CVE-2005-1218
Published: 2005-08-10
Priority: P3 · 39 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
EXPLOIT
EPSS: 61.18% (99.0th percentile)
The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)

- bytes: 03 00 00 27 22 E0 00 00 00 00 00 43 6F 6F 6B 69 65 3A 20 6D 73 74 73 68 61 73 68 3D 41 64 6D 69 6E 69 73 74 72 0D 0A
- bytes: 03 00 00 27 22 E0 00 00 00 00 00 43 6F 6F 6B 69 65 3A
- bytes: 000002020000
- Exploit targets TCP port 3389 (RDP) with crafted connection requests containing a malformed or oversized 'Cookie: mstshash=' field followed by padding bytes (0x41), triggering a kernel crash in rdpwd.sys.
- The exploit sends an RDP X.224 Connection Request PDU (TPKT header 03 00, followed by E0 class byte) with a 'Cookie: mstshash=' value that is fuzzed/overflowed; monitor for anomalously large or malformed mstshash cookie values in RDP negotiation packets.
- Presence of the SPIKE fuzzer script file 'remoteass.spk' on a host or in network traffic is a strong indicator of exploitation attempts against CVE-2005-1218.
- The crafted RDP packet sequence includes a second packet with integer value 0x0500 and a third packet starting with bytes 000002020000; detecting this multi-packet sequence on port 3389 is indicative of the exploit.
- The exploit was specifically tested against Windows XP SP2; the vulnerability also affects Windows 2000 Server and Windows Server 2003 per the NVD advisory, so detection rules should not be scoped to XP alone.
- The SPIKE fuzzer is used to generate the malicious packets; the exploit file is a SPIKE script (.spk), meaning the actual byte patterns sent may vary depending on fuzzer iteration (s_string_variable fields are mutated), so static byte signatures may not catch all variants.
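The notes above describe the packet shape to watch for (TPKT header, X.224 Connection Request code 0xE0, then a `Cookie: mstshash=` line) and warn that static byte signatures miss fuzzer variants. The following detector is an added example, not code from this page's sources or from Microsoft: instead of matching fixed bytes it parses the TPKT/X.224 framing, checks the declared TPKT length against the bytes actually seen, extracts the cookie value, and flags values that are oversized or consist of one repeated padding byte. The two byte samples quoted on the page are reused as inputs; the third input is a constructed fixture. The 9-character cookie threshold and the 16-byte padding-run threshold are assumptions chosen for the example, not values from the page.

```python
"""Flag malformed 'Cookie: mstshash=' values in RDP X.224 Connection Requests."""
import struct

# Byte samples quoted on the page (IOC entries), as hex dumps.
PAGE_SAMPLE_HEX = ("03 00 00 27 22 E0 00 00 00 00 00 43 6F 6F 6B 69 65 3A 20 "
                   "6D 73 74 73 68 61 73 68 3D 41 64 6D 69 6E 69 73 74 72 0D 0A")
PAGE_TRUNCATED_HEX = "03 00 00 27 22 E0 00 00 00 00 00 43 6F 6F 6B 69 65 3A"

COOKIE_PREFIX = b"Cookie: mstshash="
# Assumption: legitimate clients send a short username here (the stock client
# truncates it to 9 characters), so anything longer is treated as anomalous.
MAX_COOKIE_VALUE_LEN = 9
# Assumption: a run of this many identical bytes is fuzzer padding, not a name.
MIN_PADDING_RUN = 16


def parse_hex(text: str) -> bytes:
    """Turn a space-separated hex dump into bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def analyze_connection_request(pdu: bytes) -> dict:
    """Parse one TPKT-framed X.224 Connection Request and return findings.

    Returns {"cookie": <bytes or None>, "findings": [<str>, ...]}; an empty
    findings list means the PDU looks like a normal RDP connection request.
    """
    findings = []
    result = {"cookie": None, "findings": findings}

    # TPKT header: version 3, reserved 0, 16-bit big-endian total length.
    if len(pdu) < 4 or pdu[0] != 0x03 or pdu[1] != 0x00:
        findings.append("not-tpkt")
        return result
    (tpkt_len,) = struct.unpack(">H", pdu[2:4])
    if tpkt_len != len(pdu):
        # Declared length disagrees with the bytes on the wire (truncated sample).
        findings.append(f"tpkt-length-mismatch:{tpkt_len}!={len(pdu)}")

    # X.224 CR TPDU: LI, code 0xE0, dst-ref(2), src-ref(2), class(1).
    if len(pdu) < 11:
        findings.append("truncated-x224-header")
        return result
    li, code = pdu[4], pdu[5]
    if (code & 0xF0) != 0xE0:
        findings.append(f"not-connection-request:0x{code:02x}")
        return result

    # Variable part follows the 6-byte fixed part; LI does not count itself.
    variable = pdu[11:5 + li]
    if not variable.startswith(COOKIE_PREFIX):
        if b"Cookie:" in variable:
            findings.append("cookie-malformed")
        return result  # routing token or no cookie: not the pattern in question

    value = variable[len(COOKIE_PREFIX):]
    if value.endswith(b"\r\n"):
        value = value[:-2]
    else:
        findings.append("cookie-missing-crlf")
    result["cookie"] = value

    if len(value) > MAX_COOKIE_VALUE_LEN:
        findings.append(f"cookie-oversized:{len(value)}")
    if len(value) >= MIN_PADDING_RUN and len(set(value)) == 1:
        findings.append(f"cookie-repeated-byte:0x{value[0]:02x}")
    return result


def wrap_connection_request(variable: bytes) -> bytes:
    """Frame an X.224 CR variable part in TPKT (used here to build test fixtures)."""
    fixed = bytes([0xE0, 0, 0, 0, 0, 0])  # code, dst-ref, src-ref, class
    x224 = bytes([len(fixed) + len(variable)]) + fixed + variable
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224


def constructed_fuzz_like_sample() -> bytes:
    """Constructed fixture: an oversized cookie padded with 0x41, as the IOC describes."""
    return wrap_connection_request(COOKIE_PREFIX + b"\x41" * 200 + b"\r\n")


if __name__ == "__main__":
    for label, pdu in [("page sample", parse_hex(PAGE_SAMPLE_HEX)),
                       ("page truncated", parse_hex(PAGE_TRUNCATED_HEX)),
                       ("constructed fuzz-like", constructed_fuzz_like_sample())]:
        r = analyze_connection_request(pdu)
        print(f"{label:22s} cookie={r['cookie']!r} findings={r['findings']}")
```

The page's own sample parses cleanly (cookie value `Administr`, no findings), the truncated sample is caught by the TPKT length check before any cookie matching happens, and the padded fixture trips both the length and the repeated-byte rules. Because the checks are structural rather than byte-for-byte, mutated `s_string_variable` output still triggers them as long as the cookie line stays oversized.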
No detection rules found.
No writeups or analysis indexed.
References

- http://marc.info/?l=bugtraq&m=112146383919436&w=2
- http://security-protocols.com/modules.php?name=News&file=article&sid=2783
- http://www.kb.cert.org/vuls/id/490628
- http://www.microsoft.com/technet/security/advisory/904797.mspx
- http://www.securityfocus.com/bid/14259
- http://www.us-cert.gov/cas/techalerts/TA05-221A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-041
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100092
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A180
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A346
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A376
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A609
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A618
- https://www.immunitysec.com/pipermail/dailydave/2005-July/002188.html