CVE-2017-0005
published 2017-03-17CVE-2017-0005: The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold…
PriorityP180high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2022-06-14
Exploited in the wild
EPSS
11.02%
95.4th percentile
The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application, aka "Windows GDI Elevation of Privilege Vulnerability." This vulnerability is different from those described in CVE-2017-0001, CVE-2017-0025, and CVE-2017-0047.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft_corporation | windows_gdi | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →The CVE-2017-0005 exploit (Jian/EpMe) uses a multi-staged packer that is shared across multiple Chinese APT exploit samples including CVE-2019-0803; hunting for this packer pattern can identify related samples. ↗
- →Both CVE-2017-0005 and CVE-2019-0803 exploit loaders use PAGE_EXECUTE_READWRITE memory allocation; this memory protection flag in the context of GDI exploitation can be a behavioral detection signal. ↗
- →The exploit loader exports a function named 'AddByGod' and is invoked via rundll32.exe; monitoring rundll32.exe execution with non-standard export names is a detection opportunity. ↗
- →ZIRCONIUM (APT31) uses AES256 with a SHA1-derived key to decrypt exploit code; detecting AES256/SHA1 key derivation patterns in shellcode or loaders may identify this family.
- →When ignoring ASLR (random page allocation), both the Microsoft-documented sample and the analyzed sample use the same lower 3 nibbles of addresses; this address pattern consistency can assist in memory forensics or crash dump analysis. ↗
- ·The CVE-2017-0005 exploit (Jian) is a Local Privilege Escalation; an attacker must already have local logon access to the system before exploitation is possible. ↗
- ·The exploit targets GDI object handling in memory across a wide range of Windows versions (Vista SP2 through Windows 10 1607); detection rules should account for all affected OS versions. ↗
- ·Multiple malware families attributed exclusively to Chinese-affiliated groups have used the same packer variant over many years; the packer alone is not sufficient to attribute to a specific campaign without additional context. ↗
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.9MEDIUMAV:L/AC:M/Au:N/C:C/I:C/A:C
vulncheck7.8HIGH
cisa7.8HIGH
vendor_msrc7.0HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-4vm3-h9r2-w6h6: The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-13·CVSS 7.8
CVE-2017-0047 [HIGH] GHSA-4vm3-h9r2-w6h6: The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application, aka "Windows GDI Elevation of Privilege Vulnerability." This vulnerability is different from those described in CVE-2017-0001, CVE-2017-0005 and CVE-2017-0025.
GHSA
GHSA-8w8f-9j37-53m3: The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-13·CVSS 7.8
CVE-2017-0005 [HIGH] CWE-119 GHSA-8w8f-9j37-53m3: The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application, aka "Windows GDI Elevation of Privilege Vulnerability." This vulnerability is different from those described in CVE-2017-0001, CVE-2017-0025, and CVE-2017-0047.
GHSA
GHSA-675h-vwc7-whcj: The kernel-mode drivers in Microsoft Windows Vista; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-13·CVSS 7.8
CVE-2017-0025 [HIGH] GHSA-675h-vwc7-whcj: The kernel-mode drivers in Microsoft Windows Vista; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The kernel-mode drivers in Microsoft Windows Vista; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability." This vulnerability is different from those described in CVE-2017-0001, CVE-2017-0005, and CVE-2017-0047.
GHSA
GHSA-3jwp-gjhp-77f3: The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-13·CVSS 7.8
CVE-2017-0001 [HIGH] GHSA-3jwp-gjhp-77f3: The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application, aka "Windows GDI Elevation of Privilege Vulnerability." This vulnerability is different from those described in CVE-2017-0005, CVE-2017-0025, and CVE-2017-0047.
VulnCheck
Microsoft Windows Graphics Device Interface (GDI) Privilege Escalation Vulnerability
vulncheck·2017·CVSS 7.8
CVE-2017-0005 [HIGH] CWE-119 Microsoft Windows Graphics Device Interface (GDI) Privilege Escalation Vulnerability
Microsoft Windows Graphics Device Interface (GDI) Privilege Escalation Vulnerability
The Graphics Device Interface (GDI) in Microsoft Windows allows local users to gain privileges via a crafted application.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2017-Mar; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/; https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains; https://research.checkpoint.com/2021/the-story-of-jian/; https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equati
CISA
Microsoft Windows Graphics Device Interface (GDI) Privilege Escalation Vulnerability
cisa·2022-05-24·CVSS 7.8
CVE-2017-0005 [HIGH] CWE-119 Microsoft Windows Graphics Device Interface (GDI) Privilege Escalation Vulnerability
Vulnerability: Microsoft Windows Graphics Device Interface (GDI) Privilege Escalation Vulnerability
Affected: Microsoft Windows
The Graphics Device Interface (GDI) in Microsoft Windows allows local users to gain privileges via a crafted application.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0005
Remediation Due Date: 2022-06-14
Microsoft
Windows GDI Elevation of Privilege Vulnerability
vendor_msrc·2017-03-14·CVSS 7.0
CVE-2017-0005 [HIGH] Windows GDI Elevation of Privilege Vulnerability
Windows GDI Elevation of Privilege Vulnerability
Description: An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses the vulnerability by correcting how GDI handles objects in memory and by preventing instances of unintended user-mode privilege elevation.
FAQ:
No detection rules found.
No public exploits indexed.
