CVE-2005-1983 - Buffer Overflow vulnerability in Microsoft Windows 2000 and Windows XP

Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | COMPLETE |
Integrity impact | COMPLETE |
Availability impact | COMPLETE |

Summary
Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 2 |
Exploit-Db
description | id | last seen | modified | published | reporter | source | title |
---|---|---|---|---|---|---|---|
MS Windows Plug-and-Play Service Remote Overflow (MS05-039). CVE-2005-1983. Remote exploit for windows platform | EDB-ID:1146 | 2016-01-31 | 2005-08-11 | 2005-08-11 | sl0ppy | https://www.exploit-db.com/download/1146/ | Microsoft Windows Plug-and-Play Service Remote Overflow MS05-039 |
MS Windows Plug-and-Play Service Remote Universal Exploit (spanish fix). CVE-2005-1983. Remote exploit for windows platform | EDB-ID:1179 | 2016-01-31 | 2005-08-25 | 2005-08-25 | RoMaNSoFt | https://www.exploit-db.com/download/1179/ | Microsoft Windows Plug-and-Play Service Remote Universal Exploit spanish fix |
Microsoft Plug and Play Service Overflow. CVE-2005-1983. Dos exploit for windows platform | EDB-ID:16365 | 2016-02-01 | 2010-08-30 | 2010-08-30 | metasploit | https://www.exploit-db.com/download/16365/ | Microsoft Plug and Play Service Overflow |
MS Windows Plug-and-Play Service Remote Universal Exploit (MS05-039). CVE-2005-1983. Remote exploit for windows platform | EDB-ID:1149 | 2016-01-31 | 2005-08-12 | 2005-08-12 | houseofdabus | https://www.exploit-db.com/download/1149/ | Microsoft Windows Plug-and-Play Service - Remote Universal Exploit MS05-039 |
Metasploit
description | This module exploits a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. NOTE: Since the PnP service runs inside the service.exe process, a failed exploit attempt will cause the system to automatically reboot. |
id | MSF:EXPLOIT/WINDOWS/SMB/MS05_039_PNP |
last seen | 2020-01-12 |
modified | 2017-07-24 |
published | 2006-07-31 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1983 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms05_039_pnp.rb |
title | MS05-039 Microsoft Plug and Play Service Overflow |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS05-039.NASL |
description | The remote version of Windows contains a flaw in the function PNP_QueryResConfList() in the Plug and Play service that could allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges. A series of worms (Zotob) are known to exploit this vulnerability in the wild. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 19402 |
published | 2005-08-09 |
reporter | This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/19402 |
title | MS05-039: Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588) |
code:

```nasl
#
# Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(19402);
  script_version("1.45");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  script_cve_id("CVE-2005-1983");
  script_bugtraq_id(14513);
  script_xref(name:"MSFT", value:"MS05-039");
  script_xref(name:"CERT", value:"998653");
  script_xref(name:"EDB-ID", value:"1146");
  script_xref(name:"EDB-ID", value:"1179");
  script_xref(name:"EDB-ID", value:"16365");
  script_xref(name:"MSKB", value:"899588");

  script_name(english:"MS05-039: Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)");
  script_summary(english:"Determines the presence of update 899588");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host due to a flaw in the
Plug-And-Play service.");
  script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a flaw in the function
PNP_QueryResConfList() in the Plug and Play service that could allow an
attacker to execute arbitrary code on the remote host with the SYSTEM
privileges.

A series of worms (Zotob) are known to exploit this vulnerability in the
wild.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-039");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and 2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS05-039 Microsoft Plug and Play Service Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/08/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows : Microsoft Bulletins");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');
  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS05-039';
kb = '899588';
kbs = make_list(kb);

# Let a third-party patch management product answer first, if one is in use.
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only Windows 2000 SP4, XP SP1/SP2 and Server 2003 RTM/SP1 are in scope.
if (hotfix_check_sp_range(win2k:'4', xp:'1,2', win2003:'0,1') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Compare the installed umpnpmgr.dll against the fixed build for each OS / SP.
if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"umpnpmgr.dll", version:"5.2.3790.360",  dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"umpnpmgr.dll", version:"5.2.3790.2477", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"umpnpmgr.dll", version:"5.1.2600.1711", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"umpnpmgr.dll", version:"5.1.2600.2710", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", sp:4, file:"umpnpmgr.dll", version:"5.0.2195.7057", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
NASL family | Windows |
NASL id | SMB_KB899588.NASL |
description | The remote version of Windows contains a flaw in the function |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 19408 |
published | 2005-08-09 |
reporter | This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/19408 |
title | MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check) |
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(19408);
  script_version("1.43");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id("CVE-2005-1983");
  script_bugtraq_id(14513);
  script_xref(name:"MSFT", value:"MS05-039");
  script_xref(name:"MSKB", value:"899588");

  script_name(english:"MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check)");
  script_summary(english:"Determines the presence of update 899588 (remote check)");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host due to a flaw in the
Plug-And-Play service.");
  script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a flaw in the function
'PNP_QueryResConfList()' in the Plug and Play service that may allow an
attacker to execute arbitrary code on the remote host with SYSTEM
privileges.

