Vulnerabilities > CVE-2005-1219 - Buffer Overflow vulnerability in Microsoft Windows Color Management Module ICC Profile

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
exploit available

Summary

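Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags. Microsoft addressed the flaw in security bulletin MS05-036 (update 901214); the Nessus plugin reproduced below checks whether that update is present.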

Vulnerable Configurations

Part Description Count
Application
Microsoft
1

Exploit-Db

  • description: MS Windows Color Management Module Overflow Exploit (MS05-036) (2). CVE-2005-1219. Remote exploit for windows platform
    id: EDB-ID:1506
    last seen: 2016-01-31
    modified: 2006-02-17
    published: 2006-02-17
    reporter: darkeagle
    source: https://www.exploit-db.com/download/1506/
    title: Microsoft Windows - Color Management Module Overflow Exploit MS05-036 2
  • description: MS Windows Color Management Module Overflow Exploit (MS05-036). CVE-2005-1219. DoS exploit for windows platform
    id: EDB-ID:1116
    last seen: 2016-01-31
    modified: 2005-07-21
    published: 2005-07-21
    reporter: snooq
    source: https://www.exploit-db.com/download/1116/
    title: Microsoft Windows - Color Management Module Overflow Exploit MS05-036

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS05-036.NASL
description: The remote host contains a version of the Color Management Module that is vulnerable to a security flaw that could allow an attacker to execute arbitrary code on the remote host by constructing a malicious web page and enticing a victim to visit this web page.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18681
published: 2005-07-12
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18681
title: MS05-036: Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214)
code
#
# Tenable Network Security, Inc.
#

include("compat.inc");

# Registration phase: when `description` is set the script only records the
# plugin metadata below and then exits (see the exit(0) that closes this
# block); none of the host checks further down run in this mode.
if (description)
{
 script_id(18681);
 script_version("1.40");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 # Cross-references that let a finding be correlated with the CVE, the
 # Bugtraq entry, the Microsoft bulletin and KB article, the CERT note and
 # the two public Exploit-DB entries.
 script_cve_id("CVE-2005-1219");
 script_bugtraq_id(14214);
 script_xref(name:"MSFT", value:"MS05-036");
 script_xref(name:"CERT", value:"720742");
 script_xref(name:"EDB-ID", value:"1116");
 script_xref(name:"EDB-ID", value:"1506");
 script_xref(name:"MSKB", value:"901214");

 script_name(english:"MS05-036: Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214)");
 script_summary(english:"Determines the presence of update 901214");

 # Report text shown to the analyst. The attack path described is
 # client-side: the victim has to visit attacker-controlled web content.
 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the web
client.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of the Color Management Module that
is vulnerable to a security flaw that could allow an attacker to execute
arbitrary code on the remote host by constructing a malicious web page
and entice a victim to visit this web page.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-036");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
 # Plugin-assigned CVSS v2 vectors. Base: network access vector, medium
 # access complexity, no authentication, complete confidentiality /
 # integrity / availability impact. Temporal: E:H (high exploitability),
 # RL:OF (official fix available), RC:C (report confirmed). This is the
 # plugin author's rating and may differ from scores published elsewhere
 # for the same CVE.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 # Triage signals: public exploits exist, and the attributes below flag the
 # issue as covered by an exploit framework and as exploited by malware.
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");

 # Disclosure, patch and plugin publication all carry the same date.
 script_set_attribute(attribute:"vuln_publication_date", value:"2005/07/12");
 script_set_attribute(attribute:"patch_publication_date", value:"2005/07/12");
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/12");

 # plugin_type "local": the verdict comes from the host's own patch and file
 # state (see the Mscms.dll version checks after this block), not from
 # probing a network service.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 # Information-gathering category; the checks after this block only read
 # knowledge-base items and file versions.
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Scheduling constraints: run after the two hotfix/bulletin plugins, and
 # only when the SMB/MS_Bulletin_Checks/Possible key exists.
 # NOTE(review): the third argument to script_require_ports is a KB key, so
 # presumably either an SMB port (139/445) or collected patch-management
 # data satisfies the requirement -- confirm against the NASL reference.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

# Check phase. Stop immediately unless an earlier plugin recorded that
# bulletin checks are possible on this host.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

# Bulletin and KB identifiers reused by every helper call below.
bulletin = 'MS05-036';
kb = '901214';

kbs = make_list(kb);
# When patch-management data was collected for the host, pass the bulletin
# and KB list to the third-party patch check.
# NOTE(review): whether hotfix_check_3rd_party() returns or ends the script
# is decided in the hotfix include files -- confirm there.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# The file-version path needs an enumerated registry and a known Windows
# version; a missing version exits with code 1 instead of a clean
# "not affected" result.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Limit the check to the listed OS / service-pack ranges (Windows 2000
# '4,5', XP '1,2', Server 2003 '0,1'); anything else is audited as an
# OS/SP level that is not vulnerable.
if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

# An inaccessible share is reported as an audit failure, so a scan without
# working access does not produce a false "not affected" verdict.
# NOTE(review): presumably the file versions below are read over this
# share -- confirm in smb_hotfixes_fcheck.inc.
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# One Mscms.dll version check in \system32 per supported OS/service pack:
# Server 2003 (5.2) SP0 and SP1, XP (5.1) SP1 and SP2, and Windows 2000
# (5.0) with no service-pack argument. The checks are OR-ed, so the first
# one that reports a vulnerable file decides the result.
# NOTE(review): the version strings are presumably the first patched
# builds, with older files flagged as vulnerable -- confirm in the include.
if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Mscms.dll", version:"5.2.3790.359", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"Mscms.dll", version:"5.2.3790.2476", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Mscms.dll", version:"5.1.2600.1710", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mscms.dll", version:"5.1.2600.2709", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Mscms.dll", version:"5.0.2195.7054", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  # Vulnerable: record the missing bulletin in the knowledge base under
  # SMB/Missing/MS05-036, raise the finding, then finish the file-version
  # session before exiting.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # Not vulnerable: finish the file-version session and audit the host as
  # not affected. The verdict rests only on the Mscms.dll version checks
  # above.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

  • accepted: 2005-09-21T01:33:00.000-04:00
    class: vulnerability
    contributors:
    • name: Christine Walzer
      organization: The MITRE Corporation
    description: Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
    family: windows
    id: oval:org.mitre.oval:def:1125
    status: accepted
    submitted: 2005-08-02T12:00:00.000-04:00
    title: Server 2003 Color Management Module Buffer Overflow
    version: 64
  • accepted: 2011-05-16T04:00:46.156-04:00
    class: vulnerability
    contributors:
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
    family: windows
    id: oval:org.mitre.oval:def:1280
    status: accepted
    submitted: 2005-08-02T12:00:00.000-04:00
    title: Windows 2000 Color Management Module Buffer Overflow
    version: 69
  • accepted: 2011-05-16T04:02:44.137-04:00
    class: vulnerability
    contributors:
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Dragos Prisaca
      organization: Gideon Technologies, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
    family: windows
    id: oval:org.mitre.oval:def:330
    status: accepted
    submitted: 2005-08-02T12:00:00.000-04:00
    title: Windows XP,SP2 Color Management Module Buffer Overflow
    version: 69
  • accepted: 2011-05-16T04:02:59.646-04:00
    class: vulnerability
    contributors:
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
    family: windows
    id: oval:org.mitre.oval:def:440
    status: accepted
    submitted: 2005-08-02T12:00:00.000-04:00
    title: Windows XP,SP1 Color Management Module Buffer Overflow
    version: 68
  • accepted: 2011-05-16T04:03:26.446-04:00
    class: vulnerability
    contributors:
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
    family: windows
    id: oval:org.mitre.oval:def:769
    status: accepted
    submitted: 2005-08-02T12:00:00.000-04:00
    title: Server 2003,SP1 Color Management Module Buffer Overflow
    version: 68

Saint

bid: 14214
description: Microsoft Color Management Module profile tag buffer overflow
id: win_patch_mcmm
osvdb: 17830
title: ms_color_mgmt_profile_tag
type: client