indows Plug and Play Remote Compromise

Type securityvulns
Reporter Securityvulns
Modified 2005-08-09T00:00:00


nternet Security Systems Protection Advisory August 9, 2005

Windows Plug and Play Remote Compromise


X-force has discovered a vulnerability in the Windows Plug and Play service. This vulnerability is remotely exploitable in the default configuration of Windows 2000, and is present in all modern Windows operating systems. There is a high probability that this vulnerability will be exploited in an automated fashion as part of a worm on Windows 2000.

ISS Protection Strategy:

ISS has provided preemptive protection for this vulnerability. We recommend that all customers apply applicable ISS product updates if they have not already done so.

Network Sensor 7.0, Proventia A and G100, G200, G1200: XPU 24.4 / 4/13/05 PlugAndPlay_BO

Proventia M and G400, G2000: XPU 1.43 / 4/13/05 PlugAndPlay_BO

Server Sensor 7.0: XPU 24.4 / 4/13/05 PlugAndPlay_BO

Proventia Desktop Version XPU 24.4 / 4/13/05 PlugAndPlay_BO

Desktop Protector 7.0: Version EOD / 4/13/05 PlugAndPlay_BO

Internet Scanner 7.0, SP2: XPU 7.2.10 / 8/9/04 WinMs05kb899588Update

These updates are available from the ISS Download Center at:

Business Impact:

Successful exploitation of this vulnerability could be leveraged to gain complete control over target systems, and might lead to malware installation, exposure of confidential information, or further network compromise. Due to the widespread use of the affected operating systems and the critical nature of component affected, it is likely that servers and desktops used for a wide variety of purposes are vulnerable to this issue.

Affected Products:

Windows 2000 up to and including SP4 with Security Rollup (Anonymous) Windows XP up to and including SP2 (Authenticated Users Only) Windows Server 2003 up to and including SP1 (Authenticated Users Only)


The Plug and Play service is a Windows DCE-RPC service that is designed to handle device installation, configuration, and notification of new devices. It starts automatically on modern versions of the Windows operating system, and runs in default configurations. On Windows 2000, this service is reachable via named pipes and a NULL session. It is not possible to disable this service without adversely affecting system operation.

This Plug and Play service contains a remotely exploitable stack-based overflow. It has been proven to be trivially exploitable, and X-Force is concerned that the overflow could be exploited automatically as part of a network-based worm used to attack Windows 2000-based systems.

The named-pipe needed to reach this service requires authentication on Windows XP and Windows Server 2003. On Windows XP SP2 and Windows Server 2003 those named-pipe are only available remotely to administrators. However, additional named pipe aliases are present on Windows 2000 which expose this service to an attacker with NULL session access. No authentication or user-interaction is required to exploit this vulnerability on Windows 2000.

At the time of publication, no exploits are available to the public at large. However, X-Force expects that exploits for this vulnerability will appear in the very near future.

Additional Information:

Microsoft Security Advisory:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-1983 to this issue. This is a candidate for inclusion in the CVE list (, which standardizes names for security problems.


This vulnerability was discovered and researched by Neel Mehta of the ISS X-Force.

About Internet Security Systems (ISS) Internet Security Systems, Inc. (ISS) is the trusted security expert to global enterprises and world governments, providing products and services that protect against Internet threats. An established world leader in security since 1994, ISS delivers proven cost efficiencies and reduces regulatory and business risk across the enterprise for more than 11,000 customers worldwide. ISS products and services are based on the proactive security intelligence conducted by ISS' X-Force research and development team тАУ the unequivocal world authority in vulnerability and threat research. Headquartered in Atlanta, Internet Security Systems has additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2005 Internet Security Systems, Inc. All rights reserved worldwide.

This document is not to be edited or altered in any way without the express written consent of Internet Security Systems, Inc. If you wish to reprint the whole or any part of this document, please email for permission. You may provide links to this document from your web site, and you may make copies of this document in accordance with the fair use doctrine of the U.S. copyright laws.

Disclaimer: The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and's key server, as well as at Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.