|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 71 CVE : CVE-2005-2120 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : Yes Exploit Available : No Credit : Derek Soeder Published : 12.10.2005
Advisory Content : Windows UMPNPMGR wsprintfW Stack Buffer Overflow Vulnerability Release Date: October 11, 2005 Date Reported: August 3, 2005 Severity: High (Remote Code Execution with Authentication) Medium (Privilege Escalation to SYSTEM) Vendor: Microsoft Systems Affected: Windows NT 4.0 Windows 2000 Windows XP eEye ID #: EEYEB20050803 OSVDB #: 18830 CVE #: CAN-2005-2120 Overview: eEye Digital Security has discovered a vulnerability in the Windows Plug and Play Service that would allow an unprivileged user to execute arbitrary code with SYSTEM privileges on a remote Windows 2000 or XP SP1 system. On Windows XP SP2, this vulnerability could be exploited by an unprivileged user to gain full privileges on a system to which he is logged in interactively. This vulnerability is unrelated to the MS05-039 Plug and Play vulnerability, and is not resolved by the MS05-039 hotfix. We reported this vulnerability to Microsoft roughly a week before the MS05-039 patch was released, but they neglected to address the vulnerability in spite of our warnings. However, generic security measures instituted in the patch now prevent its anonymous exploitation, making the eminent threat an internal attack or mass compromise in a domain setting. Technical Details: UMPNPMGR.DLL hosts the Plug and Play or "PlugPlay" service, which provides an RPC interface for accessing device management and notification functionality. The service is default on Windows NT 4.0 and later, and in fact, support for it is hard-coded into the Service Control Manager in SERVICES.EXE. Due to its central importance, the service cannot be stopped once started, and attempting to disable it runs a high risk of rendering the system unusable. The code for UMPNPMGR contains a number of calls to wsprintfW to construct various formatted strings in stack buffers, and in two cases the user input is only validated by whether or not it corresponds to an existent subkey of HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnum. Although this registry branch is protected from unprivileged modification, the assumption that any valid key name is safe can nevertheless be circumvented by supplying arbitrary lengths of consecutive backslashes; for example, "HTREEROOT\\0\\\\". The functions PNP_GetDeviceList (opnum 10) and PNP_GetDeviceListSize (opnum 11), on the UMPNPMGR interface {8D9F4E40-A03D-11CE-8F69-08003E30051B}, both exhibit this vulnerability. For the former, any valid subkey name may be passed in order to reach a vulnerable wsprintfW call, whereas the latter must receive a key name with an empty second (e.g., "HTREE\ROOT  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |