CVE-2005-2120
published 2005-10-13


Priority: P3 (53)
CVSS 2.0: 6.5 (medium), vector AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit: available
EPSS: 63.06% (99.1th percentile)
Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.

Detection & IOCs (extracted from sources)

filename: Umpnpmgr.dll
process: services.exe
port: 445
other: PnP interface UUID in wire (little-endian) byte order, 404e9f8d-3da0-ce11-8f69-08003e30051b; canonical form 8d9f4e40-a03d-11ce-8f69-08003e30051b
bytes (NetBIOS session header, length 0x85, then SMB header with command 0x72 SMB_COM_NEGOTIATE):
\x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8
bytes (DCE/RPC bind, ptype 0x0b, frag_len 0x48, one presentation context for the PnP interface UUID above, version 1, with NDR transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860 version 2):
05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 b8 10 b8 10 00 00 00 00 01 00 00 00 00 00 01 00 40 4e 9f 8d 3d a0 ce 11 8f 69 08 00 3e 30 05 1b 01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
bytes (start of the DCE/RPC request, ptype 0x00, frag_len 0x0830 = 2096, opnum 0x000a PNP_GetDeviceList; the stub is an NDR string with max/actual count 0x400 = 1024 wchars that opens with the UTF-16LE filter "HTREE\ROOT\"):
05 00 00 03 10 00 00 00 30 08 00 00 01 00 00 00 18 08 00 00 00 00 0a 00 44 f7 12 00 00 04 00 00 00 00 00 00 00 04 00 00 48 00 54 00 52 00 45 00 45 00 5c 00 52 00 4f 00 4f 00 54 00 5c 00
bytes (NetBIOS session header, length 0x9A, then SMB header with command 0x25 SMB_COM_TRANSACTION, used to write the named pipe):
\x00\x00\x00\x9A\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x08\x01\xC0
bytes (NetBIOS session header, length 0x0884, then SMB header with command 0x25 SMB_COM_TRANSACTION):
\x00\x00\x08\x84\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc8
  • Detect DCE/RPC bind requests targeting the PnP service UUID (404e9f8d-3da0-ce11-8f69-08003e30051b in wire byte order, 8d9f4e40-a03d-11ce-8f69-08003e30051b canonical) over the SMB named pipe \PIPE\browser, especially from unauthenticated or anonymous sessions on Windows 2000 targets.
  • Alert on oversized DCE/RPC PNP_GetDeviceList requests (opnum 0x0a) over SMB. The captured exploit request above declares a 2096-byte fragment (frag_len 0x0830) whose device filter string is 1024 wide characters filled with repeated 0x5c 0x00 (backslash) sequences; legitimate filters are short device instance paths.
  • Monitor for services.exe crashes or unexpected restarts on Windows 2000/XP systems; a crash of the service host is the direct observable impact of exploitation, successful or not.
  • Code execution may be possible if attacker-controlled memory is placed at addresses 0x00000030, 0x0030005C, or 0x005C005C (the addresses formed from the overflowing backslash characters); these are the exploit's target dereference addresses and can be used as memory forensic indicators.
  • The public exploit targets Windows 2000 SP4 and earlier without authentication; Windows XP SP1 and earlier may also be affected, but exploitation behaviour may differ. The advisory text above describes authenticated attackers, so scope anonymous-session rules to Windows 2000 targets.
  • CVE-2005-2120 is distinct from CVE-2005-3644 and CVE-2006-6296, which are related but separate vulnerabilities in the same PNP_GetDeviceList code path; ensure detection rules are scoped correctly.
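The bind and request signals in the bullets above, turned into a small parser-based detector. This is an added example written for this page, not code from cvebase or from any exploit author. It parses DCE/RPC connection-oriented bind and request PDUs as carried in the SMB named-pipe payload, remembers which interface each presentation context was bound to in the pipe session, and alerts on a bind to the PnP interface UUID (the page lists it in wire byte order; the canonical form 8d9f4e40-a03d-11ce-8f69-08003e30051b is used here) and on a PNP_GetDeviceList request whose filter string is oversized or dominated by UTF-16LE backslashes. BIND_PDU and PAGE_REQUEST_PREFIX are the byte sequences listed on this page; EXPLOIT_REQUEST is a constructed full 2096-byte request built by padding that prefix with backslashes, and the thresholds MAX_DEVICE_ID_LEN, MAX_SANE_STUB, BACKSLASH_RATIO and MIN_BACKSLASHES are assumptions chosen for the example.

```python
import struct
import uuid

# The page lists this UUID in wire (little-endian) order, 404e9f8d-3da0-ce11-...
PNP_IFACE_UUID = uuid.UUID("8d9f4e40-a03d-11ce-8f69-08003e30051b")
OPNUM_PNP_GETDEVICELIST = 0x0A
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
REQ_HDR_LEN = 24                 # 16-byte CO header + alloc_hint(4) ctx_id(2) opnum(2)

# Thresholds are this example's assumptions, not values from the advisory.
MAX_DEVICE_ID_LEN = 200          # cfgmgr32.h limit on a device instance ID, in wchars
MAX_SANE_STUB = 1024             # bytes of stub a legitimate PNP_GetDeviceList needs
BACKSLASH_RATIO, MIN_BACKSLASHES = 0.5, 16

# Sample PDUs copied from this page; PAGE_REQUEST_PREFIX is only the first 62 bytes
# of the 2096-byte fragment its own header declares.
BIND_PDU = bytes.fromhex(
    "05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 b8 10 b8 10 00 00 00 00 "
    "01 00 00 00 00 00 01 00 40 4e 9f 8d 3d a0 ce 11 8f 69 08 00 3e 30 05 1b "
    "01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00")
PAGE_REQUEST_PREFIX = bytes.fromhex(
    "05 00 00 03 10 00 00 00 30 08 00 00 01 00 00 00 18 08 00 00 00 00 0a 00 "
    "44 f7 12 00 00 04 00 00 00 00 00 00 00 04 00 00 48 00 54 00 52 00 45 00 "
    "45 00 5c 00 52 00 4f 00 4f 00 54 00 5c 00")


def parse_pdu(data: bytes) -> dict:
    """Parse the DCE/RPC connection-oriented header plus bind/request bodies."""
    if len(data) < 16 or data[0] != 5:
        raise ValueError("not a DCE/RPC v5 PDU")
    end = "<" if (data[4] & 0xF0) == 0x10 else ">"  # drep byte 0: integer byte order
    frag_len, _auth_len, call_id = struct.unpack(end + "HHI", data[8:16])
    pdu = {"ptype": data[2], "frag_len": frag_len, "call_id": call_id,
           "truncated": len(data) < frag_len}
    if pdu["ptype"] == PTYPE_BIND:
        # body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3) p_cont_elem[]
        n_ctx, off, ctxs = data[24], 28, []
        for _ in range(n_ctx):
            ctx_id, n_ts = struct.unpack(end + "HB", data[off:off + 3])
            raw = data[off + 4:off + 20]
            iface = uuid.UUID(bytes_le=raw) if end == "<" else uuid.UUID(bytes=raw)
            ver = struct.unpack(end + "I", data[off + 20:off + 24])[0]
            ctxs.append({"ctx_id": ctx_id, "iface": iface, "ver": ver})
            off += 24 + 20 * n_ts                     # each transfer syntax: uuid + version
        pdu["contexts"] = ctxs
    elif pdu["ptype"] == PTYPE_REQUEST:
        alloc_hint, ctx_id, opnum = struct.unpack(end + "IHH", data[16:24])
        pdu.update({"alloc_hint": alloc_hint, "ctx_id": ctx_id, "opnum": opnum,
                    "stub": data[REQ_HDR_LEN:frag_len]})
    return pdu


def parse_filter_string(stub: bytes):
    """pszFilter as NDR: referent id, max count, offset, actual count, UTF-16LE units.
    Returns (declared code units, observed string bytes); bytes may be short if the
    PDU was truncated. Little-endian NDR is assumed."""
    if len(stub) < 16:
        return 0, b""
    _ref, _max, _off, actual = struct.unpack("<IIII", stub[:16])
    return actual, stub[16:16 + 2 * actual]


def count_wide_backslashes(chars: bytes) -> int:
    return sum(1 for i in range(0, len(chars) - 1, 2) if chars[i:i + 2] == b"\x5c\x00")


class PipeSession:
    """One named-pipe conversation: remembers which interface each presentation
    context bound, so a later opnum-10 request can be attributed to PnP."""

    def __init__(self):
        self.ctx_iface = {}

    def feed(self, data: bytes) -> list:
        pdu, alerts = parse_pdu(data), []
        if pdu["ptype"] == PTYPE_BIND:
            for ctx in pdu["contexts"]:
                self.ctx_iface[ctx["ctx_id"]] = ctx["iface"]
                if ctx["iface"] == PNP_IFACE_UUID:
                    alerts.append(f"bind to PnP interface {ctx['iface']} v{ctx['ver']} "
                                  f"(ctx {ctx['ctx_id']}, call_id {pdu['call_id']})")
        elif pdu["ptype"] == PTYPE_REQUEST and pdu["opnum"] == OPNUM_PNP_GETDEVICELIST:
            # An unknown context (bind not captured) is still inspected; other interfaces are not.
            if self.ctx_iface.get(pdu["ctx_id"]) not in (PNP_IFACE_UUID, None):
                return alerts
            declared, chars = parse_filter_string(pdu["stub"])
            if pdu["frag_len"] - REQ_HDR_LEN > MAX_SANE_STUB or declared > MAX_DEVICE_ID_LEN:
                alerts.append(f"oversized PNP_GetDeviceList: frag_len={pdu['frag_len']}, "
                              f"filter declares {declared} wchars")
            n_bs, n_units = count_wide_backslashes(chars), len(chars) // 2
            if n_bs >= MIN_BACKSLASHES and n_bs >= BACKSLASH_RATIO * n_units:
                alerts.append(f"PNP_GetDeviceList filter is {n_bs}/{n_units} backslashes")
        return alerts


def build_getdevicelist_request(filter_str: str, call_id: int = 1, ctx_id: int = 0) -> bytes:
    """Construct a PNP_GetDeviceList request for testing. The referent id 0x0012f744 is
    the one in the page's bytes; the trailing pulLength/ulFlags values are made up."""
    n = len(filter_str)
    stub = struct.pack("<IIII", 0x0012F744, n, 0, n) + filter_str.encode("utf-16-le")
    stub += struct.pack("<II", 0, 0)
    hdr = struct.pack("<BBBBBBBBHHI", 5, 0, PTYPE_REQUEST, 0x03, 0x10, 0, 0, 0,
                      REQ_HDR_LEN + len(stub), 0, call_id)
    return hdr + struct.pack("<IHH", len(stub), ctx_id, OPNUM_PNP_GETDEVICELIST) + stub


# Constructed exploit-shaped request: the page's "HTREE\ROOT\" prefix padded with
# backslashes to the 1024-wchar, 2096-byte fragment the page's header declares.
EXPLOIT_REQUEST = build_getdevicelist_request("HTREE\\ROOT\\" + "\\" * 1013)

if __name__ == "__main__":
    session = PipeSession()
    for name, pdu in (("bind", BIND_PDU), ("exploit", EXPLOIT_REQUEST),
                      ("benign", build_getdevicelist_request("ROOT\\"))):
        print(name, session.feed(pdu))
```

Feed the PDUs of one pipe conversation in order after stripping the SMB framing (the \xFFSMB Transaction headers listed above). The opnum alone is not a usable signal, since other interfaces also have an opnum 10, which is why the session ties requests to the earlier bind; a request whose bind was not captured is still inspected, marked by an unknown context. Multi-fragment requests (PFC flags without both FIRST and LAST set) need reassembly before the stub is inspected; the page's sample is a single fragment, and feeding only its 62-byte prefix still raises the oversized alert from the declared frag_len and string count.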