safe on Windows 2000.
os = get_kb_item("Host/OS/smb");
if ("Windows 5.1" >!< os) exit(0);

port = 2103;
if (!get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if (!soc) exit(0);

host_ip = get_host_ip();

# Bind to the MSMQ qmcomm RPC interface.
ret = dce_rpc_bind(cid:session_get_cid(), uuid:"fdb3a030-065f-11d1-bb9b-00a024ea5525", vers:1);
send(socket:soc, data:ret);
resp = recv(socket:soc, length:4096);
if (!resp)
{
  close(soc);
  exit(0);
}

ret = dce_rpc_parse_bind_ack(data:resp);
if (isnull(ret) || (ret != 0))
{
  close(soc);
  exit(0);
}

# Opnum 2 stub carrying the queue format name "TCP:127.10.10.103\PRIVATE$\nessus"
# as a counted UTF-16LE string (max count 0x22, offset 0, actual count 0x22).
data = raw_string(
  0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x12, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00,
  0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00, 0x00,
  0x54, 0x00, 0x43, 0x00, 0x50, 0x00, 0x3A, 0x00,                                     # T C P :
  0x31, 0x00, 0x32, 0x00, 0x37, 0x00, 0x2E, 0x00, 0x31, 0x00, 0x30, 0x00, 0x2E, 0x00,   # 1 2 7 . 1 0 .
  0x31, 0x00, 0x30, 0x00, 0x2E, 0x00, 0x31, 0x00, 0x30, 0x00, 0x33, 0x00,               # 1 0 . 1 0 3
  0x5C, 0x00, 0x50, 0x00, 0x52, 0x00, 0x49, 0x00, 0x56, 0x00, 0x41, 0x00, 0x54, 0x00,   # \ P R I V A T
  0x45, 0x00, 0x24, 0x00,                                                             # E $
  0x5C, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x73, 0x00, 0x73, 0x00, 0x75, 0x00, 0x73, 0x00,   # \ n e s s u s
  0x00, 0x00,                                                                         # terminator
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x0b, 0x06, 0x01, 0x11, 0x1b, 0x1e, 0x0c, 0x09, 0x0d, 0x00, 0x08, 0x1b,
  0x17, 0x05, 0x12, 0x07, 0x0f, 0x10, 0x0d, 0x1a, 0x11, 0x1a
);

ret = dce_rpc_request(code:0x02, data:data);
send(socket:soc, data:ret);
resp = recv(socket:soc, length:4096);
close(soc);

resp = dce_rpc_parse_response2(data:resp);
if (strlen(resp) != 36) exit(0);

# patched     = 0xC00E0045
# not patched = 0xC00E0003
val = get_dword(blob:resp, pos:strlen(resp) - 4);
if (val == 0xC00E0003) security_hole(port);
```
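The uncredentialed plugin does not inspect a file; it talks DCE/RPC to the MSMQ service on TCP 2103, binds the qmcomm interface, issues opnum 2 with a queue format name, and reads the MSMQ status code at the end of the 36-byte reply: 0xC00E0003 means the pre-hotfix code path answered, 0xC00E0045 the patched one. The Python below is an added example, not Tenable's code or any project's, that rebuilds that exchange with the `struct` module so each PDU can be inspected and the parsing path unit-tested offline. The interface UUID, opnum, stub bytes and status codes are taken from the plugin; the DCE/RPC framing follows the standard connection-oriented PDU layout (16-byte common header, 72-byte bind, 24-byte request and response headers, little-endian status DWORD); the three sample server messages are constructed, not captured. As in the plugin, the live `probe()` should only be pointed at hosts already fingerprinted as Windows XP.

```python
import socket
import struct
import uuid
from typing import Optional

MSMQ_PORT = 2103
# MSMQ qmcomm RPC interface v1.0; UUID and opnum 2 are taken from the plugin.
QMCOMM_UUID = uuid.UUID("fdb3a030-065f-11d1-bb9b-00a024ea5525")
# NDR transfer syntax v2.0, negotiated in every DCE/RPC bind.
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
PTYPE_REQUEST, PTYPE_RESPONSE, PTYPE_BIND, PTYPE_BIND_ACK = 0, 2, 11, 12
PFC_FIRST_LAST = 0x03
DREP_LE = b"\x10\x00\x00\x00"      # little-endian integers, ASCII, IEEE floats
STATUS_NOT_PATCHED = 0xC00E0003    # MSMQ status codes quoted in the plugin
STATUS_PATCHED = 0xC00E0045
# Opnum 2 stub exactly as the plugin sends it: fixed leading bytes, a counted
# UTF-16LE queue format name (max count 34, offset 0, actual count 34), ten
# zero bytes and a trailing run copied verbatim from the plugin.
OPNUM2_STUB = bytes.fromhex(
    "00000200 03001200 03000000 00000200"
    "22000000 00000000 22000000"
    + "TCP:127.10.10.103\\PRIVATE$\\nessus\0".encode("utf-16-le").hex()
    + "00000000 00000000 0000"
    "0b060111 1b1e0c09 0d00081b 17051207 0f100d1a 111a"
)

def dcerpc_header(ptype: int, frag_length: int, call_id: int = 1) -> bytes:
    """16-byte common header: version 5.0, single fragment, LE data representation."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, PFC_FIRST_LAST, DREP_LE, frag_length, 0, call_id)

def build_bind(call_id: int = 1) -> bytes:
    """Bind PDU with one presentation context: qmcomm v1.0 over NDR v2.0 (72 bytes)."""
    body = struct.pack("<HHI", 4280, 4280, 0)   # max xmit/recv fragment, assoc group
    body += struct.pack("<BBH", 1, 0, 0)        # one context element
    body += struct.pack("<HBB", 0, 1, 0)        # context id 0, one transfer syntax
    body += QMCOMM_UUID.bytes_le + struct.pack("<HH", 1, 0)
    body += NDR_UUID.bytes_le + struct.pack("<HH", 2, 0)
    return dcerpc_header(PTYPE_BIND, 16 + len(body), call_id) + body

def build_request(opnum: int, stub: bytes, call_id: int = 2) -> bytes:
    """Request PDU: alloc_hint, context id 0, opnum, then the NDR stub."""
    body = struct.pack("<IHH", len(stub), 0, opnum) + stub
    return dcerpc_header(PTYPE_REQUEST, 16 + len(body), call_id) + body

def parse_bind_ack(pdu: bytes) -> bool:
    """True if the server accepted context 0 (result code 0 in the bind_ack)."""
    if len(pdu) < 26 or pdu[2] != PTYPE_BIND_ACK:
        return False
    off = 26 + struct.unpack_from("<H", pdu, 24)[0]   # skip the secondary address
    off += (-off) % 4                                  # result list is 4-byte aligned
    if len(pdu) < off + 6 or pdu[off] < 1:
        return False
    return struct.unpack_from("<H", pdu, off + 4)[0] == 0

def parse_response_stub(pdu: bytes) -> Optional[bytes]:
    """Mirror of dce_rpc_parse_response2: the stub after the 24-byte response header."""
    if len(pdu) < 24 or pdu[2] != PTYPE_RESPONSE:
        return None
    stub_len = struct.unpack_from("<H", pdu, 8)[0] - 24   # frag_length minus header
    if stub_len < 0 or len(pdu) < 24 + stub_len:
        return None
    return pdu[24:24 + stub_len]

def classify(stub: Optional[bytes]) -> str:
    """The plugin's decision: a 36-byte stub whose last DWORD is the MSMQ status."""
    if stub is None or len(stub) != 36:
        return "unknown"
    status = struct.unpack_from("<I", stub, 32)[0]
    return {STATUS_NOT_PATCHED: "vulnerable", STATUS_PATCHED: "patched"}.get(status, "unknown")

def probe(host: str, port: int = MSMQ_PORT, timeout: float = 5.0) -> str:
    """Live exchange; only use against hosts fingerprinted as Windows XP, as the plugin does."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind())
        if not parse_bind_ack(sock.recv(4096)):
            return "unknown"
        sock.sendall(build_request(2, OPNUM2_STUB))
        return classify(parse_response_stub(sock.recv(4096)))

# Constructed server messages (not captured traffic) so the parsing path runs offline.
def _sample_bind_ack() -> bytes:
    sec_addr = b"2103\0"
    body = struct.pack("<HHI", 4280, 4280, 1) + struct.pack("<H", len(sec_addr)) + sec_addr
    body += b"\0" * ((-(16 + len(body))) % 4)
    body += struct.pack("<BBH", 1, 0, 0) + struct.pack("<HH", 0, 0)   # one result: accepted
    body += NDR_UUID.bytes_le + struct.pack("<HH", 2, 0)
    return dcerpc_header(PTYPE_BIND_ACK, 16 + len(body)) + body

def _sample_response(status: int) -> bytes:
    stub = b"\0" * 32 + struct.pack("<I", status)
    body = struct.pack("<IHBB", len(stub), 0, 0, 0) + stub   # alloc_hint, ctx id, cancel count, pad
    return dcerpc_header(PTYPE_RESPONSE, 16 + len(body)) + body

SAMPLE_BIND_ACK = _sample_bind_ack()
SAMPLE_RESPONSE_UNPATCHED = _sample_response(STATUS_NOT_PATCHED)
SAMPLE_RESPONSE_PATCHED = _sample_response(STATUS_PATCHED)

if __name__ == "__main__":
    print("bind accepted:", parse_bind_ack(SAMPLE_BIND_ACK))
    print("unpatched sample:", classify(parse_response_stub(SAMPLE_RESPONSE_UNPATCHED)))
    print("patched sample:", classify(parse_response_stub(SAMPLE_RESPONSE_PATCHED)))
```

Two details worth keeping when adapting this: the response is judged by its stub length and last DWORD only, so a fault PDU or a short reply returns "unknown" rather than a false negative, and the bind_ack parser honours the 4-byte alignment after the variable-length secondary address, which is where hand-rolled DCE/RPC parsers most often read the wrong result code.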
Oval
id | oval:org.mitre.oval:def:4384
title | Windows XP Message Queuing Buffer Overflow
description | Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.
class | vulnerability
family | windows
status | accepted
submitted | 2005-05-02T12:00:00.000-04:00
accepted | 2011-05-16T04:02:58.120-04:00
version | 69
contributors | Ingrid Skoog (The MITRE Corporation); John Hoyland (Centennial Software); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.)

id | oval:org.mitre.oval:def:4988
title | Windows 2000 Message Queuing Buffer Overflow
description | Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.
class | vulnerability
family | windows
status | accepted
submitted | 2005-05-02T12:00:00.000-04:00
accepted | 2011-05-16T04:03:08.282-04:00
version | 69
contributors | Ingrid Skoog (The MITRE Corporation); Christine Walzer (The MITRE Corporation); Andrew Buttner (The MITRE Corporation); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.)
Packetstorm
data source | https://packetstormsecurity.com/files/download/82964/ms05_017_msmq.rb.txt |
id | PACKETSTORM:82964 |
last seen | 2016-12-05 |
published | 2009-11-26 |
reporter | H D Moore |
source | https://packetstormsecurity.com/files/82964/Microsoft-Message-Queueing-Service-Path-Overflow.html |
title | Microsoft Message Queueing Service Path Overflow |
Saint
bid | 13112 |
description | Microsoft Message Queuing buffer overflow |
id | win_patch_msmq |
osvdb | 15458 |
title | windows_message_queuing |
type | remote |
Seebug
bulletinFamily | exploit |
description | Vulnerability description:
Microsoft Message Queuing lets applications that run at different times communicate across heterogeneous networks and with systems that are temporarily offline. Microsoft's Message Queuing implementation contains a remote code execution vulnerability that a remote attacker could exploit to take control of the system. The flaw is caused by an unchecked buffer in the Message Queuing component. An attacker who successfully exploited it could take complete control of the affected system and could then install programs; view, change, or delete data; or create new accounts with full privileges.

Affected versions:
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Embedded SP1
Microsoft Windows XP Embedded
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows 98SE
Microsoft Windows 98 SP1
Microsoft Windows 98 j
Microsoft Windows 98 b
Microsoft Windows 98 a
Microsoft Windows 98
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
CVE-ID: CVE-2005-0059
CNNVD-ID: CNNVD-200505-470
CNVD-ID: CNVD-2005-0868

Solution:
Microsoft
---------
Microsoft has released a security bulletin (MS05-017) and the corresponding patches:
MS05-017: Vulnerability in Message Queuing Could Allow Code Execution (892944)
Link: http://www.microsoft.com/technet/security/Bulletin/MS05-017.mspx
Patch downloads:
Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 - http://www.microsoft.com/downloads/details.aspx?FamilyId=99A8EE12-4BD6-43F5-A43F-124E0E2C2283
Microsoft Windows XP Service Pack 1 - http://www.microsoft.com/downloads/details.aspx?FamilyId=D72B7198-93A8-4652-B505-8E51FC5EEAC3
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) - http://www.microsoft.com/downloads/details.aspx?FamilyId=9124BA48-73A8-4C94-AA46-CE9A9D1E1198
id | SSV:13663 |
last seen | 2017-11-19 |
modified | 2005-06-29 |
published | 2005-06-29 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-13663 |
title | MS Windows Message Queuing BoF Universal Exploit (MS05-017) (v.0.3) |