Category:   OS (Microsoft)  >   Windows UPnP (Ssdpsrv, others) Vendors:   Microsoft
Microsoft Windows Plug and Play Stack Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014640
SecurityTracker URL:
CVE Reference:   CVE-2005-1983
Updated:  Jun 8 2008
Original Entry Date:  Aug 9 2005
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Windows 2000 SP4, XP SP1/SP2, XP Pro x64 Edition, Server 2003, Server 2003 SP1, Server 2003 for Itanium-based Systems, Server 2003 SP1 for Itanium-based Systems, Server 2003 x64 Edition
Description:   A vulnerability was reported in Microsoft Windows Plug and Play. A remote user can execute arbitrary code on the target system.

A stack-based buffer overflow vulnerability exists in Plug and Play that allows a remote user to take complete control of the target system.

On Windows 2000, a remote user can send a specially crafted packet to exploit this vulnerability.

On Windows XP Service Pack 1, only a remote authenticated user can exploit this vulnerability in default configurations. On August 23, 2005, Microsoft issued a separate advisory clarifying that some non-default configurations of Windows XP SP1 are vulnerable to non-authenticated attacks. If Simple File Sharing is enabled, then the Guest account is also enabled and is permitted to access the system via the network. As a result, a remote user can use the Guest account to attempt to exploit the vulnerability against Windows XP SP1-based systems.

On Windows XP Service Pack 2 and Windows Server 2003, only a remote authenticated administrator can access the affected component to trigger the vulnerability.

Exploit code is available for this vulnerability. The vendor indicates that the exploit code primarily affects Windows 2000 users.

A worm (Zotob.A and variants) that exploits this vulnerability is circulating. Microsoft has issued guidance, available at:

On August 16, 2005, several anti-virus vendors issued 'Medium' risk rating warnings for variants of the Zotob worm and for the W32.Esbot.A worm (also known as W32/IRCbot.gen, W32/Sdbot-ACG, and BKDR_RBOT.BD). These worms may attempt to open backdoor ports on the infected system or join an IRC channel. The worms attempt to exploit other unpatched systems on port 445.
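The propagation behaviour described above (one infected host contacting many other hosts on TCP port 445 in a short time) is something a defender can pick out of perimeter or host firewall logs. The following is an added example, not code from SecurityTracker, Microsoft or any anti-virus vendor: it parses a constructed, hypothetical firewall log format and flags any source address that reaches a threshold number of distinct port-445 targets within a sliding time window. The log format, the window length and the threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format:
# date time action proto src dst sport dport). Host 10.0.0.5 behaves
# like a scanning worm; 10.0.0.9 is ordinary repeated SMB traffic to
# one server; 10.0.0.7 is unrelated web traffic.
SAMPLE_LOG = """\
2005-08-16 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.12 1034 445
2005-08-16 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.13 1035 445
2005-08-16 10:00:02 ALLOW TCP 10.0.0.5 10.0.0.14 1036 445
2005-08-16 10:00:02 ALLOW TCP 10.0.0.5 10.0.0.15 1037 445
2005-08-16 10:00:03 ALLOW TCP 10.0.0.5 10.0.0.16 1038 445
2005-08-16 10:00:03 ALLOW TCP 10.0.0.5 10.0.0.17 1039 445
2005-08-16 10:00:05 ALLOW TCP 10.0.0.9 10.0.0.2 1100 445
2005-08-16 10:00:07 ALLOW TCP 10.0.0.9 10.0.0.2 1101 445
2005-08-16 10:05:00 ALLOW TCP 10.0.0.5 10.0.0.18 1040 445
2005-08-16 10:00:09 ALLOW TCP 10.0.0.7 10.0.0.20 1200 80
"""


def parse_line(line):
    """Parse one log line of the assumed format; return None on malformed input."""
    parts = line.split()
    if len(parts) != 8:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "src": parts[4], "dst": parts[5], "dport": int(parts[7])}
    except ValueError:
        return None


def find_scanners(log_text, port=445, window_seconds=60, min_targets=5):
    """Return {src: max_distinct_targets} for sources that contacted at least
    min_targets distinct hosts on `port` within any window_seconds interval.

    Distinct destinations are counted rather than raw connection attempts so
    that a host legitimately talking to one file server many times is not
    flagged, while a host sweeping a subnet is."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e is not None and e["dport"] == port]
    events.sort(key=lambda e: e["ts"])

    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in by_src.items():
        best = 0
        # Sliding window anchored at each event; count distinct destinations
        # reached before the window expires.
        for i in range(len(evs)):
            targets = set()
            for j in range(i, len(evs)):
                if evs[j]["ts"] - evs[i]["ts"] > window:
                    break
                targets.add(evs[j]["dst"])
            best = max(best, len(targets))
        if best >= min_targets:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"possible port-445 sweep from {src}: {n} distinct targets in 60s")
```

Tuning note: the threshold and window should be set from a baseline of normal SMB traffic on the network in question; domain controllers, backup servers and management hosts legitimately contact many machines on port 445 and belong on an allow-list rather than in the alert output.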

Microsoft credits Neel Mehta of ISS X-Force with reporting this vulnerability and Jean-Baptiste Marchand of Herve Schauer Consultants for reporting a related issue.

Impact:   A remote user can execute arbitrary code on the target system with System level privileges.
Solution:   The vendor has issued the following fixes:

Microsoft Windows 2000 Service Pack 4:

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2:

Microsoft Windows XP Professional x64 Edition:

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1:

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems:

Microsoft Windows Server 2003 x64 Edition:

A restart is required after the security update is applied.

On August 12, 2005, Microsoft indicated that exploit code is available but that customers that have applied the above listed fix are not affected by the recently released exploit code. Their advisory regarding the exploit code is available at:

Vendor URL:
Cause:   Boundary error

Message History:   None.

 Source Message Contents

[Original Message Not Available for Viewing]
