OSVDB ID: 18830

Title: Microsoft Windows UMPNPMGR wsprintfW Remote Overflow

Info

Dates

Disclosure: Oct 11, 2005
Discovery: Unknown
Exploit: Oct 21, 2005
Solution: Oct 11, 2005

Description

A remote overflow exists in Microsoft Windows NT, 2000 and XP. The Microsoft Windows MSRPC Plug and Play service fails to validate user-supplied data passed to the wsprintfW call within the code for UMPNPMGR, resulting in a stack buffer overflow. With a specially crafted request, a remote authenticated attacker can execute arbitrary code with SYSTEM privileges on a remote Windows 2000 or XP SP1 system. On Windows XP SP2, this vulnerability could also be exploited by an unprivileged user to gain full privileges on a system to which they are logged in interactively. Both cases result in a loss of integrity to the system.

Classification

Location: Local Access Required, Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified, Vendor Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability for Windows 2000 and XP. Microsoft has not released a patch for the flaw affecting Windows NT 4.0 systems.

Products

Microsoft Corporation

Windows

NT 4.0 SP6a
NT 4.0 SP1
NT 4.0 SP2
NT 4.0 SP3
NT 4.0 SP4
NT 4.0 SP5
XP SP2
XP SP1
2000 SP4

References

Credit

  • Derek Soeder - dsoedereeye.com - eEye Digital Security


Direct URL: http://osvdb.org/18830