A series of worms (Zotob) are known to exploit this vulnerability in the
wild.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-039");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and 2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS05-039 Microsoft Plug and Play Service Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:microsoft:windows:pnpsvr");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows");

  script_dependencies("smb_nativelanman.nasl","smb_login.nasl");
  script_require_keys("Host/OS/smb");
  script_require_ports(139,445);
  exit(0);
}

#

include ('smb_func.inc');

global_var rpipe;

# Bind to the PnP RPC interface over the given named pipe and issue a
# PNP_QueryResConfList request (opnum 0x36) carrying a harmless class name
# and all-zero arguments.  The plugin treats a status value of 0x05 in the
# 8-byte reply as the signature of an unpatched service and returns 1;
# any other outcome (bind failure, no reply, other status) returns 0.
function PNP_QueryResConfList (pipe)
{
  local_var fid, data, rep, ret;

  fid = bind_pipe (pipe:pipe, uuid:"8d9f4e40-a03d-11ce-8f69-08003e30051b", vers:1);
  if (isnull (fid))
    return 0;

  data = class_name (name:"tns") +
         raw_dword (d:0) +
         raw_dword (d:0) +
         raw_dword (d:0) +
         raw_dword (d:0) +
         raw_dword (d:0);

  data = dce_rpc_pipe_request (fid:fid, code:0x36, data:data);
  if (!data)
    return 0;

  rep = dce_rpc_parse_response (fid:fid, data:data);
  if (!rep || (strlen(rep) != 8))
    return 0;

  ret = get_dword (blob:rep, pos:4);
  if (ret != 0x05)
    return 0;

  return 1;
}

os = get_kb_item ("Host/OS/smb") ;
# Windows Server 2003 and NT 4.0 are not checked by this remote probe.
if ( ("Windows 5.2" >< os) || ("Windows 4.0" >< os) ) exit(0);

port = get_kb_item("SMB/transport");
if (!port) port = 445;

if ( ! get_port_state(port) ) exit(0);
soc = open_sock_tcp(port);
if ( ! soc ) exit(0);

name = kb_smb_name();
session_init(socket:soc, hostname:name);

# On Windows XP with any-login enabled, use a random throw-away account over
# \svcctl; otherwise fall back to a null session over \srvsvc.
if ( ( "Windows 5.1" >< os ) && get_kb_item("SMB/any_login") )
{
  rpipe = "\svcctl";
  rand_lg = string ( "nessus", rand(), rand(), rand() );
  rand_pw = string ( "nessus", rand(), rand(), rand() );
  r = NetUseAdd(login:rand_lg, password:rand_pw, share:"IPC$");
}
else
{
  rpipe = "\srvsvc";
  r = NetUseAdd(share:"IPC$");
}

if ( r == 1 )
{
  ret = PNP_QueryResConfList(pipe:rpipe);
  if (ret == 1)
    security_hole(port:port);
  NetUseDel();
}
```
Oval
All six definitions are of class vulnerability, family windows, status accepted, and share the description: Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.

id | title | version | submitted | accepted | contributors |
---|---|---|---|---|---|
oval:org.mitre.oval:def:100073 | Windows XP (64-bit) PnP Buffer Overflow | 67 | 2005-08-16T12:00:00.000-04:00 | 2011-05-09T04:00:02.722-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Shane Shaffer (G2, Inc.) |
oval:org.mitre.oval:def:160 | Windows Server 2003 Plug and Play Buffer Overflow Vulnerability | 69 | 2006-09-22T05:40:00.000-04:00 | 2016-02-19T10:00:00.000-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.); Maria Mikhno (ALTX-SOFT) |
oval:org.mitre.oval:def:267 | Windows XP Plug and Play Buffer Overflow Vulnerability | 70 | 2006-09-22T05:40:00.000-04:00 | 2016-02-19T10:00:00.000-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.); Maria Mikhno (ALTX-SOFT) |
oval:org.mitre.oval:def:474 | Windows 2000 Plug and Play Buffer Overflow Vulnerability | 67 | 2006-09-22T05:40:00.000-04:00 | 2016-02-19T10:00:00.000-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Shane Shaffer (G2, Inc.); Maria Mikhno (ALTX-SOFT) |
oval:org.mitre.oval:def:497 | Windows XP,SP2 Plug and Play Buffer Overflow Vulnerability | 72 | 2006-09-22T05:40:00.000-04:00 | 2016-02-19T10:00:00.000-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Robert L. Hollis (ThreatGuard, Inc.); Dragos Prisaca (Gideon Technologies, Inc.); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.); Maria Mikhno (ALTX-SOFT) |
oval:org.mitre.oval:def:783 | Windows Server 2003 Plug and Play Buffer Overflow Vulnerability | 71 | 2006-09-22T05:40:00.000-04:00 | 2016-02-19T10:00:00.000-04:00 | Robert L. Hollis (ThreatGuard, Inc.); Jonathan Baker (The MITRE Corporation); Shane Shaffer (G2, Inc.); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.); Maria Mikhno (ALTX-SOFT) |
Packetstorm
data source | https://packetstormsecurity.com/files/download/83078/ms05_039_pnp.rb.txt |
id | PACKETSTORM:83078 |
last seen | 2016-12-05 |
published | 2009-11-26 |
