CVE-2005-1983
Description
Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*
- (no CPE)
- cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*
- (no CPE), range: = Service Pack 1
Patches
Vulnerability mechanics
Root cause
"An unchecked buffer in the Plug and Play service allows a stack-based buffer overflow when processing a specially crafted message."
Attack vector
On Windows 2000, an anonymous attacker can send a specially crafted packet to the affected system over the network, targeting TCP ports 139 or 445 [ref_id=1]. On Windows XP Service Pack 1, the attacker must be authenticated but can still send the malicious packet remotely. On Windows XP Service Pack 2 and Windows Server 2003, only a locally logged-on user (with administrative rights on Server 2003) can exploit the vulnerability by running a specially crafted application [ref_id=1]. The unchecked buffer in the PnP service overflows when processing the crafted input, allowing arbitrary code execution.
Affected code
The vulnerability resides in the Plug and Play (PnP) service, specifically an unchecked buffer within the service's handling of incoming messages [ref_id=1]. The advisory does not name a specific function or file path.
What the fix does
The security update corrects the vulnerability by ensuring the Plug and Play service properly validates the length of incoming messages before copying them into a buffer [ref_id=1]. No patch diff is included in the bundle; the advisory states that applying the update eliminates the unchecked buffer condition [ref_id=1].
Preconditions
- network: On Windows 2000: no authentication required; attacker must be able to send network packets to TCP ports 139 or 445.
- auth: On Windows XP SP1: attacker must have valid logon credentials and be able to send a crafted packet remotely.
- auth: On Windows XP SP2 and Windows Server 2003: attacker must have local logon access (administrative rights on Server 2003).
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.us-cert.gov/cas/techalerts/TA05-221A.html (nvd, Patch, US Government Resource)
- www.kb.cert.org/vuls/id/998653 (nvd, US Government Resource)
- archives.neohapsis.com/archives/fulldisclosure/2005-08/0384.html (nvd)
- secunia.com/advisories/16372 (nvd)
- securitytracker.com/id (nvd)
- www.ciac.org/ciac/bulletins/p-266.shtml (nvd)
- www.frsirt.com/english/alerts/20050814.ZotobA.php (nvd)
- www.hsc.fr/ressources/presentations/null_sessions/ (nvd)
- www.osvdb.org/18605 (nvd)
- www.securiteam.com/windowsntfocus/5YP0E00GKW.html (nvd)
- www.securityfocus.com/bid/14513 (nvd)
- www.vupen.com/english/advisories/2005/1354 (nvd)
- xforce.iss.net/xforce/alerts/id/202 (nvd)
- docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-039 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/21602 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A100073 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A160 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A267 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A474 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A497 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A783 (nvd)