Vulnerability Note VU#214572

Microsoft Plug and Play fails to properly validate user supplied data

Original Release date: 11 Oct 2005 | Last revised: 27 Oct 2005

Overview

Microsoft Plug and Play contains a flaw in message buffer handling that may result in local or remote arbitrary code execution or a denial-of-service condition.

Description

The following is from the Microsoft Plug and Play description:

    Plug and Play (PnP) allows the operating system to detect new hardware when you install it on a system. For example, when you install a new mouse on your system, PnP allows Windows to detect it, allows Windows to load the needed drivers, and allows Windows to begin using the new mouse.

The Plug and Play service in Microsoft Windows contains a buffer overflow that may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

A flaw in the way the Windows Plug and Play service validates user-supplied data may allow a remote, authenticated user to execute arbitrary code on some platforms. On other platforms the attacker must be a local, authenticated user, and the flaw cannot be exploited remotely.
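The note describes the flaw only at the level of "message buffer handling" and "fails to properly validate user supplied data". The following C program is an added illustration of that general pattern and is not the Windows Plug and Play code (which is not public): a handler copies a length-prefixed message into a fixed buffer, once trusting the caller-supplied length and once validating it. The message layout (2-byte little-endian length, then payload), the sentinel-guarded frame, and all function names are assumptions made for the example; the unchecked handler is clamped to the frame size only so the demonstration cannot corrupt memory outside the object it owns, which real vulnerable code does not do.

```c
/*
 * Added illustration, not the Windows Plug and Play code.
 * Assumed message layout: 2-byte little-endian payload length, then payload.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_SIZE 16
#define SENTINEL     0xA5A5A5A5u

/* The message buffer is followed by a sentinel so that an overrun of
 * buf can be observed without writing outside the struct. */
struct msg_frame {
    uint8_t  buf[MSG_BUF_SIZE];
    uint32_t sentinel;
};

typedef int (*handler_fn)(struct msg_frame *, const uint8_t *, size_t);

enum outcome { REJECTED = 0, ACCEPTED_INTACT = 1, ACCEPTED_CLOBBERED = 2 };

static size_t header_len(const uint8_t *msg)
{
    return (size_t)msg[0] | ((size_t)msg[1] << 8);
}

/* Vulnerable pattern: the copy length comes from the attacker-controlled
 * header and is never compared with the size of the destination buffer.
 * The clamp to the frame size is demo-only; real code has no such cap. */
int handle_unchecked(struct msg_frame *f, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2) return -1;
    size_t n = header_len(msg);
    if (n > msg_len - 2) return -1;            /* only checks the wire data */
    size_t cap = sizeof *f - offsetof(struct msg_frame, buf);
    if (n > cap) n = cap;                      /* demo-only clamp */
    memcpy((uint8_t *)f + offsetof(struct msg_frame, buf), msg + 2, n);
    return 0;
}

/* Hardened pattern: the user-supplied length is validated against both
 * the bytes actually received and the destination buffer, and an
 * oversized message is rejected rather than silently truncated. */
int handle_checked(struct msg_frame *f, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2) return -1;
    size_t n = header_len(msg);
    if (n > msg_len - 2) return -1;
    if (n > sizeof f->buf) return -1;
    memcpy(f->buf, msg + 2, n);
    return 0;
}

/* Constructed input: a message whose header claims `claimed` payload bytes
 * and whose payload is that many 'A' bytes. Returns the total wire length. */
size_t build_message(uint8_t *out, size_t out_size, size_t claimed)
{
    if (out_size < claimed + 2) return 0;
    out[0] = (uint8_t)(claimed & 0xff);
    out[1] = (uint8_t)(claimed >> 8);
    memset(out + 2, 'A', claimed);
    return claimed + 2;
}

/* Run one handler on a constructed message and report what happened. */
enum outcome run_case(handler_fn handler, size_t claimed)
{
    uint8_t wire[64];
    size_t wlen = build_message(wire, sizeof wire, claimed);
    struct msg_frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.sentinel = SENTINEL;
    if (handler(&f, wire, wlen) != 0) return REJECTED;
    return f.sentinel == SENTINEL ? ACCEPTED_INTACT : ACCEPTED_CLOBBERED;
}

int main(void)
{
    printf("unchecked, 8-byte payload:  %d\n", run_case(handle_unchecked, 8));
    printf("unchecked, 20-byte payload: %d\n", run_case(handle_unchecked, 20));
    printf("checked,   20-byte payload: %d\n", run_case(handle_checked, 20));
    return 0;
}
```

The point the example makes is the one the note names: the vulnerable handler does check the length against the data it received, which is why it looks correct at a glance, but it never compares that length with the buffer it writes into. The 20-byte message passes the first check and overwrites the sentinel; the hardened handler rejects it before copying.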

This vulnerability is similar to the issue reported in MS05-039 (VU#998653). However, the issue reported in MS05-047 (this note, VU#214572) is exploitable only by remote, authenticated attackers on Windows 2000 and Windows XP SP1, and only by local, authenticated users on Windows XP SP2.

Proof-of-concept exploit code has been made public, which increases the likelihood that this vulnerability is being actively exploited.

Impact

A remote, authenticated user may be able to execute arbitrary code or cause a denial-of-service condition. On Windows XP SP2, only a local, authenticated user can do so.

Solution

Apply an update
Please see Microsoft Security Bulletin MS05-047 for more information.

Systems Affected

Vendor                  Status     Date Notified   Date Updated
Microsoft Corporation   Affected   -               11 Oct 2005

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A

Credit

Microsoft reported this vulnerability and, in turn, thanks eEye Digital Security for information on the issue.

This document was written by Ken MacInnis.

Other Information

  • CVE IDs: CAN-2005-2120 (now CVE-2005-2120)
  • Date Public: 11 Oct 2005
  • Date First Published: 11 Oct 2005
  • Date Last Updated: 27 Oct 2005
  • Severity Metric: 30.98
  • Document Revision: 9
