Vulnerabilities > CVE-2005-2120 - Buffer Overflow vulnerability in Microsoft Windows 2000 and Windows XP
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 3 |
Exploit-Db
description MS Windows Plug-and-Play (Umpnpmgr.dll) DoS Exploit (MS05-047) (2). CVE-2005-2120. Dos exploit for windows platform id EDB-ID:1271 last seen 2016-01-31 modified 2005-10-24 published 2005-10-24 reporter Winny Thomas source https://www.exploit-db.com/download/1271/ title Microsoft Windows Plug-and-Play Umpnpmgr.dll DoS Exploit MS05-047 2 description MS Windows Plug-and-Play (Umpnpmgr.dll) DoS Exploit (MS05-047). CVE-2005-2120. Dos exploit for windows platform id EDB-ID:1269 last seen 2016-01-31 modified 2005-10-21 published 2005-10-21 reporter N/A source https://www.exploit-db.com/download/1269/ title Microsoft Windows Plug-and-Play Umpnpmgr.dll DoS Exploit MS05-047
Metasploit
| description | This module triggers a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the service.exe process, this module will result in a forced reboot on Windows 2000. Obtaining code execution is possible if user-controlled memory can be placed at 0x00000030, 0x0030005C, or 0x005C005C. |
| id | MSF:AUXILIARY/DOS/WINDOWS/SMB/MS05_047_PNP |
| last seen | 2019-11-10 |
| modified | 2017-07-24 |
| published | 2006-12-03 |
| references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2120 |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb |
| title | Microsoft Plug and Play Service Registry Overflow |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS05-047.NASL description The remote host contains a version of the Plug and Play service that contains a vulnerability in the way it handles user-supplied data. An authenticated attacker could exploit this flaw by sending a malformed RPC request to the remote service and execute code within the SYSTEM context. last seen 2020-06-01 modified 2020-06-02 plugin id 20000 published 2005-10-11 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20000 title MS05-047: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(20000); script_version("1.37"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_cve_id("CVE-2005-2120"); script_bugtraq_id(15065); script_xref(name:"MSFT", value:"MS05-047"); script_xref(name:"CERT", value:"214572"); script_xref(name:"EDB-ID", value:"1271"); script_xref(name:"MSKB", value:"905749"); script_name(english:"MS05-047: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749)"); script_summary(english:"Determines the presence of update 905749"); script_set_attribute(attribute:"synopsis", value: "A flaw in the Plug and Play service could allow an authenticated attacker to execute arbitrary code on the remote host and therefore elevate his privileges."); script_set_attribute(attribute:"description", value: "The remote host contains a version of the Plug and Play service that contains a vulnerability in the way it handles user-supplied data. An authenticated attacker could exploit this flaw by sending a malformed RPC request to the remote service and execute code within the SYSTEM context."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-047"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000 and XP."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/11"); script_set_attribute(attribute:"patch_publication_date", value:"2005/10/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS05-047'; kb = '905749'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"5.1", sp:1, file:"umpnpmgr.dll", version:"5.1.2600.1734", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"5.1", sp:2, file:"umpnpmgr.dll", version:"5.1.2600.2744", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"5.0", file:"umpnpmgr.dll", version:"5.0.2195.7069", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }NASL family Windows NASL id SMB_KB905749.NASL description The remote host contains a version of the Plug and Play service that contains a vulnerability in the way it handles user-supplied data. An authenticated attacker may exploit this flaw by sending a malformed RPC request to the remote service and execute code with SYSTEM privileges. Note that authentication is not required against Windows 2000 if the MS05-039 patch is missing. last seen 2020-06-01 modified 2020-06-02 plugin id 21193 published 2007-03-12 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21193 title MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)
Oval
accepted 2011-05-16T04:00:39.436-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name John Hoyland organization Centennial Software name Shane Shaffer organization G2, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call. family windows id oval:org.mitre.oval:def:1244 status accepted submitted 2005-10-12T12:00:00.000-04:00 title Plug and Play User Data Validation Vulnerability (Windows 2000) version 70 accepted 2011-05-16T04:00:51.888-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Shane Shaffer organization G2, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call. family windows id oval:org.mitre.oval:def:1328 status accepted submitted 2005-10-12T12:00:00.000-04:00 title Plug and Play User Data Validation Vulnerability (WinXP,SP1) version 69 accepted 2011-05-16T04:01:12.696-04:00 class vulnerability contributors name Robert L. Hollis organization ThreatGuard, Inc. name Dragos Prisaca organization Gideon Technologies, Inc. name Shane Shaffer organization G2, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call. family windows id oval:org.mitre.oval:def:1519 status accepted submitted 2005-10-12T12:00:00.000-04:00 title Plug and Play User Data Validation Vulnerability (WinXP,SP2) version 70
References
- http://secunia.com/advisories/17166
- http://secunia.com/advisories/17172
- http://secunia.com/advisories/17223
- http://securityreason.com/securityalert/71
- http://securitytracker.com/id?1015042
- http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
- http://www.eeye.com/html/research/advisories/AD20051011c.html
- http://www.kb.cert.org/vuls/id/214572
- http://www.osvdb.org/18830
- http://www.securityfocus.com/bid/15065
- http://www.us-cert.gov/cas/techalerts/TA05-284A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-047
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1244
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1328
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1519