CVE-2005-1983
published 2005-08-10

CVE-2005-1983: Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute…

Priority: P278 (critical; CVSS 2.0 score 10)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploitation: ITW / EXPLOIT, VulnCheck KEV, exploited in the wild
EPSS: 93.41% (99.8th percentile)
Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.

Detection & IOCs (extracted from sources)

  • port: 445
  • path: \PIPE\browser
  • path: \PIPE\ntsvcs
  • other: RPC Interface UUID: 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0 (pnp)
  • other: RPC Opnum 0x36 (54) - PNP_QueryResConfList
  • other: RPC Opnum 54 (0x36) via named pipe
  • other: Return address in umpnpmgr.dll (Win2000 SP0-SP4 EN): 0x767a38f6
  • other: Return address in umpnpmgr.dll (Win2000 SP0-SP4 pop/pop/ret): 0x767a1567
  • other: Return address in umpnpmgr.dll (WinXP SP1 EN): 0x758c572a
  • other: ResourceName passed to PNP_QueryResConfList: a\b\c
  • other: ResourceID value in exploit: 0xffff (ResType_ClassSpecific)
  • bytes: SMB Negotiate packet: \x00\x00\x00\x85\xFF\x53\x4D\x42\x72
  • bytes: PNP RPC bind packet header: \x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00\xB8\x10\xB8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x40\x4E\x9F\x8D\x3D\xA0\xCE\x11\x8F\x69\x08\x00\x3E\x30\x05\x1B
  • Detect exploit traffic by monitoring for DCE/RPC bind requests to the PnP service interface UUID 8d9f4e40-a03d-11ce-8f69-08003e30051b over SMB named pipes (\PIPE\browser, \PIPE\ntsvcs, \PIPE\wkssvc, \PIPE\srvsvc) on TCP port 445.
  • Alert on DCE/RPC calls to opnum 54 (0x36) on the PnP interface (8d9f4e40-a03d-11ce-8f69-08003e30051b), which corresponds to PNP_QueryResConfList — the vulnerable function.
  • A failed exploit attempt causes services.exe (which hosts the PnP service) to crash and the system to automatically reboot — unexpected reboots of Windows 2000/XP systems should be investigated as potential exploitation attempts.
  • On Windows 2000, exploitation requires no valid credentials (anonymous/null session); detect unauthenticated SMB null sessions followed by DCE/RPC activity on the PnP pipe as a high-fidelity indicator.
  • Look for oversized CSD_LegacyData buffers (>= 0x7C0 bytes) in PNP_QueryResConfList RPC requests, which is the overflow vector; the exploit sets SDL=0x07C0 and fills a 0x7D0-byte SDA array.
  • Detect the Zotob/Mytob worm exploitation pattern: SMB connections to port 445 from external IPs followed by a bind shell callback on a high port (exploit opens a bind shell, e.g. port 8721 or user-specified port).
  • The exploit can use multiple named pipes (browser, srvsvc, wkssvc, ntsvcs) as the transport; detection rules must cover all four pipe names to avoid evasion by pipe substitution.
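The first two detection notes above (bind to the PnP interface UUID, then a request with opnum 54) and the note about oversized PNP_QueryResConfList stubs can be implemented directly against the DCE/RPC PDUs carried inside the SMB named-pipe writes. The following is an added example, not code from this page's sources: it parses the connection-oriented DCE/RPC header, maps bind presentation contexts to their interface UUIDs, and flags opnum-54 requests on a context bound to PnP, reporting the stub size against the 0x7C0 threshold quoted in the notes. The bind sample starts with the 48-byte header listed on this page; its completion with interface v1.0 and the standard NDR transfer syntax (`8a885d04-1ceb-11c9-9fe8-08002b104860`), the SRVSVC interface UUID used as benign contrast traffic, and the zero-filled request stubs are assumptions and constructed test data, not captured packets.

```python
import struct
import uuid

# Interface UUID and opnum named in the detection notes on this page.
PNP_IFACE = uuid.UUID("8d9f4e40-a03d-11ce-8f69-08003e30051b")
PNP_QUERYRESCONFLIST = 54
# Stub sizes at or above this are reported as oversized (threshold from the notes).
OVERSIZED_STUB = 0x7C0

# Assumed constants not on the page: the standard NDR transfer syntax that every
# DCE/RPC bind carries, and the SRVSVC interface used here only as benign traffic.
NDR_TS = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
SRVSVC_IFACE = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")

PDU_REQUEST, PDU_BIND = 0, 11
LE_DREP = b"\x10\x00\x00\x00"  # data representation: little-endian, ASCII, IEEE float


def parse_header(pdu: bytes) -> dict:
    """Parse the 16-byte connection-oriented DCE/RPC PDU header."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than a DCE/RPC header")
    ver, _minor, ptype, flags = struct.unpack_from("<BBBB", pdu, 0)
    endian = "<" if pdu[4] & 0x10 else ">"  # bit 4 of drep[0] selects integer byte order
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    return {"ver": ver, "type": ptype, "flags": flags, "endian": endian,
            "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id}


def bind_contexts(pdu: bytes, hdr: dict) -> dict:
    """Map each presentation context id in a bind PDU to its abstract-syntax UUID."""
    e = hdr["endian"]
    num_ctx = pdu[24]              # follows max_xmit, max_recv, assoc_group
    off, ctxs = 28, {}
    for _ in range(num_ctx):
        ctx_id, n_ts = struct.unpack_from(e + "HB", pdu, off)
        raw = pdu[off + 4:off + 20]  # abstract syntax UUID, NDR-encoded
        ctxs[ctx_id] = uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)
        off += 24 + 20 * n_ts      # item header + uuid/version + transfer syntaxes
    return ctxs


def request_call(pdu: bytes, hdr: dict) -> tuple:
    """Return (context id, opnum, stub length) of a request PDU."""
    ctx_id, opnum = struct.unpack_from(hdr["endian"] + "HH", pdu, 20)
    return ctx_id, opnum, hdr["frag_len"] - 24 - hdr["auth_len"]


def scan_pipe_session(pdus) -> list:
    """Walk the PDUs of one named-pipe session in order; return alert strings."""
    alerts, pnp_ctx = [], set()
    for pdu in pdus:
        hdr = parse_header(pdu)
        if hdr["type"] == PDU_BIND:
            for ctx_id, iface in bind_contexts(pdu, hdr).items():
                if iface == PNP_IFACE:
                    pnp_ctx.add(ctx_id)
                    alerts.append(f"bind to PnP interface {iface} on ctx {ctx_id}")
        elif hdr["type"] == PDU_REQUEST:
            ctx_id, opnum, stub_len = request_call(pdu, hdr)
            if ctx_id in pnp_ctx and opnum == PNP_QUERYRESCONFLIST:
                msg = f"PNP_QueryResConfList (opnum {opnum}) with {stub_len}-byte stub"
                if stub_len >= OVERSIZED_STUB:
                    msg += " (oversized)"
                alerts.append(msg)
    return alerts


# --- constructed sample PDUs (test data, not captured traffic) ---------------

def make_bind(iface: uuid.UUID, ctx_id: int = 0, call_id: int = 1) -> bytes:
    """Generic single-context DCE/RPC bind to `iface` v1.0 over NDR v2.0."""
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1)
    body += struct.pack("<HBx", ctx_id, 1) + iface.bytes_le + struct.pack("<HH", 1, 0)
    body += NDR_TS.bytes_le + struct.pack("<HH", 2, 0)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PDU_BIND, 3, LE_DREP, 16 + len(body), 0, call_id)
    return hdr + body


def make_request(ctx_id: int, opnum: int, stub: bytes, call_id: int = 2) -> bytes:
    """Generic DCE/RPC request PDU carrying an opaque stub."""
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PDU_REQUEST, 3, LE_DREP, 24 + len(stub), 0, call_id)
    return hdr + struct.pack("<IHH", len(stub), ctx_id, opnum) + stub


# The 48-byte bind header quoted on this page, completed (assumption) with
# interface v1.0 and NDR v2.0 so that it is a whole 72-byte (0x48) bind PDU.
PAGE_BIND_HEADER = bytes.fromhex(
    "0500 0b03 1000 0000 4800 0000 0100 0000"
    "b810 b810 0000 0000 0100 0000 0000 0100"
    "404e 9f8d 3da0 ce11 8f69 0800 3e30 051b")
PNP_BIND = PAGE_BIND_HEADER + struct.pack("<HH", 1, 0) + NDR_TS.bytes_le + struct.pack("<HH", 2, 0)

if __name__ == "__main__":
    # The builder reproduces the page's header byte for byte; a PnP bind followed by
    # an opnum-54 call with a zero-filled 0x7D0-byte stub raises two alerts.
    assert make_bind(PNP_IFACE) == PNP_BIND
    for a in scan_pipe_session([PNP_BIND, make_request(0, 54, b"\x00" * 0x7D0)]):
        print("ALERT:", a)
    # The same opnum on a SRVSVC context is not flagged: it was never bound to PnP.
    print(scan_pipe_session([make_bind(SRVSVC_IFACE), make_request(0, 54, b"\x00" * 64)]))
```

Keying the request check on the context id learned from the bind, rather than on the opnum alone, is what lets the rule survive pipe substitution: the four pipe names in the last note only change the SMB transport, while the interface UUID in the bind and the opnum in the request are the same regardless of which pipe carries them.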

CVSS provenance

  • nvd: v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
  • vulncheck: 10.0 CRITICAL