CVE-2005-4560
Published 2005-12-28
Priority: P2 · 76 · high · 7.5 (CVSS 2.0)
Vector: AV:N / AC:L / Au:N / C:P / I:P / A:P
In the wild: exploited (VulnCheck KEV)
EPSS: 86.48% (99.7th percentile)
The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wine | < wine 0.9.2-1 (bookworm) | wine 0.9.2-1 (bookworm) |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| wine | wine | — | — |
| wine | wine | — | — |
| wine | wine | — | — |
| wine | wine | — | — |
| wine | wine | >= 0 < 0.9.2-1 | 0.9.2-1 |
| wine | wine | >= 0 < 0.9.2-1 | 0.9.2-1 |
| wine | wine | >= 0 < 0.9.2-1 | 0.9.2-1 |
Detection & IOCs (extracted from sources)
- Detect WMF files containing an Escape() record whose function number has low byte 0x26 (SETABORTPROC), which is the trigger for this exploit. The Metasploit module encodes it as `(rand(256) << 8) + 0x26`, so the low byte is always 0x26.
- The exploit generates a random WMF record stream per request to evade static signatures; detection should focus on the structural presence of the Escape() record with SETABORTPROC (low byte 0x26) rather than on fixed byte sequences.
- The WMF exploit payload is delivered with Content-Type `text/plain` despite being a binary WMF file; an anomalous MIME type for WMF delivery can be a detection signal.
- The WMF Escape record in the exploit uses a Size field of 4 WORDs (packed as DWORD 4) followed by the SETABORTPROC function word and parameter count 9; this specific record structure can be matched.
- On Wine/Linux, monitor for SETABORTPROC GDI Escape calls originating from WMF file processing in gdi/driver.c or gdi/printdrv.c; Wine versions prior to 0.9.2-1 are vulnerable.
- The Metasploit module randomizes the WMF record stream, the WMF header fields (FileSize, NumOfObjects, MaxRecordSize, NumOfParams, Version) and the high byte of the Escape function number on every request, making purely static or hash-based detection unreliable.
- Payload space is also randomized per request (1000 + rand(256)*4 bytes), so payload size alone cannot be used as a fixed detection threshold.
- The Wine variant (CVE-2006-0106) affects a different codebase (gdi/driver.c, gdi/printdrv.c) from the original Windows GDI vulnerability; detection rules targeting Windows GDI may not cover Wine-based exploitation.
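The detection notes above recommend matching the structure of the WMF record stream rather than fixed bytes, because the module randomizes the header fields, the record stream and the high byte of the Escape function number. The scanner below is an added example written for this page; it is not code from the CVE record, from Metasploit or from any vendor. It walks the WMF record list (DWORD size in WORDs, WORD function, WORD parameters), optionally skipping an Aldus placeable header, and flags any record whose function low byte is 0x26 and whose first parameter is escape function 9 (SETABORTPROC). It also treats a record whose declared size runs past the end of the data, or a stream with no META_EOF, as malformed rather than skipping it. The function names, the verdict strings and the sample byte streams (`BENIGN`, `SUSPECT`, `PLACEABLE`, `TRUNCATED`) are constructed for the example and carry no payload.

```python
"""Structural scan of a WMF byte stream for Escape() records that select SETABORTPROC.

Added example for this page (not code from the CVE record or the Metasploit
module it cites). Sample inputs below are constructed, not taken from any file.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header (22 bytes) may precede META_HEADER
META_ESCAPE = 0x0626           # record function for Escape(); the vulnerable check used only low byte 0x26
META_EOF = 0x0000
SETABORTPROC = 9               # escape function number carried as the Escape record's first parameter


def _body_offset(data):
    """Offset of META_HEADER: 22 if a placeable header is present, else 0."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return 22
    return 0


def iter_records(data):
    """Yield (offset, size_words, function, params) for each record in order.

    Raises ValueError for structurally impossible sizes or a missing META_EOF,
    since truncated or oversized records are themselves worth flagging.
    """
    off = _body_offset(data)
    if len(data) - off < 18:
        raise ValueError("too short for a META_HEADER")
    header_words = struct.unpack_from("<H", data, off + 2)[0]   # HeaderSize, normally 9 WORDs
    if header_words != 9:
        raise ValueError("unexpected META_HEADER size %d words" % header_words)
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError("record at %d claims %d words (minimum 3)" % (off, size_words))
        end = off + size_words * 2
        if end > len(data):
            raise ValueError("record at %d runs past end of data" % off)
        yield off, size_words, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record before end of data")


def find_setabortproc(data):
    """One finding per Escape-like record (function low byte 0x26), with its escape function."""
    findings = []
    for off, size_words, func, params in iter_records(data):
        if func & 0xFF != 0x26:
            continue
        escape_fn = struct.unpack_from("<H", params, 0)[0] if len(params) >= 2 else None
        findings.append({
            "offset": off,
            "function": func,
            "exact_meta_escape": func == META_ESCAPE,   # False when the high byte was randomized
            "escape_function": escape_fn,
            "setabortproc": escape_fn == SETABORTPROC,
        })
    return findings


def verdict(data):
    """'suspicious' if any SETABORTPROC escape is present, 'clean' otherwise, 'malformed: ...' on parse failure."""
    try:
        findings = find_setabortproc(data)
    except ValueError as exc:
        return "malformed: %s" % exc
    return "suspicious" if any(f["setabortproc"] for f in findings) else "clean"


# --- constructed sample inputs (hypothetical, no payload) ---------------------------

def _record(func, *params):
    """Build one WMF record: DWORD size in WORDs, WORD function, WORD parameters."""
    return struct.pack("<IH", 3 + len(params), func) + struct.pack("<%dH" % len(params), *params)


def build_wmf(records):
    """Wrap records in a minimal META_HEADER and terminate with META_EOF."""
    eof = _record(META_EOF)
    body = b"".join(records) + eof
    max_words = max(len(r) // 2 for r in records + [eof])
    total_words = (18 + len(body)) // 2
    # Type=1 (memory), HeaderSize=9, Version=0x0300, Size, NumberOfObjects, MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    return header + body


BENIGN = build_wmf([_record(0x0103, 1),                   # META_SETMAPMODE
                    _record(META_ESCAPE, 2, 0)])          # Escape(ABORTDOC), no data
SUSPECT = build_wmf([_record(0x0103, 1),
                     _record(0xA526, SETABORTPROC, 0)])   # randomized high byte, low byte 0x26
PLACEABLE = struct.pack("<I", PLACEABLE_MAGIC) + bytes(18) + SUSPECT   # same stream behind a placeable header
TRUNCATED = SUSPECT[:-4]                                  # META_EOF cut off

if __name__ == "__main__":
    for name, sample in (("BENIGN", BENIGN), ("SUSPECT", SUSPECT), ("PLACEABLE", PLACEABLE), ("TRUNCATED", TRUNCATED)):
        print(name, verdict(sample))
```

`find_setabortproc` reports the exact function word so a rule can distinguish a plain `0x0626` Escape record from one whose high byte was randomized, which is the pattern the notes above describe; the verdict deliberately keys on the escape function, not on record size or payload length, since both are randomized per request.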
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | MEDIUM | — |
Debian
CVE-2006-0106 [HIGH] wine (vendor_debian · 2006 · CVSS 7.5)
gdi/driver.c and gdi/printdrv.c in Wine 20050930, and other versions, implement the SETABORTPROC GDI Escape function call for Windows Metafile (WMF) files, which allows attackers to execute arbitrary code, the same vulnerability as CVE-2005-4560 but in a different codebase.
Scope: local
bookworm: resolved (fixed in 0.9.2-1)
bullseye: resolved (fixed in 0.9.2-1)
sid: resolved (fixed in 0.9.2-1)
trixie: resolved (fixed in 0.9.2-1)
GHSA
GHSA-37h2-23m8-m8pm for CVE-2006-0020 [HIGH] (ghsa_unreviewed · 2022-05-01 · CVSS 7.5)
An unspecified Microsoft WMF parsing application, as used in Internet Explorer 5.01 SP4 on Windows 2000 SP4, and 5.5 SP2 on Windows Millennium, and possibly other versions, allows attackers to cause a denial of service (crash) and possibly execute code via a crafted WMF file with a manipulated WMF header size, possibly involving an integer overflow, a different vulnerability than CVE-2005-4560, and aka "WMF Image Parsing Memory Corruption Vulnerability."
GHSA
GHSA-99rx-gg9c-3cmw for CVE-2006-0106 [HIGH] (ghsa_unreviewed · 2022-05-01 · CVSS 7.5)
gdi/driver.c and gdi/printdrv.c in Wine 20050930, and other versions, implement the SETABORTPROC GDI Escape function call for Windows Metafile (WMF) files, which allows attackers to execute arbitrary code, the same vulnerability as CVE-2005-4560 but in a different codebase.
GHSA
GHSA-w94w-cg39-6r6h for CVE-2005-4560 [HIGH] CWE-20 (ghsa_unreviewed · 2022-05-01 · CVSS 7.5)
The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.
GHSA
GHSA-5mx2-xfx8-2r84 for CVE-2007-1211 [HIGH] (ghsa_unreviewed · 2022-05-01 · CVSS 7.5)
Unspecified kernel GDI functions in Microsoft Windows 2000 SP4; XP SP2; and Server 2003 Gold, SP1, and SP2 allows user-assisted remote attackers to cause a denial of service (possibly persistent restart) via a crafted Windows Metafile (WMF) image that causes an invalid dereference of an offset in a kernel structure, a related issue to CVE-2005-4560.
OSV
CVE-2006-0106 [HIGH] (osv · 2006-01-06 · CVSS 7.5)
gdi/driver.c and gdi/printdrv.c in Wine 20050930, and other versions, implement the SETABORTPROC GDI Escape function call for Windows Metafile (WMF) files, which allows attackers to execute arbitrary code, the same vulnerability as CVE-2005-4560 but in a different codebase.
VulnCheck
CVE-2005-4560 [HIGH] Microsoft Windows Improper Input Validation (vulncheck · 2005 · CVSS 7.5)
The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2005-4560; https://learn.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-001
No detection rules found.
Exploit-DB
CVE-2005-4560: Microsoft Windows XP/Vista/2003 - Metafile Escape() SetAbortProc Code Execution (MS06-001) (Metasploit) (exploitdb · 2010-09-20)
Module source as listed (truncated in the source):
```ruby
##
# $Id: ms06_001_wmf_setabortproc.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution',
'Description' => %q{
This module exploits a vulnerability in the GDI library included with
Windows XP and 2003. This vulnerability uses the 'Escape' metafile function
to execute arbitrary code through the SetAbortProc procedure. This module
gener
```
Metasploit
Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution (metasploit)
This module exploits a vulnerability in the GDI library included with Windows XP and 2003. This vulnerability uses the 'Escape' metafile function to execute arbitrary code through the SetAbortProc procedure. This module generates a random WMF record stream for each request.
References:
- http://linuxbox.org/pipermail/funsec/2006-January/002455.html
- http://secunia.com/advisories/18255
- http://secunia.com/advisories/18311
- http://secunia.com/advisories/18364
- http://secunia.com/advisories/18415
- http://securitytracker.com/id?1015416
- http://support.avaya.com/elmodocs2/security/ASA-2006-001.htm
- http://vil.mcafeesecurity.com/vil/content/v_137760.htm
- http://www.f-secure.com/weblog/archives/archive-122005.html#00000753
- http://www.kb.cert.org/vuls/id/181038
- http://www.microsoft.com/technet/security/advisory/912840.mspx
- http://www.securityfocus.com/archive/1/420288/100/0/threaded
- http://www.securityfocus.com/archive/1/420351/100/0/threaded
- http://www.securityfocus.com/archive/1/420357/100/0/threaded
- http://www.securityfocus.com/archive/1/420367/100/0/threaded
- http://www.securityfocus.com/archive/1/420378/100/0/threaded
- http://www.securityfocus.com/archive/1/420446/100/0/threaded
- http://www.securityfocus.com/archive/1/420546/30/7730/threaded
- http://www.securityfocus.com/archive/1/420664/30/7730/threaded
- http://www.securityfocus.com/archive/1/420682/100/0/threaded
- http://www.securityfocus.com/archive/1/420684/100/0/threaded
- http://www.securityfocus.com/archive/1/420687/100/0/threaded
- http://www.securityfocus.com/archive/1/420773/100/0/threaded
- http://www.securityfocus.com/bid/16074
- http://www.us-cert.gov/cas/techalerts/TA05-362A.html
- http://www.us-cert.gov/cas/techalerts/TA06-005A.html
- http://www.vupen.com/english/advisories/2005/3086
- http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375341
- http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375420
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-001
- https://exchange.xforce.ibmcloud.com/vulnerabilities/23846
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1431
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1433
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1460
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1492
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1564
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1612