CVE-2005-2120
Description
Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:o:microsoft:windows_2000:*:sp4:*:fr:*:*:*:*
- (no CPE) range: <= SP4
- cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*
- (no CPE) range: <= SP2
Patches
Vulnerability mechanics
Root cause
"Missing input length validation in the Plug and Play service allows a stack-based buffer overflow in wsprintfW when processing registry key names with excessive backslash characters."
Attack vector
An authenticated attacker sends a specially crafted network message containing an excessive number of backslash characters in a registry key name to the Plug and Play service on a target system. The PnP service passes this oversized input to `wsprintfW` without proper length validation, causing a stack-based buffer overflow [ref_id=1]. On Windows 2000 and XP SP1, authenticated remote users can trigger this; on XP SP2, only local administrative users can reach the vulnerable component [ref_id=1].
Affected code
The vulnerability resides in the Plug and Play (PnP) service, specifically in the UMPNPMGR.DLL module. The flaw is a stack-based buffer overflow triggered in a `wsprintfW` function call when processing registry key names containing a large number of backslash (`\`) characters [ref_id=1].
What the fix does
The security update modifies the Plug and Play service to properly validate the length of a message before passing it to the allocated buffer [ref_id=1]. By adding bounds checking on the registry key name input, the fix prevents the oversized backslash string from overflowing the stack buffer in the `wsprintfW` call [ref_id=1].
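As an added illustration (not Microsoft's code and not part of this record), the following C shows the defensive pattern the bulletin describes: validating the length of a caller-controlled registry key name before it is formatted into a fixed-size stack buffer. The buffer capacity, the registry prefix and the function names are constructed for the example; the real buffer size and internals of UMPNPMGR.DLL are not stated on this page. The unsafe wsprintfW pattern is shown only in a comment for contrast, because wsprintfW takes no size argument and cannot be exercised safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>

/* Capacity of the fixed-size stack buffer in this example.  This is a
 * constructed value; the size of the real buffer in UMPNPMGR.DLL is not
 * given on the page. */
#define KEY_BUF_CHARS 64

/* Constructed prefix under which the caller builds a registry path. */
static const wchar_t KEY_PREFIX[] = L"SYSTEM\\CurrentControlSet\\Enum\\";

/* Count backslash characters in a wide string: the property of the input
 * that the advisory identifies as the trigger. */
size_t count_backslashes(const wchar_t *s)
{
    size_t n = 0;
    for (; *s != L'\0'; s++)
        if (*s == L'\\')
            n++;
    return n;
}

/* Length of a wide string, never scanning more than 'max' characters, so an
 * unterminated or oversized input cannot make the check itself run away. */
static size_t bounded_wlen(const wchar_t *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != L'\0')
        n++;
    return n;
}

/* Unsafe pattern, shown for contrast only and never compiled or called:
 * wsprintfW has no size argument, so formatting a caller-controlled name
 * into a fixed stack buffer writes past it once the name is longer than
 * the buffer.
 *
 *     WCHAR buf[KEY_BUF_CHARS];
 *     wsprintfW(buf, L"%s%s", KEY_PREFIX, name);   // no bound on 'name'
 */

/* Hardened pattern, mirroring what the bulletin says the update does:
 * validate the length before the input reaches the buffer.  Fills 'out'
 * (capacity 'out_chars') and returns true only when the whole formatted
 * path fits; otherwise leaves 'out' empty and returns false. */
bool build_key_path(wchar_t *out, size_t out_chars, const wchar_t *name)
{
    if (out_chars == 0)
        return false;
    out[0] = L'\0';

    size_t prefix_len = wcslen(KEY_PREFIX);
    size_t name_len = bounded_wlen(name, out_chars);

    /* Reject before formatting: no terminator within the capacity, or the
     * prefix + name + NUL would not fit. */
    if (name_len >= out_chars || prefix_len + name_len + 1 > out_chars)
        return false;

    /* swprintf takes the buffer size, so even a mistaken pre-check could
     * not write past 'out'; a negative result means truncation. */
    int written = swprintf(out, out_chars, L"%ls%ls", KEY_PREFIX, name);
    if (written < 0 || (size_t)written >= out_chars) {
        out[0] = L'\0';
        return false;
    }
    return true;
}

/* Convenience wrapper over a stack buffer of the constructed size: returns
 * whether a key name of this length would be accepted at all. */
bool accept_key_name(const wchar_t *name)
{
    wchar_t buf[KEY_BUF_CHARS];
    return build_key_path(buf, KEY_BUF_CHARS, name);
}
```

The important property is that rejection happens before any write: the count of backslashes is irrelevant to safety once the total length is bounded, which is why the fix is described as length validation rather than filtering of a particular character.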
Preconditions
- auth: Attacker must have valid logon credentials (authenticated user)
- network: On Windows 2000 and XP SP1, the attacker can be remote; on XP SP2, the attacker must be able to log on locally
- config: On Windows 2000 without MS05-039, anonymous users could exploit this remotely
- input: Attacker must send a crafted message with a large number of backslash characters in a registry key name
Reproduction
The bundle includes a reference to a public exploit at http://www.securityfocus.com/bid/15065, but no reproduction steps are provided in the reference write-ups or exploit references. Therefore, specific reproduction steps cannot be reconstructed from the available information.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- secunia.com/advisories/17166 (nvd; Patch, Vendor Advisory)
- securitytracker.com/id (nvd; Patch)
- www.eeye.com/html/research/advisories/AD20051011c.html (nvd; Patch, Vendor Advisory)
- www.securityfocus.com/bid/15065 (nvd; Exploit, Patch)
- www.kb.cert.org/vuls/id/214572 (nvd; Third Party Advisory, US Government Resource)
- www.us-cert.gov/cas/techalerts/TA05-284A.html (nvd; Third Party Advisory, US Government Resource)
- secunia.com/advisories/17172 (nvd)
- secunia.com/advisories/17223 (nvd)
- securityreason.com/securityalert/71 (nvd)
- support.avaya.com/elmodocs2/security/ASA-2005-214.pdf (nvd)
- www.osvdb.org/18830 (nvd)
- docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-047 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1244 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1328 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1519 (nvd)
News mentions
No linked articles in our index yet.