CVE-2008-1087
Published 2008-04-08
Priority: P2 (65) · Severity: critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 56.60% (98.9th percentile)
Stack-based buffer overflow in GDI in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Vista, and Server 2008 allows remote attackers to execute arbitrary code via an EMF image file with crafted filename parameters, aka "GDI Stack Overflow Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows-nt | — | — |
Detection & IOCs (extracted from sources)
- The exploit targets the EMR_COLORMATCHTOTARGETW record in EMF image files to trigger a stack-based buffer overflow in GDI32.dll via crafted filename parameters.
- Malicious EMF files crafted to exploit this vulnerability can be detected by scanning for anomalous EMR_COLORMATCHTOTARGETW records with oversized filename parameter fields.
- On Windows XP SP2, exploitation only causes a crash (DoS) of explorer.exe due to GS cookie protection on the vulnerable function; successful RCE is limited to unpatched Windows 2000 SP4 and XP SP1 targets.
- The exploit was tested specifically against GDI32.dll version 5.1.2600.1106 (XP SP1); detection and exploitation behaviour may differ on other versions.
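A defender-side scanner for the detection heuristic above, added here as an example (not code from the page or from any of the listed sources). It assumes the EMR_COLORMATCHTOTARGETW layout documented in MS-EMF (Type, Size, dwAction, dwFlags, cbName, cbData, Data) and a MAX_PATH-based threshold for cbName; the sample files it checks are constructed inline.

```python
import struct

# EMF record types from MS-EMF; EMR_COLORMATCHTOTARGETW is record type 121 (0x79).
EMR_HEADER = 0x01
EMR_EOF = 0x0E
EMR_COLORMATCHTOTARGETW = 0x79
EMF_SIGNATURE = 0x464D4520  # " EMF" at offset 40 of the header record

# Assumed detection threshold: the Name field holds a colour-profile filename, so a
# cbName beyond MAX_PATH (260) UTF-16 code units is never a legitimate value.
MAX_NAME_BYTES = 260 * 2


def scan_emf(data: bytes) -> list[tuple[int, str]]:
    """Walk the record stream and return (offset, reason) for each suspicious record."""
    findings = []
    if len(data) < 88 or struct.unpack_from("<I", data, 0)[0] != EMR_HEADER \
            or struct.unpack_from("<I", data, 40)[0] != EMF_SIGNATURE:
        return [(0, "not an EMF file")]
    off = 0
    while off + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or size % 4 or off + size > len(data):
            findings.append((off, f"malformed record size {size}"))
            break
        if rtype == EMR_COLORMATCHTOTARGETW:
            if size < 24:
                findings.append((off, "EMR_COLORMATCHTOTARGETW shorter than its fixed header"))
            else:
                # Fixed part: Type, Size, dwAction, dwFlags, cbName, cbData; then Data.
                cb_name, cb_data = struct.unpack_from("<II", data, off + 16)
                if cb_name > MAX_NAME_BYTES:
                    findings.append((off, f"oversized cbName={cb_name}"))
                if cb_name + cb_data > size - 24:
                    findings.append((off, "cbName+cbData exceeds record payload"))
        if rtype == EMR_EOF:
            break
        off += size
    return findings


def build_sample(cb_name: int, name_bytes: bytes) -> bytes:
    """Constructed test fixture: minimal header, one COLORMATCHTOTARGETW record, EOF."""
    header = bytearray(88)
    struct.pack_into("<II", header, 0, EMR_HEADER, 88)
    struct.pack_into("<I", header, 40, EMF_SIGNATURE)
    payload = name_bytes + b"\0" * (-len(name_bytes) % 4)  # records are DWORD-aligned
    rec = struct.pack("<IIIIII", EMR_COLORMATCHTOTARGETW, 24 + len(payload),
                      0, 0, cb_name, 0) + payload
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)  # nPalEntries, offPalEntries, SizeLast
    return bytes(header) + rec + eof
```

The second check (cbName plus cbData larger than the record's own payload) catches files whose declared lengths disagree with the bytes actually present, which a length-honest scan on cbName alone would miss.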
No detection rules found.
Exploit-DB: Microsoft Windows - GDI (EMR_COLORMATCHTOTARGETW) (MS08-021)
exploitdb · 2008-10-02 · CVE-2008-1087
---
EMR_COLORMATCHTOTARGETW stack buffer overflow exploit
By Ac!dDrop
This is one of the 2 vulnerabilities of MS08-021
Tested on Windows XP Professional SP1
GDI32.dll 5.1.2600.1106
kernel32.dll 5.1.2600.1106
ws2_32.dll 5.1.2600.0
calc.zip ---> executes calculator
IE.zip and localhost.zip ---> connect to localhost on port 230
On Windows XP SP2 it only causes a denial of service.
- (Vulnerable function guarded with a GS cookie)
- (The function which copies data to the stack has an exception handler which recovers from access violations, so you can't exploit it by hitting the next page.)
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6656.tgz (2008-Gdi.tgz)
# milw0rm.com [2008-10-02]
Exploit-DB: Microsoft Windows - GDI Image Parsing Stack Overflow (MS08-021)
exploitdb · 2008-04-14 · CVE-2008-1087
---
/////////////////////////////////////////////////////////////
///Exploit the MS08-021 : Stack Overflow on GDI API
///Author: Lamhtz
///Date: April 14th, 2008
///Usage: [filename]
///Function: Generate a crafted emf file which could
/// automatically run calc.exe in Win2kSP4 CHS Version
/// with MS07-046 patched but MS08-021 not installed.
/// In Windows XP SP2, explorer.exe will crash but
/// calc will not be run.
/////////////////////////////////////////////////////////////
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5442.zip (2008-exploit_08021.zip)
// milw0rm.com [2008-04-14]
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=120845064910729&w=2
- http://secunia.com/advisories/29704
- http://www.osvdb.org/44215
- http://www.securityfocus.com/bid/28570
- http://www.securitytracker.com/id?1019798
- http://www.us-cert.gov/cas/techalerts/TA08-099A.html
- http://www.vupen.com/english/advisories/2008/1145/references
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-021
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5580
- https://www.exploit-db.com/exploits/5442
- https://www.exploit-db.com/exploits/6656