CERT-In Vulnerability Note CIVN-2005-73
Microsoft Plug and Play service Buffer Overflow Vulnerability

Original Issue Date: August 10, 2005

Severity Rating: High

Systems Affected

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 1 and Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Overview

A vulnerability has been reported in the Microsoft Plug and Play service which could be exploited by an attacker to gain complete control of a target system, allowing the attacker to install malicious programs, expose confidential information, or use the compromised system to attack the rest of the network.

Description

The Plug and Play service is a Windows DCE-RPC service that handles device installation, configuration, and notification of newly attached devices. A vulnerability exists in the Microsoft Plug and Play service because of an unchecked buffer, which can be exploited to cause a stack-based overflow. It has been reported that the named pipe needed to reach this service requires authentication on Windows XP and Windows Server 2003. On Windows 2000, additional named-pipe aliases are present which expose this service to an attacker with NULL session access, so no authentication or user interaction is required to exploit this vulnerability on Windows 2000 systems. It has also been reported that there is a high probability of this vulnerability being exploited on Windows 2000 systems in an automated fashion by a worm.

Workarounds

  • Block TCP ports 139 and 445 at the firewall
  • Use a personal firewall to mitigate network-based attack vectors
  • Enable advanced TCP/IP filtering on systems that support this feature
  • Block the affected ports by using IPsec on the affected systems
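A concrete form of the last workaround, blocking inbound TCP 139 and 445 on the host itself with a local IPsec policy. This is an added example built on the netsh ipsec static context of Windows XP and Windows Server 2003, not a script from the advisory or from Microsoft; Windows 2000 lacks this netsh context and needs the resource-kit ipsecpol tool instead. The policy, filter-list, action and rule names (BlockPnP-*) are assumptions chosen for the example.

```batch
@echo off
rem Added example (not from the advisory): local IPsec policy that drops
rem inbound TCP 139 and 445, the ports through which the Plug and Play
rem RPC interface is reached over SMB named pipes. BlockPnP-* names are
rem arbitrary. Run from an administrative command prompt (XP / Server 2003).

rem 1. Create the policy container.
netsh ipsec static add policy name=BlockPnP description="Drop inbound NetBIOS/SMB (MS05-039 workaround)"

rem 2. Filter list: any source address to this host (dstaddr=me) on
rem    TCP 139 and TCP 445. Filters are mirrored by default, so the
rem    reply direction is covered as well.
netsh ipsec static add filterlist name=BlockPnP-Ports
netsh ipsec static add filter filterlist=BlockPnP-Ports srcaddr=any dstaddr=me protocol=TCP dstport=139 description="NetBIOS session service"
netsh ipsec static add filter filterlist=BlockPnP-Ports srcaddr=any dstaddr=me protocol=TCP dstport=445 description="SMB over TCP"

rem 3. Filter action that silently drops matching packets.
netsh ipsec static add filteraction name=BlockPnP-Drop action=block

rem 4. Rule binding the filter list to the action inside the policy.
netsh ipsec static add rule name=BlockPnP-Rule policy=BlockPnP filterlist=BlockPnP-Ports filteraction=BlockPnP-Drop

rem 5. Assign (activate) the policy. Only one local IPsec policy can be
rem    assigned at a time, so an existing assigned policy is replaced.
netsh ipsec static set policy name=BlockPnP assign=y

rem Verify: the output shows the policy and whether it is assigned.
netsh ipsec static show policy name=BlockPnP
```

While assigned, this policy also refuses legitimate file and printer sharing connections to the host, so it is an interim measure until the MS05-039 update is applied; roll it back with `netsh ipsec static set policy name=BlockPnP assign=n` followed by `netsh ipsec static delete policy name=BlockPnP`.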

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS05-039:
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

References

Microsoft Security Bulletin MS05-039
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

Internet Security Systems Protection Advisory
http://xforce.iss.net/xforce/alerts/id/202

CVE Name:
CAN-2005-1983

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91 11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003