reporter | H D Moore |
source | https://packetstormsecurity.com/files/83078/Microsoft-Plug-and-Play-Service-Overflow.html |
title | Microsoft Plug and Play Service Overflow |
Saint
bid | 14513 |
description | Windows Plug and Play buffer overflow |
id | win_patch_plugplay |
osvdb | 18605 |
title | windows_plug_play |
type | remote |
Seebug
bulletinFamily | exploit |
description | <p>Vulnerability description:</p><p>Microsoft Windows Plug and Play (PnP) lets the operating system detect new hardware as it is installed. A buffer overflow vulnerability exists in Microsoft Windows Plug and Play; an attacker who successfully exploits it can take complete control of the affected system. The cause is the way the PnP service handles malformed messages that contain excessive data. On Windows 2000, an anonymous user can exploit the vulnerability by sending a specially crafted message; on Windows XP Service Pack 1, only an authenticated user can send the malicious message; on Windows XP Service Pack 2 and Windows Server 2003, an attacker must log on to the system locally and run a specially crafted application to exploit it. Network worms that spread by exploiting this vulnerability have already appeared.</p><p>Vulnerability impact:</p><p>CVE-ID:CVE-2005-1983 </p><p>CNNVD-ID:CNNVD-200508-080</p><p>CNVD-ID:CNVD-2005-2731 </p><p>Solution:</p><p> </p><p>Microsoft</p><p> --------- </p><p>Microsoft has released a security bulletin (MS05-039) and the corresponding patch for this issue: MS05-039: Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588). Link: <a href="http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx?pf=true">http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx?pf=true</a></p><p>Patch downloads:</p><p>Microsoft Windows 2000 Service Pack 4 - </p><p>Download update: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=E39A3D96-1C37-47D2-82EF-0AC89905C88F">http://www.microsoft.com/downloads/details.aspx?FamilyId=E39A3D96-1C37-47D2-82EF-0AC89905C88F</a> </p><p>Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 -</p><p> Download update: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=9A3BFBDD-62EA-4DB2-88D2-415E095E207F">http://www.microsoft.com/downloads/details.aspx?FamilyId=9A3BFBDD-62EA-4DB2-88D2-415E095E207F</a> </p><p>Microsoft Windows XP Professional x64 Edition - </p><p>Download update: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=89D90E25-4773-4782-AD06-9B7517BAB3C8">http://www.microsoft.com/downloads/details.aspx?FamilyId=89D90E25-4773-4782-AD06-9B7517BAB3C8</a> </p><p>Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 - </p><p>Download update: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=6275D7B7-DAB1-47C8-8745-533EB471072C">http://www.microsoft.com/downloads/details.aspx?FamilyId=6275D7B7-DAB1-47C8-8745-533EB471072C</a> </p><p>Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems - </p><p>Download update: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=BE18D39D-3E4C-4C6F-B841-2CCD8D4C3F50">http://www.microsoft.com/downloads/details.aspx?FamilyId=BE18D39D-3E4C-4C6F-B841-2CCD8D4C3F50</a> </p><p>Microsoft Windows Server 2003 x64 Edition - </p><p>Download update: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=D976316D-3B17-4AD4-9198-513FFDAC98E4">http://www.microsoft.com/downloads/details.aspx?FamilyId=D976316D-3B17-4AD4-9198-513FFDAC98E4</a></p> |
id | SSV:13648 |
last seen | 2017-11-19 |
modified | 2005-08-12 |
published | 2005-08-12 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-13648 |
title | MS Windows Plug-and-Play Service Remote Universal Exploit (MS05-039) |
References
- http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0384.html
- http://secunia.com/advisories/16372
- http://securitytracker.com/id?1014640
- http://www.ciac.org/ciac/bulletins/p-266.shtml
- http://www.frsirt.com/english/alerts/20050814.ZotobA.php
- http://www.hsc.fr/ressources/presentations/null_sessions/
- http://www.kb.cert.org/vuls/id/998653
- http://www.osvdb.org/18605
- http://www.securiteam.com/windowsntfocus/5YP0E00GKW.html
- http://www.securityfocus.com/bid/14513
- http://www.us-cert.gov/cas/techalerts/TA05-221A.html
- http://www.vupen.com/english/advisories/2005/1354
- http://xforce.iss.net/xforce/alerts/id/202
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-039
- https://exchange.xforce.ibmcloud.com/vulnerabilities/21602
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100073
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A160
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A267
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A474
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A497
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A783