18830 : Microsoft Windows UMPNPMGR wsprintfW Remote Overflow
Printer | http://osvdb.org/18830 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
14	2229	almost 8 years ago	about 1 month ago	8 times	100%

Timeline

Disclosure Date
2005-10-12

Time to Patch
69 days

Description

A remote overflow exists in Microsoft Windows NT, 2000 & XP. The Microsoft Windows MSRPC Plug and Play service fails to validate user supplied data to the wsprintfW call within the code for UMPNPMGR, resulting in a stack buffer overflow. With a specially crafted request, a remote authenticated attacker can execute arbitrary code with SYSTEM privileges on a remote Windows 2000 or XP SP1 system. On Windows XP SP2, this vulnerability could also be exploited by an unprivileged user to gain full privileges on a system to which he is logged in interactively. Both resulting in a loss of integrity to the system.

Classification

Location: Local Access Required, Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: Vendor Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability for Windows 2000 and XP. Microsoft has not released a patch for the flaw affecting Windows NT 4.0 systems.

Products

Microsoft Corporation	Windows XP	SP2
	Windows XP	SP1
	Windows NT	4.0 SP1
		4.0 SP2
		4.0 SP3
		4.0 SP4
		4.0 SP5
		4.0 SP6a
	Windows 2000	SP4

References

Security Tracker: 1015042
Milw0rm: 1271
Exploit Database: 1271
Bugtraq ID: 15065
Secunia Advisory ID: 17166 17172 17223
SCIP VulDB ID: 1789
CVE ID: 2005-2120 (see also: NVD)
Keyword: 2005006318
CERT VU: 214572
ISS X-Force ID: 22481
Microsoft Knowledge Base Article: 905749
VUPEN Advisory: ADV-2005-2044
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-10/0259.html
http://archives.neohapsis.com:80/archives/vulnwatch/2005-q4/0012.html
Generic Informational URL: http://isc.sans.org/diary.php?storyid=748
Packet Storm: http://packetstormsecurity.org/0510-advisories/TA05-284A.txt
Other Advisory URL: http://research.eeye.com/html/advisories/published/AD20051011c.html
http://www.securiteam.com/windowsntfocus/6G00B0KEBG.html
https://www.auscert.org.au/render.html?it=5587
Vendor Specific Advisory URL: http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=361442&RenditionID=
Vendor URL: http://www.microsoft.com/
Generic Exploit URL: http://www.securiteam.com/exploits/6F0011PELS.html
http://www.securiteam.com/exploits/6V00M15EAY.html
Microsoft Security Bulletin: MS05-047

Tools & Filters

20000 21193

Snort

4253 4254 4255 4256 4257 4258 4259 4260 4261 4262 4263 4264 4265 4266 4267 4268 4269 4270 4271 4272 4273 4274 4275 4276 4277 4278 4279 4280 4281 4282 4283 4284 4285 4286 4287 4288 4289 4290 4291 4292 4293 4294 4295 4296 4297 4298 4299 4300 4301 4302 4303 4304 4305 4306 4307 4308 4309 4310 4311 4312 4313 4314 4315 4316 4317 4318 4319 4320 4321 4322 4323 4324 4325 4326 4327 4328 4329 4330 4331 4332 4333 ... and 48 more

Credit

Derek Soeder - eEye Digital Security

CVSSv2 Score

CVSSv2 Base Score = 6.5
Source: nvd.nist.gov | Generated: 2005-10-14 | Disagree?

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.