CVE-2005-0058
published 2005-08-10

CVE-2005-0058: Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and…

Priority: P3 · 56
CVSS 2.0: 7.5 (high), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Tags: EXPLOIT
EPSS: 50.05% (98.8th percentile)
Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to elevate privileges or execute arbitrary code via a crafted message.

Affected (1 range)

Vendor      Product               Version range   Fixed in
microsoft   windows_2003_server   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

other:    \RPC Control\tapsrvlpc
command:  net start "Telephony Service"
process:  lineSetAppPriorityW
  • Monitor for exploitation attempts targeting the TAPI LPC port named '\RPC Control\tapsrvlpc'; unexpected low-privileged processes connecting to this LPC port may indicate exploitation of CVE-2005-0058.
  • Detect calls to lineSetAppPriorityW with an oversized or malformed lpszAppFilename buffer (0x21A bytes of 0x58 fill followed by a crafted return address) as a sign of the heap/stack buffer overflow exploit.
  • Alert on the Telephony Service (tapisrv) spawning unexpected child processes (e.g., cmd.exe or arbitrary commands via CreateProcessA), which is the shellcode's execution mechanism after successful exploitation.
  • Watch for low-privileged processes attempting to start or interact with the 'Telephony' service immediately before suspicious activity, as the exploit requires the service to be running.
  • The shellcode uses a WinSta0\Default desktop string placed at offset +0x2f0 in the shared LPC section; scanning LPC message buffers for this pattern alongside a crafted return pointer may identify in-flight exploitation.
  • The public exploit targets Windows 2000 SP0–SP4 (any language) specifically; the author notes it 'should work on Win2k sp0,sp1,sp2,sp3,sp4 any language', but the CVE also affects Windows 98/98SE/ME/XP/Server 2003, so detection logic should not be scoped only to Win2k.
  • The exploit requires the Telephony Service to be running; environments where this service is disabled are not directly exploitable via this proof-of-concept, though the underlying TAPI buffer overflow (MS05-040) remains unpatched until the official fix is applied.