CVE-2011-5046
Published: 2011-12-30
Priority: P2 · 68 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: EXPLOIT
EPSS: 45.46% (98.6th percentile)
The Graphics Device Interface (GDI) in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted data, as demonstrated by a large height attribute of an IFRAME element rendered by Safari, aka "GDI Access Violation Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
- Crash originates from the win32k!NtGdiDrawStream syscall: monitor or block calls to NtGdiDrawStream with anomalous or large stream parameters from browser renderer processes.
- The exploit is triggered via a crafted IFRAME element with a large height attribute rendered by Apple Safari on Windows: inspect HTTP responses containing IFRAME tags with abnormally large height values.
- The call chain passes through win32k!EngDrawStream and win32k!NtGdiDrawStreamInternal before the fault; a kernel crash (BSoD) with bugcheck PAGE_FAULT_IN_NONPAGED_AREA (0x50) is the observable symptom.
- The fault occurs inside win32k!memmove called from win32k!NtGdiUpdateTransform; memory corruption in the win32k.sys GDI path is the root cause, and kernel bugcheck 0x50 (PAGE_FAULT_IN_NONPAGED_AREA) is the DoS indicator.
- The exploit was demonstrated specifically against Apple Safari on Windows 7 x64; other browsers may not trigger the vulnerable GdiDrawStream code path in the same way.
- The vulnerability affects a wide range of Windows versions (XP SP2/SP3, Server 2003 SP2, Vista SP2, Server 2008 SP2/R2/R2 SP1, Windows 7 Gold/SP1); detection and patching scope must cover all listed platforms.
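The second indicator above (IFRAME tags with abnormally large height values in HTTP responses) is the one a network or proxy defender can act on without kernel telemetry. The following is an added example, not code from this record, Microsoft, or any of the linked sources: it parses an HTML body with the standard-library HTMLParser and returns every IFRAME whose height attribute (or inline style height) exceeds a threshold. The threshold value, the function names and the sample HTML are constructed assumptions for demonstration; tune the threshold to what your own traffic baseline shows.

```python
"""Flag IFRAME elements whose height attribute is abnormally large.

Added detection example for CVE-2011-5046's IFRAME-height indicator.
Not code from the CVE record or from Microsoft; threshold, names and
sample HTML below are constructed for demonstration.
"""
import re
from html.parser import HTMLParser

# Assumed threshold: a height beyond this many CSS pixels is far outside
# anything a legitimate page uses and is worth flagging for review.
DEFAULT_MAX_HEIGHT = 100_000

# Plain pixel values only ("300", "300px"); percentages etc. are ignored.
_NUM = re.compile(r"^\s*(\d+)\s*(px)?\s*$", re.IGNORECASE)
_STYLE_HEIGHT = re.compile(r"height\s*:\s*(\d+)\s*px", re.IGNORECASE)


def parse_height(value):
    """Return the height as an int, or None when the attribute is absent,
    a percentage, 'auto', empty or otherwise not a plain pixel number."""
    if value is None:
        return None
    m = _NUM.match(value)
    return int(m.group(1)) if m else None


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag.

    HTMLParser lower-cases attribute names and routes self-closing
    <iframe .../> tags through handle_starttag as well."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_oversized_iframes(html, max_height=DEFAULT_MAX_HEIGHT):
    """Return [(height, src), ...] for each <iframe> whose height exceeds
    max_height, taken from the height attribute or an inline style."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for attrs in parser.iframes:
        height = parse_height(attrs.get("height"))
        if height is None:
            m = _STYLE_HEIGHT.search(attrs.get("style") or "")
            if m:
                height = int(m.group(1))
        if height is not None and height > max_height:
            hits.append((height, attrs.get("src") or ""))
    return hits


# Constructed sample response body (not taken from any real page).
SAMPLE_HTML = """
<html><body>
<iframe src="https://example.invalid/widget" height="300" width="400"></iframe>
<iframe src="https://example.invalid/x" height="1000000"></iframe>
<iframe src="https://example.invalid/y" style="height: 5000000px"/>
<iframe src="https://example.invalid/z" height="100%"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for height, src in find_oversized_iframes(SAMPLE_HTML):
        print(f"suspicious iframe: height={height} src={src}")
```

Run over a decoded response body (after any gzip or chunked decoding); percentages and missing heights are deliberately ignored so the check stays silent on ordinary layouts, and the reported height lets an analyst sort hits by how far outside the baseline they fall.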
No detection rules found.
No writeups or analysis indexed.
References
- http://osvdb.org/77908
- http://secunia.com/advisories/47237
- http://twitter.com/w3bd3vil/statuses/148454992989261824
- http://www.exploit-db.com/exploits/18275
- http://www.securitytracker.com/id?1026450
- http://www.us-cert.gov/cas/techalerts/TA12-045A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-008
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71873
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14603