cbcvebase.
CVE-2005-2124
published 2005-11-29

CVE-2005-2124: Unspecified vulnerability in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1, related to "An unchecked…

PriorityP258high7.6CVSS 2.0
AVNACHAuNCCICAC
EXPLOIT
EPSS
59.62%
99.0th percentile
Unspecified vulnerability in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1, related to "An unchecked buffer" and possibly buffer overflows, allows remote attackers to execute arbitrary code via a crafted Windows Metafile (WMF) format image, aka "Windows Metafile Vulnerability."

Affected

7 ranges
VendorProductVersion rangeFixed in
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server
microsoftwindows_2003_server

Detection & IOCsextracted from sources · hover to see the quote

filenameMS053.wmf
bytes
d7 cd c6 9a 00 00 c6 fb ca 02 aa 02 39 09 e8 03 00 00 00 00 66 a6
bytes
d7 cd c6 9a 00 00 c6 fb ca 02 aa 02 39 09 e8 03 00 00 00 00 66 a6
  • Crafted WMF file with oversized mtSize (0x7fffffff) and mtMaxRecord (0xffffffff) fields in the header is a strong indicator of exploit attempt; inspect WMF headers for anomalous/maximum field values.
  • Crafted WMF file with mtSize and Largest record size both set to 0xffffffff causes 100% CPU utilization in Internet Explorer; detect WMF files with these fields set to maximum DWORD value.
  • The vulnerability is in GDI32.DLL's Graphics Rendering Engine when processing Windows Metafile (WMF) images; monitor for rendering of WMF files from remote/untrusted sources via Explorer or Internet Explorer on unpatched systems.

CVSS provenance

nvdv2.07.6HIGHAV:N/AC:H/Au:N/C:C/I:C/A:C
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.