CVE-2005-2123
Published 2005-11-29
Priority: P2 · 60 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT · EPSS: 65.08% (99.2nd percentile)
Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
Bytes: d7 cd c6 9a 00 00 c6 fb ca 02 aa 02 39 09 e8 03 00 00 00 00 66 a6 01 00 09 00 00 03 ff ff ff 7f 00 00 ff ff ff ff 00 00
- The vulnerability is in GDI32.DLL (the Graphics Rendering Engine), via integer overflows in WMF/EMF parsing, demonstrated through MRBP16::bCheckRecord; monitor for abnormal GDI32.DLL crashes or heap-based buffer overflows triggered by image rendering.
- The malicious WMF file begins with the magic bytes D7 CD C6 9A (the standard placeable-metafile header key, which benign placeable WMF files share, so the header alone is not an indicator); scan email attachments, web downloads, and file shares for WMF files bearing this header combined with mtNoObjects=0x0000.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 7.5 | HIGH | — |
GHSA
GHSA-5v2f-8gvc-fq7x (ghsa_unreviewed · 2022-05-01): CVE-2005-2123 [HIGH]
Same description as the CVE description above.
GHSA
GHSA-w94w-cg39-6r6h (ghsa_unreviewed · 2022-05-01 · CVSS 7.5): CVE-2005-4560 [HIGH], CWE-20
The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.
VulnCheck
CVE-2005-4560 [HIGH] Microsoft Windows Improper Input Validation (vulncheck · 2005 · CVSS 7.5)
Description as in GHSA-w94w-cg39-6r6h above (the crafted SETABORTPROC GDI Escape WMF vulnerability, distinct from CVE-2005-2123 and CVE-2005-2124).
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2005-4560; https://learn.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-001
No detection rules found.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/17223
- http://secunia.com/advisories/17461
- http://secunia.com/advisories/17498
- http://securitytracker.com/id?1015168
- http://support.avaya.com/elmodocs2/security/ASA-2005-228.pdf
- http://www.eeye.com/html/research/advisories/AD20051108b.html
- http://www.kb.cert.org/vuls/id/300549
- http://www.securityfocus.com/bid/15352
- http://www.us-cert.gov/cas/techalerts/TA05-312A.html
- http://www.vupen.com/english/advisories/2005/2348
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-053
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1063
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1175
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1263
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1546
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A701