CVE-2005-4560
published 2005-12-28


Priority: P2 (76, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ITW / EXPLOIT: VulnCheck KEV, exploited in the wild
EPSS: 86.48% (99.7th percentile)
The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.

Affected (15 ranges)

Vendor      Product               Version range                Fixed in
debian      wine                  < wine 0.9.2-1 (bookworm)    wine 0.9.2-1 (bookworm)
microsoft   windows_2003_server   (7 ranges, no version data)
wine        wine                  (4 ranges, no version data)
wine        wine                  >= 0, < 0.9.2-1              0.9.2-1   (3 ranges)

Detection & IOCs (extracted from sources)

other:    SETABORTPROC GDI Escape function (WMF Escape record, function byte 0x26)
filename: *.wmf
path:     gdi/driver.c
path:     gdi/printdrv.c
path:     wine/dlls/gdi/metafile.c
  • Detect WMF files containing an Escape() record with function number low-byte 0x26 (SETABORTPROC), which is the trigger for this exploit. The Metasploit module encodes this as `(rand(256) << 8) + 0x26` — the low byte is always 0x26.
  • The exploit generates a random WMF record stream per request to evade static signatures; detection should focus on the structural presence of the Escape() record with SETABORTPROC (0x26 low byte) rather than fixed byte sequences.
  • The WMF exploit payload is delivered with Content-Type 'text/plain' despite being a binary WMF file — anomalous MIME type for WMF delivery can be a detection signal.
  • The WMF Escape record in the exploit uses a Size field of 4 WORDs (packed as DWORD 4) followed by the SETABORTPROC function word and parameter count 9 — this specific record structure can be matched.
  • On Wine/Linux, monitor for SETABORTPROC GDI Escape calls originating from WMF file processing in gdi/driver.c or gdi/printdrv.c; Wine versions prior to 0.9.2-1 are vulnerable.
  • The Metasploit module randomizes the WMF record stream, WMF header fields (FileSize, NumOfObjects, MaxRecordSize, NumOfParams, Version), and the high byte of the Escape function number on every request, making purely static/hash-based detection unreliable.
  • Payload space is also randomized per request (1000 + rand(256)*4 bytes), so payload size alone cannot be used as a fixed detection threshold.
  • The Wine variant (CVE-2006-0106) affects a different codebase (gdi/driver.c, gdi/printdrv.c) than the original Windows GDI vulnerability; detection rules targeting Windows GDI may not cover Wine-based exploitation.
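As an added example, not code from this page or from any of the sources it cites, the following Python scanner walks a WMF record stream and flags Escape records that select SETABORTPROC, matching on the low byte of the record function as the bullets above recommend. The sample files it scans are constructed inline; the only format assumptions are the standard 18-byte META_HEADER, the optional 22-byte placeable header and the RecordSize/RecordFunction record layout.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte placeable (Aldus) header
META_EOF = 0x0000
META_ESCAPE_LOW_BYTE = 0x26    # META_ESCAPE is 0x0626; GDI dispatches on the low byte only
ESCAPE_SETABORTPROC = 9        # GDI Escape function number that triggers CVE-2005-4560


def iter_wmf_records(data: bytes):
    """Yield (offset, function_word, params) for every record in a WMF stream."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        raise ValueError("truncated META_HEADER")
    off += 18  # META_HEADER: Type, HeaderSize, Version, Size, NumObjects, MaxRecord, NumMembers
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # RecordSize (WORDs), RecordFunction
        if size_words < 3:
            raise ValueError(f"invalid record size at offset {off}")
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == META_EOF or end > len(data):  # stop at EOF or on a truncated record
            break
        off = end


def find_setabortproc_escapes(data: bytes):
    """Return offsets of Escape records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        # Compare the low byte only: the exploit randomises the high byte per request.
        if (func & 0xFF) == META_ESCAPE_LOW_BYTE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == ESCAPE_SETABORTPROC:
                hits.append(off)
    return hits


def build_sample(record_func: int, escape_func: int) -> bytes:
    """Constructed test input: minimal WMF with one 4-WORD Escape record plus an EOF record."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x300, 16, 0, 4, 0)  # 32-byte file, MaxRecord 4 WORDs
    escape = struct.pack("<IHH", 4, record_func, escape_func)   # size 4 WORDs, function, escape no.
    eof = struct.pack("<IH", 3, META_EOF)
    return header + escape + eof


if __name__ == "__main__":
    print(find_setabortproc_escapes(build_sample(0xAB26, ESCAPE_SETABORTPROC)))  # [18]
    print(find_setabortproc_escapes(build_sample(0x0626, 1)))                    # []
```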

CVSS provenance

nvd:            v2.0  7.5  HIGH    AV:N/AC:L/Au:N/C:P/I:P/A:P
osv:                  7.5  HIGH
vulncheck:            7.5  HIGH
vendor_debian:        7.5  MEDIUM