ID CVE-2005-2120
Summary Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
References
Vulnerable Configurations
  • cpe:2.3:o:microsoft:windows_2000:-:sp4:-:fr
  • Microsoft windows xp_sp1 tablet_pc
    cpe:2.3:o:microsoft:windows_xp:-:sp1:tablet_pc
  • Microsoft windows xp_sp2 tablet_pc
    cpe:2.3:o:microsoft:windows_xp:-:sp2:tablet_pc
CVSS
Base: 6.5 (as of 14-10-2005 - 11:42)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: SINGLE_INSTANCE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
exploit-db via4
  • description MS Windows Plug-and-Play (Umpnpmgr.dll) DoS Exploit (MS05-047). CVE-2005-2120. DoS exploit for the Windows platform
    id EDB-ID:1269
    last seen 2016-01-31
    modified 2005-10-21
    published 2005-10-21
    reporter N/A
    source https://www.exploit-db.com/download/1269/
    title Microsoft Windows Plug-and-Play Umpnpmgr.dll DoS Exploit MS05-047
  • description MS Windows Plug-and-Play (Umpnpmgr.dll) DoS Exploit (MS05-047) (2). CVE-2005-2120. DoS exploit for the Windows platform
    id EDB-ID:1271
    last seen 2016-01-31
    modified 2005-10-24
    published 2005-10-24
    reporter Winny Thomas
    source https://www.exploit-db.com/download/1271/
    title Microsoft Windows Plug-and-Play Umpnpmgr.dll DoS Exploit MS05-047 2
metasploit via4
description This module triggers a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the services.exe process, this module will result in a forced reboot on Windows 2000. Obtaining code execution is possible if user-controlled memory can be placed at 0x00000030, 0x0030005C, or 0x005C005C.
id MSF:AUXILIARY/DOS/WINDOWS/SMB/MS05_047_PNP
last seen 2019-03-23
modified 2017-07-24
published 2006-12-03
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/smb/ms05_047_pnp.rb
title Microsoft Plug and Play Service Registry Overflow
nessus via4
  • NASL family Windows
    NASL id SMB_KB905749.NASL
    description The remote host contains a version of the Plug and Play service that contains a vulnerability in the way it handles user-supplied data. An authenticated attacker may exploit this flaw by sending a malformed RPC request to the remote service and execute code with SYSTEM privileges. Note that authentication is not required against Windows 2000 if the MS05-039 patch is missing.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 21193
    published 2007-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21193
    title MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS05-047.NASL
    description The remote host contains a version of the Plug and Play service that contains a vulnerability in the way it handles user-supplied data. An authenticated attacker could exploit this flaw by sending a malformed RPC request to the remote service and execute code within the SYSTEM context.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 20000
    published 2005-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20000
    title MS05-047: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749)
oval via4
  • accepted 2011-05-16T04:00:39.436-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name John Hoyland
      organization Centennial Software
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
    family windows
    id oval:org.mitre.oval:def:1244
    status accepted
    submitted 2005-10-12T12:00:00.000-04:00
    title Plug and Play User Data Validation Vulnerability (Windows 2000)
    version 69
  • accepted 2011-05-16T04:00:51.888-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
    family windows
    id oval:org.mitre.oval:def:1328
    status accepted
    submitted 2005-10-12T12:00:00.000-04:00
    title Plug and Play User Data Validation Vulnerability (WinXP,SP1)
    version 68
  • accepted 2011-05-16T04:01:12.696-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Dragos Prisaca
      organization Gideon Technologies, Inc.
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
    family windows
    id oval:org.mitre.oval:def:1519
    status accepted
    submitted 2005-10-12T12:00:00.000-04:00
    title Plug and Play User Data Validation Vulnerability (WinXP,SP2)
    version 69
refmap via4
bid 15065
cert TA05-284A
cert-vn VU#214572
confirm http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
eeye AD20051011c
ms MS05-047
osvdb 18830
sectrack 1015042
secunia
  • 17166
  • 17172
  • 17223
sreason 71
Last major update 10-09-2008 - 15:41
Published 13-10-2005 - 06:02
Last modified 12-10-2018 - 17:37