CVE-2008-1083
Published 2008-04-08
Priority: P268 (high) · CVSS 3.1: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 56.83% (98.9th percentile)
Heap-based buffer overflow in the CreateDIBPatternBrushPt function in GDI in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Vista, and Server 2008 allows remote attackers to execute arbitrary code via an EMF or WMF image file with a malformed header that triggers an integer overflow, aka "GDI Heap Overflow Vulnerability."
Detection & IOCs
- Look for malformed EMF or WMF image files with crafted headers that trigger an integer overflow in CreateDIBPatternBrushPt, leading to a heap-based buffer overflow in GDI32.dll.
- Monitor for crashes or silent termination of Explorer.exe and Internet Explorer when processing EMF/WMF files, which may indicate exploitation attempts against CVE-2008-1083.
- Detect EMF files containing the EMR_COLORMATCHTOTARGETW record type with oversized or malformed data, associated with the second vulnerability in MS08-021.
- The CreateDIBPatternBrushPt heap overflow PoC (exploit 6330) was noted as a work in progress and only demonstrated a crash, not arbitrary code execution, at time of publication.
CVSS provenance
nvd · v3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB
Microsoft Windows - GDI (EMR_COLORMATCHTOTARGETW) (MS08-021)
exploitdb · 2008-10-02 · CVE-2008-1087
---
EMR_COLORMATCHTOTARGETW stack buffer overflow exploit
By Ac!dDrop
This is one of the 2 Vulnerabilities of MS08-021
Tested on Windows XP Professional SP1
GDi32.dll 5.1.2600.1106
kernel32.dll 5.1.2600.1106
ws2_32.dll 5.1.2600.0
calc.zip---> executes calculator
IE.zip and localhost.zip ------> connects at localhost at port 230
On Windows XP SP2 it only causes denial of service.
-(Vulnerable function guarded with a GS cookie)
-(The function which copies data to the stack has an exception handler which recovers from access violations, so you can't exploit it by hitting the next page.)
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6656.tgz (2008-Gdi.tgz)
# milw0rm.com [2008-10-02]
Exploit-DB
Microsoft Windows - GDI (CreateDIBPatternBrushPt) Heap Overflow (PoC)
exploitdb · 2008-08-29 · CVE-2008-1083
---
CreateDIBPatternBrushPt Heap Overflow DOS
By Ac!dDrop
This was tested on
Windows XP SP2
GDI32.dll 5.1.2600.3099
Internet Explorer 6.0.2900.2180
Causes Explorer.exe to crash
and causes Internet Explorer to close silently.
This is a work in progress; I am still trying to make it run arbitrary code.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6330.rar (2008-EMF_DOS.rar)
# milw0rm.com [2008-08-29]
Exploit-DB
Microsoft Windows - GDI Image Parsing Stack Overflow (MS08-021)
exploitdb · 2008-04-14 · CVE-2008-1087
---
/////////////////////////////////////////////////////////////
///Exploit the MS08-021 : Stack Overflow on GDI API
///Author: Lamhtz
///Date: April 14th, 2008
///Usage: [filename]
///Function: Generate a crafted emf file which could
/// automatically run calc.exe in Win2kSP4 CHS Version
/// with MS07-046 patched but no MS08-021 is installed.
/// In Windows XP SP2, explorer.exe will crash but
/// calc will not be run.
/////////////////////////////////////////////////////////////
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5442.zip (2008-exploit_08021.zip)
// milw0rm.com [2008-04-14]
No writeups or analysis indexed.
- http://archives.neohapsis.com/archives/fulldisclosure/2008-04/0168.html
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=681
- http://marc.info/?l=bugtraq&m=120845064910729&w=2
- http://secunia.com/advisories/29704
- http://support.microsoft.com/kb/948590
- http://www.kb.cert.org/vuls/id/632963
- http://www.osvdb.org/44213
- http://www.osvdb.org/44214
- http://www.securityfocus.com/archive/1/490584/100/0/threaded
- http://www.securityfocus.com/bid/28571
- http://www.securityfocus.com/bid/30933
- http://www.securitytracker.com/id?1019798
- http://www.us-cert.gov/cas/techalerts/TA08-099A.html
- http://www.vupen.com/english/advisories/2008/1145/references
- http://www.zerodayinitiative.com/advisories/ZDI-08-020/
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-021
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41471
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5441
- https://www.exploit-db.com/exploits/5442
- https://www.exploit-db.com/exploits/6330