CVE-2005-1219
Published: 2005-07-12
Priority: P2 (70, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 49.92% (98.8th percentile)
Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
Detection & IOCs (extracted from sources)
- Exploit was tested against Windows XP SP1 with explorer.exe as the target process. Monitor explorer.exe for unexpected code execution or crashes when processing image files with embedded ICC profiles.
- EIP overwrite offset in the PoC (snooq) is 0x336 bytes from the start of the crafted buffer; in the second exploit (eagl3) it is 0x3A0. Shellcode is placed at offset 0x246 with NOPs starting at 0x218 (NOP sled size 0x112). These offsets can be used to build detection signatures for the malicious ICC profile structure.
- The icm32.dll code address (73B3214B) is specific to the version of icm32.dll present on the tested system and may differ across Windows versions and patch levels. Do not rely on this address as a universal detection indicator.
- The EIP overwrite offset differs between the two PoC exploits (0x336 vs 0x3A0), indicating the exact offset is environment-dependent (OS version, SP level). Detection based solely on fixed offsets may miss variants.
CVSS provenance
- NVD: CVSS v2.0 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 7.5 HIGH
GHSA
GHSA-cr6g-748f-gvr6 (ghsa_unreviewed, 2022-05-01), severity HIGH
Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
VulnCheck
Microsoft image_color_management Out-of-bounds Write
vulncheck, 2005, CVSS 7.5 (HIGH)
Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.
Affected: Microsoft image_color_management
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-036
No detection rules found.
Exploit-DB
Microsoft Windows - Color Management Module Overflow (MS05-036) (2)
exploitdb, 2006-02-17
---
/*
\ MS05-036 ICC Stack Overflow Exploit
/ by Darkeagle
\
/ GreetZ: all unl0ckerz, ed, f0st, uf0, sowhat, str0ke, #black, redsand
\
/
\ special tnx to snooq for his PoC.
/
\
/ xploit was tested on WinXP SP1 RUS with explorer.exe
\
/ 02.08.05
\
/ http://eagle.blacksecurity.org
\
*/
#include
#include
#include
#define TARGET 1
#define NOP 0x90
#define FNAME "eagl3.jpg"
#define BSIZE sizeof(buff)-1
#define EIP_OFFSET 0x3A0
#define SC_OFFSET 0x246
#define NOP_OFFSET 0x218
#define NOP_SIZE 0x112
#define tag_content_offset 0x23E // file buffer offset craft stuff
#define content_size_offset 0xE2 // tag content buffer size
#define no_access_violate 0x32E // avoid access violate
#define no_access_violate2 0x32E+12 // avoid
Exploit-DB
Microsoft Windows - Color Management Module Overflow (MS05-036) (1)
exploitdb, 2005-07-21
---
/*
* Author: snooq [http://www.redpuffer.net/snooq/web/]
* Date: 21 July 2005
*
* When I looked at the PoC posted on bugtraq....
* I was basically quite disappointed. The 'PoC' fixed
* 'tag count' to a large number.. but this code path
* does not seem to be exploitable... GetColorProfileElement
* crashes becoz it hits the page boundary while enumerating
* the tags...this simply triggers 'Access Violation' before
* we even overwrite anything in the memory...
*
* well.. at least that is what I see in SoftICE... tell me if
* it's wrong...
*
* anyway.. I decided to dig deeper...and I was lucky enuff
* to uncover a more promising path...
*
* by controlling the size field of 'redMatrixColumnTag'...
* we are able to trick '
No writeups or analysis indexed.
References
- http://secunia.com/advisories/16004/
- http://www.kb.cert.org/vuls/id/720742
- http://www.securityfocus.com/bid/14214
- http://www.us-cert.gov/cas/techalerts/TA05-193A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-036
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1125
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1280
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A330
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A440
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A769