CVE-2005-1219
published 2005-07-12


Priority: P270 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 49.92% (98.8th percentile)

Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.

Detection & IOCs (extracted from sources)

  • filename: snooq.jpg
  • filename: eagl3.jpg
  • Exploit was tested against Windows XP SP1 with explorer.exe as the target process. Monitor explorer.exe for unexpected code execution or crashes when processing image files with embedded ICC profiles.
  • EIP overwrite offset in the PoC (snooq) is 0x336 bytes from the start of the crafted buffer; in the second exploit (eagl3) it is 0x3A0. Shellcode is placed at offset 0x246 with NOPs starting at 0x218 (NOP sled size 0x112). These offsets can be used to build detection signatures for the malicious ICC profile structure.
  • The icm32.dll code address (73B3214B) is specific to the version of icm32.dll present on the tested system and may differ across Windows versions and patch levels. Do not rely on this address as a universal detection indicator.
  • The EIP overwrite offset differs between the two PoC exploits (0x336 vs 0x3A0), indicating the exact offset is environment-dependent (OS version, SP level). Detection based solely on fixed offsets may miss variants.

CVSS provenance

  • nvd: v2.0, 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
  • vulncheck: 7.5 HIGH