Vulnerabilities > CVE-2005-2120 - Unspecified vulnerability in Microsoft Windows 2000 and Windows XP

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
microsoft
nessus
exploit available
metasploit

Summary

Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.

Vulnerable Configurations

Part Description Count
OS
Microsoft
3

Exploit-Db

  • descriptionMS Windows Plug-and-Play (Umpnpmgr.dll) DoS Exploit (MS05-047) (2). CVE-2005-2120. Dos exploit for windows platform
    idEDB-ID:1271
    last seen2016-01-31
    modified2005-10-24
    published2005-10-24
    reporterWinny Thomas
    sourcehttps://www.exploit-db.com/download/1271/
    titleMicrosoft Windows Plug-and-Play Umpnpmgr.dll DoS Exploit MS05-047 2
  • descriptionMS Windows Plug-and-Play (Umpnpmgr.dll) DoS Exploit (MS05-047). CVE-2005-2120. Dos exploit for windows platform
    idEDB-ID:1269
    last seen2016-01-31
    modified2005-10-21
    published2005-10-21
    reporterN/A
    sourcehttps://www.exploit-db.com/download/1269/
    titleMicrosoft Windows Plug-and-Play Umpnpmgr.dll DoS Exploit MS05-047

Metasploit

descriptionThis module triggers a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the service.exe process, this module will result in a forced reboot on Windows 2000. Obtaining code execution is possible if user-controlled memory can be placed at 0x00000030, 0x0030005C, or 0x005C005C.
idMSF:AUXILIARY/DOS/WINDOWS/SMB/MS05_047_PNP
last seen2019-11-10
modified2017-07-24
published2006-12-03
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2120
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb
titleMicrosoft Plug and Play Service Registry Overflow

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS05-047.NASL
    descriptionThe remote host contains a version of the Plug and Play service that contains a vulnerability in the way it handles user-supplied data. An authenticated attacker could exploit this flaw by sending a malformed RPC request to the remote service and execute code within the SYSTEM context.
    last seen2020-06-01
    modified2020-06-02
    plugin id20000
    published2005-10-11
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20000
    titleMS05-047: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(20000);
     script_version("1.37");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     script_cve_id("CVE-2005-2120");
     script_bugtraq_id(15065);
     script_xref(name:"MSFT", value:"MS05-047");
     script_xref(name:"CERT", value:"214572");
     script_xref(name:"EDB-ID", value:"1271");
     script_xref(name:"MSKB", value:"905749");
    
     script_name(english:"MS05-047: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749)");
     script_summary(english:"Determines the presence of update 905749");
    
     script_set_attribute(attribute:"synopsis", value:
    "A flaw in the Plug and Play service could allow an authenticated
    attacker to execute arbitrary code on the remote host and therefore
    elevate his privileges.");
     script_set_attribute(attribute:"description", value:
    "The remote host contains a version of the Plug and Play service that
    contains a vulnerability in the way it handles user-supplied data.
    
    An authenticated attacker could exploit this flaw by sending a malformed
    RPC request to the remote service and execute code within the SYSTEM
    context.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-047");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000 and XP.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2005/10/11");
     script_set_attribute(attribute:"patch_publication_date", value:"2005/10/11");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS05-047';
    kb = '905749';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      hotfix_is_vulnerable(os:"5.1", sp:1, file:"umpnpmgr.dll", version:"5.1.2600.1734", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:2, file:"umpnpmgr.dll", version:"5.1.2600.2744", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0",       file:"umpnpmgr.dll", version:"5.0.2195.7069", dir:"\system32", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyWindows
    NASL idSMB_KB905749.NASL
    descriptionThe remote host contains a version of the Plug and Play service that contains a vulnerability in the way it handles user-supplied data. An authenticated attacker may exploit this flaw by sending a malformed RPC request to the remote service and execute code with SYSTEM privileges. Note that authentication is not required against Windows 2000 if the MS05-039 patch is missing.
    last seen2020-06-01
    modified2020-06-02
    plugin id21193
    published2007-03-12
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21193
    titleMS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)

Oval

  • accepted2011-05-16T04:00:39.436-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJohn Hoyland
      organizationCentennial Software
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionStack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
    familywindows
    idoval:org.mitre.oval:def:1244
    statusaccepted
    submitted2005-10-12T12:00:00.000-04:00
    titlePlug and Play User Data Validation Vulnerability (Windows 2000)
    version70
  • accepted2011-05-16T04:00:51.888-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionStack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
    familywindows
    idoval:org.mitre.oval:def:1328
    statusaccepted
    submitted2005-10-12T12:00:00.000-04:00
    titlePlug and Play User Data Validation Vulnerability (WinXP,SP1)
    version69
  • accepted2011-05-16T04:01:12.696-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionStack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
    familywindows
    idoval:org.mitre.oval:def:1519
    statusaccepted
    submitted2005-10-12T12:00:00.000-04:00
    titlePlug and Play User Data Validation Vulnerability (WinXP,SP2)
    version70