
CERT Coordination Center

Microsoft Plug and Play contains a buffer overflow vulnerability

Vulnerability Note VU#998653

Original Release Date: 2005-08-09 | Last Revised: 2005-11-15

Overview

Microsoft Plug and Play contains a flaw in the handling of message buffers that may result in local or remote arbitrary code execution or denial-of-service conditions.

Description

The following is from the Microsoft Plug and Play description:

    Plug and Play (PnP) allows the operating system to detect new hardware when you install it on a system. For example, when you install a new mouse on your system, PnP allows Windows to detect it, allows Windows to load the needed drivers, and allows Windows to begin using the new mouse.

The Plug and Play service in Microsoft Windows contains a buffer overflow that may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

According to Microsoft Security Advisory 899588:

Windows 2000 systems are primarily at risk from this vulnerability. Windows 2000 customers who have installed the MS05-039 security update are not affected by this vulnerability. If an administrator has disabled anonymous connections by changing the default setting of the RestrictAnonymous registry key to a value of 2, Windows 2000 systems would not be vulnerable remotely from anonymous users. However, because of a large application compatibility risk, we do not recommend customers enable this setting in production environments without first extensively testing the setting in their environment. For more information, search for RestrictAnonymous at the Microsoft Help and Support Web site.

While not the current target of this exploit code, it’s important to note that on Windows XP Service Pack 2 and Windows Server 2003 an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users or by users who have standard user accounts on Windows XP Service Pack 2 or Windows Server 2003. This is because of enhanced security built directly into the affected component. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 2 and Windows Server 2003 are not vulnerable remotely by anonymous users or by users who have standard user accounts. However, the affected component is available remotely to users who have administrative permissions.

While not the current target of this exploit code, it’s important to note that on Windows XP Service Pack 1 an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts on Windows XP Service Pack 1. The existing exploit code is not designed to provide the authentication required to exploit this issue on these operating systems. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 1 systems are not vulnerable remotely by anonymous users.

This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition.

Microsoft Security Advisory 906574 also notes the following limited scope of vulnerability for Windows XP SP1 in a non-default configuration:

    If Simple File Sharing is enabled on a Microsoft Windows XP system that is not joined to a domain, then all users who access this system through the network are forced to use the Guest account. This is the “Network access: Sharing and security model for local accounts” security policy setting, and is also known as ForceGuest.

    Windows XP mitigates several security vulnerabilities by preventing users who do not have a valid logon credential from accessing the system remotely. An example of this is the vulnerability that is addressed in Microsoft Security Bulletin MS05-039. However, when you enable Simple File Sharing, the Guest account is also enabled and given permission to access the system through the network. Because the Guest account is a valid account when it is enabled, and is given permission to access the system through the network, an attacker could use the Guest account as if they had a valid user account.

    There is no known attack that is seeking to exploit this scenario. The Advisory is being issued as a special precaution. There is no change to the update in Security Bulletin MS05-039. Customers who have applied this update are protected in this scenario.

    Mitigating Factors:

    - Windows XP Service Pack 2 is not vulnerable remotely to the issue addressed by MS05-039 even when Simple File Sharing enables the Guest account. On Windows XP Service Pack 2, the impact of this vulnerability is only Local Privilege Elevation, and only exploitable if a user has the ability to logon locally to the system.
    - Simple File Sharing is not available on Windows XP systems that are joined to a domain. Domain-joined systems use standard file sharing which does not enable the Guest account or give it permissions to access the system through the network. Windows XP Service Pack 2 is not vulnerable remotely in domain-joined systems or in workgroup-joined systems.
    - Enabling Simple File Sharing does not expose customers who have applied the security updates provided by Microsoft Security Bulletin MS05-039 to the vulnerability that is addressed by that security bulletin.

Please note that multiple variants of exploit code for this vulnerability are publicly available. In addition, reports indicate that this vulnerability is being actively exploited by malicious software, including the Zotob worm. The exploit code seen in the wild includes, but is not limited to, functionality that attempts to remove software (including anti-virus applications and other countermeasures) and that opens a backdoor allowing the computer to be remotely controlled over channels such as Internet Relay Chat (IRC), turning it into what is known as a "zombie".

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or to create a denial-of-service condition on Windows 2000.

A remote, unauthenticated attacker may be able to execute arbitrary code or to create a denial-of-service condition on Windows XP SP1.

A local, authenticated attacker may be able to execute arbitrary code or to create a denial-of-service condition on Windows XP SP2 and Server 2003.
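The exposure conditions above (RestrictAnonymous = 2 on Windows 2000, ForceGuest on workgroup-joined XP SP1, local-only on XP SP2 and Server 2003, and whether MS05-039 is installed) can be checked on a host. The following audit script is an added example and is not code from the CERT note or from Microsoft; it assumes the LSA registry value names RestrictAnonymous and forceguest, and KB899588 as the hotfix id of MS05-039 (derived from the advisory number quoted on this page).

```powershell
# Added host audit for VU#998653 / MS05-039 exposure (not from CERT or Microsoft).
# Assumed: LSA value names RestrictAnonymous and forceguest, and KB899588 as the
# MS05-039 hotfix id. Get-WmiObject is used so the script runs on PowerShell 2.0.
function Get-PnPOverflowExposure {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $restrictAnonymous = [int]$lsa.RestrictAnonymous   # 2 = no anonymous (null session) access
    $forceGuest        = [int]$lsa.forceguest          # 1 = Simple File Sharing / ForceGuest
    $os  = Get-WmiObject Win32_OperatingSystem
    $cs  = Get-WmiObject Win32_ComputerSystem
    $ver = [version]$os.Version                        # 5.0 = 2000, 5.1 = XP, 5.2 = Server 2003
    $sp  = [int]$os.ServicePackMajorVersion
    $patched = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                      Where-Object { $_.HotFixID -eq 'KB899588' })

    if ($patched) {
        $exposure = 'None: MS05-039 (KB899588) is installed'
    } elseif ($ver.Major -ne 5) {
        $exposure = 'Not covered by this note'
    } elseif ($ver.Minor -eq 0) {
        # Windows 2000: remote anonymous exposure unless RestrictAnonymous is 2
        if ($restrictAnonymous -eq 2) { $exposure = 'Remote, authenticated users only' }
        else { $exposure = 'Remote, anonymous (worm-exploitable)' }
    } elseif ($ver.Minor -eq 1 -and $sp -lt 2) {
        # Windows XP SP1: valid credentials required remotely; ForceGuest on a
        # workgroup system makes the enabled Guest account such a credential
        if ($forceGuest -eq 1 -and -not $cs.PartOfDomain) {
            $exposure = 'Remote via enabled Guest account (Advisory 906574 scenario)'
        } else { $exposure = 'Remote, standard user credentials required' }
    } else {
        # Windows XP SP2 and Server 2003: local logon needed; remote only for admins
        $exposure = 'Local privilege elevation only (remote for administrators)'
    }

    New-Object PSObject -Property @{
        Host              = $env:COMPUTERNAME
        Version           = "$ver SP$sp"
        RestrictAnonymous = $restrictAnonymous
        ForceGuest        = $forceGuest
        DomainJoined      = [bool]$cs.PartOfDomain
        Patched           = $patched
        Exposure          = $exposure
    }
}

Get-PnPOverflowExposure | Format-List
```

Run it in an elevated session; a missing registry value is read as 0, which for RestrictAnonymous is the insecure default the note describes.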

Solution

Apply an update
Please see Microsoft Security Bulletin MS05-039 for information on fixes, updates, and workarounds.

Vendor Information


Microsoft Corporation Affected

Updated: August 09, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS05-039 for information on fixes, updates, and workarounds.




Acknowledgements

This vulnerability was reported in Microsoft Security Bulletin MS05-039. Microsoft credits Neel Mehta of ISS X-Force for reporting the issue and Jean-Baptiste Marchand of Herve Schauer Consultants for additional help with related issues.

This document was written by Ken MacInnis.

Other Information

CVE IDs: CVE-2005-1983
Severity Metric: 51.98
Date Public: 2005-08-09
Date First Published: 2005-08-09
Date Last Updated: 2005-11-15 19:29 UTC
Document Revision: 42

Sponsored by CISA.