CVE-2006-5758
published 2006-11-06
CVE-2006-5758: The Graphics Rendering Engine in Microsoft Windows 2000 through 2000 SP4 and Windows XP through SP2 maps GDI Kernel structures on a global shared memory…
Priority P2 · 69 · high · 7.2 CVSS 2.0
AV:L/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS 6.33% (92.8th percentile)
The Graphics Rendering Engine in Microsoft Windows 2000 through 2000 SP4 and Windows XP through SP2 maps GDI Kernel structures on a global shared memory section that is mapped with read-only permissions, but can be remapped by other processes as read-write, which allows local users to cause a denial of service (memory corruption and crash) and gain privileges by modifying the kernel structures.
CVSS provenance
nvd · v2.0 · 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 7.2 HIGH
GHSA
GHSA-74g6-rhr7-4v93: The Graphics Rendering Engine in Microsoft Windows 2000 through 2000 SP4 and Windows XP through SP2 maps GDI Kernel structures on a global shared memo
ghsa_unreviewed·2022-05-01
CVE-2006-5758 [HIGH] CWE-119 GHSA-74g6-rhr7-4v93: The Graphics Rendering Engine in Microsoft Windows 2000 through 2000 SP4 and Windows XP through SP2 maps GDI Kernel structures on a global shared memo
The Graphics Rendering Engine in Microsoft Windows 2000 through 2000 SP4 and Windows XP through SP2 maps GDI Kernel structures on a global shared memory section that is mapped with read-only permissions, but can be remapped by other processes as read-write, which allows local users to cause a denial of service (memory corruption and crash) and gain privileges by modifying the kernel structures.
VulnCheck
Microsoft Windows Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2006·CVSS 7.2
CVE-2006-5758 [HIGH] Microsoft Windows Improper Restriction of Operations within the Bounds of a Memory Buffer
The Graphics Rendering Engine in Microsoft Windows 2000 through 2000 SP4 and Windows XP through SP2 maps GDI Kernel structures on a global shared memory section that is mapped with read-only permissions, but can be remapped by other processes as read-write, which allows local users to cause a denial of service (memory corruption and crash) and gain privileges by modifying the kernel structures.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://archive.f-secure.com/weblog/archives/00001507
No detection rules found.
Exploit-DB
Microsoft Windows - '.ani' GDI Remote Privilege Escalation (MS07-017)
exploitdb·2007-04-26
CVE-2007-1215 Microsoft Windows - '.ani' GDI Remote Privilege Escalation (MS07-017)
---
MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3804.zip (04262007-gdi_remote_elevation_privilege_exploit_ms07_017_principal.zip)
# milw0rm.com [2007-04-26]
Exploit-DB
Microsoft Windows - GDI Privilege Escalation (MS07-017) (2)
exploitdb·2007-04-17
CVE-2007-1215 Microsoft Windows - GDI Privilege Escalation (MS07-017) (2)
---
/*
GDI Local Elevation of Privilege Vulnerability Exploit (MS07-017)
Coded by Lionel d'Hauenens
http://www.labo-asso.com
Development:
Dev-C++ 4.9.9.2
Linked with /lib/libgdi32.a
References:
http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
http://research.eeye.com/html/alerts/zeroday/20061106.html
http://www.milw0rm.com/exploits/3688
http://ivanlef0u.free.fr/?p=41
March 16, 2007
*/
#include
#include
#include
typedef enum _SECTION_INFORMATION_CLASS
{
    SectionBasicInformation,
    SectionImageInformation
} SECTION_INFORMATION_CLASS;
typedef struct _SECTION_BASIC_INFORMATION {
    ULONG Base;
    ULONG Attributes;
    LARGE_INTEGER Size;
} SECTION_BASIC_INFORMATION;
typedef struct _GDI_TABLE_ENTRY
{
    PVOID pKernelInfo;
    WOR
Exploit-DB
Microsoft Windows - GDI Privilege Escalation (MS07-017) (1)
exploitdb·2007-04-08
CVE-2007-1215 Microsoft Windows - GDI Privilege Escalation (MS07-017) (1)
---
#define _WIN32_WINNT 0x0500
#include
#include
#include
#pragma comment (lib, "user32.lib")
#pragma comment (lib, "gdi32.lib")
#pragma comment (lib, "shlwapi.lib")
#pragma comment (lib, "ntdll.lib")
/*
Here is a sploit for the GDI MS07-017 Local Privilege Escalation, presented during the last blackhat conferences
by Joel Eriksson. Modify the GdiTable of the current process and by calling good APIs change an entry of the
win32k's SSDT by 0x2.
before :
lkd> dps bf998300 L 2
bf998300 bf934921 win32k!NtGdiAbortDoc
bf998304 bf94648d win32k!NtGdiAbortPath
after :
lkd> dps bf998300 L 2
bf998300 00000002
bf998304 bf94648d win32k!NtGdiAbortPath
win32k.sys bDeleteBrush (called by DeleteObject)
mov esi, [edx] ;esi=pKernelInfo
cmp
No writeups or analysis indexed.
http://kernelwars.blogspot.com/2007/01/alive.html
http://projects.info-pull.com/mokb/MOKB-06-11-2006.html
http://secunia.com/advisories/22668
http://securitytracker.com/id?1017168
http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Eriksson
http://www.securityfocus.com/archive/1/466186/100/200/threaded
http://www.securityfocus.com/bid/20940
http://www.vupen.com/english/advisories/2006/4358
http://www.vupen.com/english/advisories/2007/1215
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-017
https://exchange.xforce.ibmcloud.com/vulnerabilities/30042
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2056
2006-11-06
Published
Exploited in the wild