CVE-2005-0551 - Stack-based buffer overflow in CSRSS (WINSRV.DLL) on Microsoft Windows 2000, Windows XP and Windows Server 2003 (MS05-018, local privilege escalation)

CVSS 10.0 - CRITICAL (as recorded on this page; this score and the NETWORK attack vector listed below do not match the vulnerability itself — the Summary describes a local privilege escalation, and the Nessus plugin's own base vector is AV:L/AC:L/Au:N/C:C/I:C/A:C — so treat the metrics here as unreliable and prioritise using a local-access profile)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value. Practitioner note: this is a local escalation — the attacker must already be able to run code on the host as some user; the overflow is triggered inside the CSRSS process rather than in the attacker's own process, which is why it yields a privilege gain. The fix is the MS05-018 update (KB 890859). A public exploit exists (EDB-ID 1198), so on unpatched hosts any low-privileged foothold should be assumed to escalate to full control.

Vulnerable Configurations

Part: OS — Description: Microsoft — Count: 4 (most likely the four platform/service-pack combinations the Nessus check below tests individually: Windows 2000, XP SP1, XP SP2 and Server 2003 — confirm against the CPE list)

Exploit-Db

description: MS Windows CSRSS Local Privilege Escalation Exploit (MS05-018). CVE-2005-0551. Local exploit for windows platform
id: EDB-ID:1198
last seen: 2016-01-31
modified: 2005-09-06
published: 2005-09-06
reporter: eyas
source: https://www.exploit-db.com/download/1198/
title: Microsoft Windows - CSRSS Local Privilege Escalation Exploit MS05-018

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS05-018.NASL
description: The remote host contains a version of the Windows kernel that is vulnerable to a security flaw that could allow a local user to elevate his privileges or to crash the remote host (therefore causing a denial of service).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18022
published: 2005-04-12
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18022
title: MS05-018: Vulnerabilities in Windows Kernel (890859)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Plugin identity and version bookkeeping.
  script_id(18022);
  script_version("1.40");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  # MS05-018 (KB 890859) addressed four issues; all four CVEs are reported
  # by this single plugin because one update fixes them all.
  script_cve_id("CVE-2005-0060", "CVE-2005-0061", "CVE-2005-0550", "CVE-2005-0551");
  script_bugtraq_id(13109, 13110, 13115, 13121);
  script_xref(name:"MSFT", value:"MS05-018");
  script_xref(name:"MSKB", value:"890859");
  script_xref(name:"EDB-ID", value:"1198");

  script_name(english:"MS05-018: Vulnerabilities in Windows Kernel (890859)");
  script_summary(english:"Checks the remote registry for 890859");

  # Report text. The multi-line literals are kept exactly as the report
  # expects them (double quotes: no escape processing in NASL).
  script_set_attribute(attribute:"synopsis", value:
"A local user can elevate his privileges on the remote host.");
  script_set_attribute(attribute:"description", value:
"The remote host contains a version of the Windows kernel that is
vulnerable to a security flaw that could allow a local user to elevate
his privileges or to crash the remote host (therefore causing a denial
of service).");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-018");

  # Scoring: AV:L because this is a local privilege escalation. The
  # scanner itself reaches the host over SMB, but the flaw needs code
  # already running on the target. Exploit is public (E:F).
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  # Disclosure, patch and plugin all landed on the same day (patch Tuesday).
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/04/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/04/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  # Needs the SMB hotfix framework to have run first, and either the SMB
  # ports or a third-party patch-management data source.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");
  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Leave immediately unless the hotfix framework decided a bulletin check
# is feasible against this host.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS05-018';
kb = '890859';
kbs = make_list(kb);

# When a third-party patch-management source reported on this host, let
# it answer first (it exits on its own if it has a verdict).
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# Otherwise we need registry and OS-version data gathered over SMB.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# In scope: Windows 2000 SP3/SP4, XP SP1/SP2, Server 2003 RTM only.
if (hotfix_check_sp_range(win2k:'3,4', xp:'1,2', win2003:'0') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

sysroot = hotfix_get_systemroot();
if (!sysroot) exit(1, "Failed to get the system root.");

admin_share = hotfix_path2share(path:sysroot);
if (!is_accessible_share(share:admin_share)) audit(AUDIT_SHARE_FAIL, admin_share);

# Authz.dll is used as the version marker for this bulletin (presumably
# taken from the KB 890859 file manifest — confirm against the bulletin).
# A build older than the listed one means the update is not installed.
# Only the entry matching the host's OS/SP can fire, so order is immaterial.
missing =
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Authz.dll", version:"5.2.3790.274", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Authz.dll", version:"5.1.2600.1634", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"Authz.dll", version:"5.1.2600.2622", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Authz.dll", version:"5.0.2195.7028", dir:"\system32", bulletin:bulletin, kb:kb);

if (!missing)
{
  # Release the file-version check state before auditing out.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

# Patch missing: record it for other plugins, report, then clean up.
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);

Oval

  • accepted: 2005-06-22T12:38:00.000-04:00
    class: vulnerability
    contributors:
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: Christine Walzer
      organization: The MITRE Corporation
    description: Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.
    family: windows
    id: oval:org.mitre.oval:def:1822
    status: accepted
    submitted: 2005-05-02T12:00:00.000-04:00
    title: Server 2003 CSRSS Privilege Escalation Vulnerability
    version: 64
  • accepted: 2011-05-16T04:02:34.778-04:00
    class: vulnerability
    contributors:
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Dragos Prisaca
      organization: Gideon Technologies, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.
    family: windows
    id: oval:org.mitre.oval:def:266
    status: accepted
    submitted: 2005-05-02T12:00:00.000-04:00
    title: Windows XP (SP2) CSRSS Privilege Escalation Vulnerability
    version: 69
  • accepted: 2011-05-16T04:02:49.708-04:00
    class: vulnerability
    contributors:
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.
    family: windows
    id: oval:org.mitre.oval:def:3544
    status: accepted
    submitted: 2005-05-02T12:00:00.000-04:00
    title: Windows XP CSRSS Privilege Escalation Vulnerability
    version: 70
  • accepted: 2011-05-16T04:03:26.716-04:00
    class: vulnerability
    contributors:
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Andrew Buttner
      organization: The MITRE Corporation
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.
    family: windows
    id: oval:org.mitre.oval:def:777
    status: accepted
    submitted: 2005-05-02T12:00:00.000-04:00
    title: Windows 2000 CSRSS Privilege Escalation Vulnerability
    version: 69