
SANS ISC: InfoSec Handlers Diary Blog - MS05-047 Vulnerability in PnP Could Allow Remote Code Execution


MS05-047 Vulnerability in PnP Could Allow Remote Code Execution

Published: 2005-10-11
Last Updated: 2005-10-11 18:52:13 UTC
by Joshua Wright (Version: 1)
KB: 905749
CVE: CAN-2005-2120

This patch addresses a remote code execution and local elevation of privilege vulnerability in Plug and Play.  The vulnerability is similar to the one addressed by MS05-039; however, it requires the attacker to have valid logon credentials to exploit the flaw.  For Windows 2000 systems that have not been patched for MS05-039, this issue could be exploited remotely by anonymous users.  On Windows XP SP2, the attacker must also be able to log on locally, in addition to holding valid administrator logon credentials.  This patch replaces MS05-039, which was released in August and is known for the Zotob worm.

The standard practice of blocking TCP ports 139 and 445 at the perimeter will help slow exploitation of this. Just remember that road warriors who connect from less firewalled locations can potentially carry any such activity inside your organization.

Microsoft rates this vulnerability as Important severity because it requires valid logon credentials to attack a host.  Knowing that many corporations and academic organizations use a common password for the local administrator or other accounts on desktop computers, it is not inconceivable to me that this could be more critical than it first looks.  Any passwords that were compromised through MS05-039 (or any other patched vulnerability in the past year) could be used to satisfy the local-credential requirement on Windows 2000 and XP systems before exploitation.  If every host compromise in the past year or so resulted in all related passwords across the domain being changed, then this will be mostly a non-event.  If old passwords are still in use, then botnets or other malware will widely exploit this one in due time.