Microsoft Windows Plug and Play Stack Overflow Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1014640
SecurityTracker URL: http://securitytracker.com/id?1014640
CVE Reference: CVE-2005-1983
Updated: Jun 8 2008
Original Entry Date: Aug 9 2005
Impact: Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Advisory: Microsoft Security Bulletin
Version(s): Windows 2000 SP4, XP SP1\SP2, XP Pro x64 Edition, Server 2003, SP1, Itanium-based Systems, Itanium-based Systems SP1, x64 Edition

Description: A vulnerability was reported in Microsoft Windows Plug and Play. A remote user can execute arbitrary code on the target system.

A stack-based buffer overflow vulnerability exists in Plug and Play that allows a remote user to take complete control of the target system.

On Windows 2000, a remote user can send a specially crafted packet to exploit this vulnerability.

On Windows XP Service Pack 1, only a remote authenticated user can exploit this vulnerability in default configurations. On August 23, 2005, Microsoft issued a separate advisory (http://www.microsoft.com/technet/security/advisory/906574.mspx) clarifying that some non-default configurations of Windows XP SP1 are vulnerable to non-authenticated attacks. If Simple File Sharing is enabled, then the Guest account is also enabled and is permitted to access the system via the network. As a result, a remote user can use the Guest account to attempt to exploit the vulnerability against Windows XP SP1-based systems.

On Windows XP Service Pack 2 and Windows Server 2003, only a remote authenticated administrator can access the affected component to trigger the vulnerability.

Exploit code is available for this vulnerability. The vendor indicates that the exploit code primarily affects Windows 2000 users.

A worm (Zotob.A and variants) that exploits this vulnerability is circulating. Microsoft has issued guidance, available at:
http://www.microsoft.com/security/incident/zotob.mspx

On August 16, 2005, several anti-virus vendors issued 'Medium' risk rating warnings for variants of the Zotob worm and for the W32.Esbot.A worm (also known as Backdoor.Win32.IRCBot.es, W32/IRCbot.gen, W32/Sdbot-ACG, and BKDR_RBOT.BD). These worms may attempt to open backdoor ports on the infected system or join an IRC channel. The worms attempt to exploit other unpatched systems on port 445.

Microsoft credits Neel Mehta of ISS X-Force with reporting this vulnerability and Jean-Baptiste Marchand of Herve Schauer Consultants for reporting a related issue.
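
The worms described above spread by connecting to other systems on port 445. The following added example, which is not from this advisory or from Microsoft, flags internal hosts that contact many distinct peers on TCP 445 within a short window. The log layout, the 60-second window, the threshold of 10 and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445                   # port the advisory names for worm propagation
WINDOW = timedelta(seconds=60)   # assumed tuning value, not from the advisory
THRESHOLD = 10                   # assumed: distinct peers per window

def parse(line):
    """Parse 'ISO-time src dst dport' (hypothetical flow-log layout)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def smb_fanout(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each source to its peak count of distinct TCP/445 peers in any
    window, keeping only sources that reach the threshold."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    peak = defaultdict(int)
    for ts, src, dst, dport in sorted(map(parse, lines)):
        if dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # expire connections older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= threshold}

def _t(sec):
    """Constructed timestamp, offset in seconds from an arbitrary start."""
    return (datetime(2005, 8, 16, 10, 0) + timedelta(seconds=sec)).isoformat()

# Constructed sample records (not real traffic).
SAMPLE = (
    # worm-like host: 12 distinct peers on 445 within 12 seconds
    [f"{_t(i)} 10.0.0.66 10.0.1.{i + 1} 445" for i in range(12)]
    # ordinary client: repeated connections to one file server
    + [f"{_t(i * 5)} 10.0.0.5 10.0.0.20 445" for i in range(12)]
    # many peers, but on port 80, so out of scope
    + [f"{_t(i)} 10.0.0.7 10.0.2.{i + 1} 80" for i in range(12)]
    # 12 distinct SMB peers spread over an hour: never 10 in one window
    + [f"{_t(i * 300)} 10.0.0.8 10.0.3.{i + 1} 445" for i in range(12)]
)

if __name__ == "__main__":
    for src, peers in smb_fanout(SAMPLE).items():
        print(f"{src}: {peers} distinct TCP/445 peers within {WINDOW}")
```

A slow scanner stays under a short window, as the 10.0.0.8 records show, so the window and threshold need tuning against the normal SMB traffic of the network being monitored.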

Impact: A remote user can execute arbitrary code on the target system with System level privileges.

Solution: The vendor has issued the following fixes:

Microsoft Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=E39A3D96-1C37-47D2-82EF-0AC89905C88F

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9A3BFBDD-62EA-4DB2-88D2-415E095E207F

Microsoft Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=89D90E25-4773-4782-AD06-9B7517BAB3C8

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=6275D7B7-DAB1-47C8-8745-533EB471072C

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?FamilyId=BE18D39D-3E4C-4C6F-B841-2CCD8D4C3F50

Microsoft Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D976316D-3B17-4AD4-9198-513FFDAC98E4

A restart is required after the security update is applied.

On August 12, 2005, Microsoft indicated that exploit code is available but that customers that have applied the above listed fix are not affected by the recently released exploit code. Their advisory regarding the exploit code is available at:
http://www.microsoft.com/technet/security/advisory/899588.mspx

Vendor URL: www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
Cause: Boundary error
Underlying OS: Windows (2000), Windows (2003), Windows (XP)

Message History: None.

Source Message Contents

Date: Sun, 7 Aug 2005 22:10:23 -0400
Subject: http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx