Vulnerability Details : CVE-2005-2120

Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
Publish Date : 2005-10-13 Last Update Date : 2008-09-10

Collapse All Expand All Select Select&Copy	Scroll To Vendor Statements(0) Additional Vendor Data(0) OVAL Definitions(0) Vulnerable Products(0) # Of Vulns By Products References(0) Metasploit Modules(0)	Comments View User Comments Add Comment	External Links Secunia Advisories XForce Advisories Vulnerability Details at NVD Vulnerability Details at Mitre Nessus Plugins Linux Kernel Git Repository First CVSS Guide
Related Tweets Even more tweets Search Twitter Search YouTube Search Google

- CVSS Scores & Vulnerability Types

Cvss Score	6.5
Confidentiality Impact	Partial (There is considerable informational disclosure.)
Integrity Impact	Partial (Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited.)
Availability Impact	Partial (There is reduced performance or interruptions in resource availability.)
Access Complexity	Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )
Authentication	Single system (The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface).)
Gained Access	User
Vulnerability Type(s)	Execute CodeOverflow
CWE ID	CWE id is not defined for this vulnerability

- Related OVAL Definitions

Title	Definition Id	Family
MS05-047: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749)	oval:gov.nist.fdcc.patch:def:214	windows
Plug and Play User Data Validation Vulnerability (Windows 2000)	oval:org.mitre.oval:def:1244	windows
Plug and Play User Data Validation Vulnerability (WinXP,SP1)	oval:org.mitre.oval:def:1328	windows
Plug and Play User Data Validation Vulnerability (WinXP,SP2)	oval:org.mitre.oval:def:1519	windows

OVAL (Open Vulnerability and Assessment Language) definitions define exactly what should be done to verify a vulnerability or a missing patch. Check out the OVAL definitions if you want to learn what you should do to verify a vulnerability.

- Products Affected By CVE-2005-2120

#	Product Type	Vendor	Product	Update	Edition	Language
1	OS	Microsoft	Windows 2000	SP4		FR	Details Vulnerabilities
2	OS	Microsoft	Windows Xp	SP1	Tablet Pc		Details Vulnerabilities
3	OS	Microsoft	Windows Xp	SP2	Tablet Pc		Details Vulnerabilities

- Number Of Affected Versions By Product

Vendor	Product	Vulnerable Versions
Microsoft	Windows 2000	1
Microsoft	Windows Xp	2

- References For CVE-2005-2120

http://securityreason.com/securityalert/71
SREASON 71

http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf CONFIRM

http://secunia.com/advisories/17166
SECUNIA 17166

http://www.osvdb.org/18830
OSVDB 18830

http://securitytracker.com/id?1015042
SECTRACK 1015042

http://www.eeye.com/html/research/advisories/AD20051011c.html
EEYE AD20051011c

http://www.securityfocus.com/bid/15065
BID 15065 Microsoft Windows Plug And Play UMPNPMGR.DLL wsprintfW Buffer Overflow Vulnerability Release Date:2009-07-12

http://technet.microsoft.com/en-us/security/bulletin/ms05-047
Microsoft Security Bulletin MS05-047

http://www.kb.cert.org/vuls/id/214572
CERT-VN VU#214572

http://www.us-cert.gov/cas/techalerts/TA05-284A.html
CERT TA05-284A

http://secunia.com/advisories/17223
SECUNIA 17223

http://secunia.com/advisories/17172
SECUNIA 17172

- Metasploit Modules Related To CVE-2005-2120

Microsoft Plug and Play Service Registry Overflow

This module triggers a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the service.exe process, this module will result in a forced reboot on Windows 2000. Obtaining code execution is possible if user-controlled memory can be placed at 0x00000030, 0x0030005C, or 0x005C005C.