Checkpoint
The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day
blogs_checkpoint·2021-02-22
CVE-2017-0005 The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
AI Research 2
Android Malware 23
Artificial Intelligence 4
ChatGPT 3
Check Point Research Publications 455
Cloud Security 1
CPRadio 44
Crypto 2
Data & Threat Intelligence 2
Data Analysis 0
Demos 22
Global Cyber Attack Reports 408
How To Guides 13
Ransomware 5
Russo-Ukrainian War 1
Security Report 1
Threat and data analysis 0
Threat Research 174
Web 3.0 Security 11
Wipers 0
## The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day
Research by: Eyal Itkin and Itay Cohen
There is a theory which states that if anyone will ever manage to steal
Microsoft
Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005 | Microsoft Security Blog
blogs_microsoft·2017-03-27·CVSS 7.8
[HIGH] Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005 | Microsoft Security Blog
Research
March 27, 2017
## Related posts
April 22, 2024
October 25, 2023
September 14, 2023
## Get started with Microsoft Security
Protect your people, data, and infrastructure with AI-powered, end-to-end security from Microsoft.
Connect with us on social
Careers
About Microsoft
Company news
Privacy at Microsoft
Investors
Diversity and inclusion
Accessibility
Sustainability
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits & Vulnerabilities
# March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro
2017/03/15
Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB). This vulnerability potentially allows cyber criminals to render affected system
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Ausnutzung von Schwachstellen
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Sfruttamento vulnerabilità
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected sy
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits y vulnerabilidades
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected s
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits & Vulnerabilities
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro 2017/03/15 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected syst
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits & Vulnerabilities
## March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro Mar 15, 2017 Read time: ( words)
Save to Folio
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012 , which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB) . This vulnerability potentially allows cyber criminals to render affected sy
Qualys
Massive Microsoft Patch Tuesday Security Update for March
blogs_qualys·2017-03-14·CVSS 7.8
[HIGH] Massive Microsoft Patch Tuesday Security Update for March
Today Microsoft released a massive Patch Tuesday security update consisting of 17 security bulletins that fixed a total of 134 vulnerabilities. Out of the 17 security bulletins 8 were marked as Critical which could lead to remote code execution while the remaining were marked as Important. Since there were no patches released for February, in one way, a massive update was expected this month. We also liked the fact that Microsoft kept the older way of clubbing KB articles and patches in security bulletins which, in our opinion, is easy to read and provides better overall picture. But the Microsoft blog here , allude that sometime in the future Microsoft will stop publishing security bulletins.
The highest priority overall goes to the Windows GDI bulletin MS17-013 which could allow remote
Qualys
Massive Microsoft Patch Tuesday Security Update for March | Qualys
blogs_qualys·2017-03-14·CVSS 7.8
[HIGH] Massive Microsoft Patch Tuesday Security Update for March | Qualys
Today Microsoft released a massive Patch Tuesday security update consisting of 17 security bulletins that fixed a total of 134 vulnerabilities. Out of the 17 security bulletins 8 were marked as Critical which could lead to remote code execution while the remaining were marked as Important. Since there were no patches released for February, in one way, a massive update was expected this month. We also liked the fact that Microsoft kept the older way of clubbing KB articles and patches in security bulletins which, in our opinion, is easy to read and provides better overall picture. But the Microsoft blog here, allude that sometime in the future Microsoft will stop publishing security bulletins.
The highest priority overall goes to the Windows GDI bulletin MS17-013 which could allow remote c
Threat Intel
ZIRCONIUM (ZIRCONIUM, APT31, Violet Typhoon)
threat_intel
ZIRCONIUM (ZIRCONIUM, APT31, Violet Typhoon)
# Threat Actor Profile: ZIRCONIUM
ATT&CK ID: G0128
Also known as: ZIRCONIUM, APT31, Violet Typhoon
Suspected origin: China
## Overview
ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.(Citation: Microsoft Targeting Elections September 2020)(Citation: Check Point APT31 February 2021)
## Techniques (TTPs)
### Reconnaissance
- T1598 Phishing for Information
Usage: ZIRCONIUM targeted presidential campaign staffers with credential phishing e-mails.(Citation: Google Election Threats October 2020)
- T1598.003 Spearphishing Link
Usage: ZIRCONIUM has used web beacons in e-mails to track hits to attacker-controlled URL's.(Citat
Bugzilla
CVE-2017-2641 CVE-2017-2643 CVE-2017-2644 CVE-2017-2645 moodle: Multiple security vulnerabilities
bugzilla·2017-03-22·CVSS 9.8
CVE-2017-2641 [CRITICAL] CVE-2017-2641 CVE-2017-2643 CVE-2017-2644 CVE-2017-2645 moodle: Multiple security vulnerabilities
CVE-2017-2641 CVE-2017-2643 CVE-2017-2644 CVE-2017-2645 moodle: Multiple security vulnerabilities
Multiple security issues were fixed in the latest moodle release.
MSA-17-0005: SQL injection via user preferences
MSA-17-0007: Global search displays user names for unauthenticated users
MSA-17-0008: XSS in evidence of prior learning
MSA-17-0009: XSS in attachments to evidence of prior learning
References:
https://moodle.org/mod/forum/discuss.php?d=349027#p1408104
Discussion:
Created moodle tracking bugs for this issue:
Affects: epel-7 [bug 1434721]
Affects: fedora-all [bug 1434720]
http://www.securityfocus.com/bid/96033http://www.securitytracker.com/id/1038002https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0005http://www.securityfocus.com/bid/96033http://www.securitytracker.com/id/1038002https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0005https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0005
2017-03-17
Published
2022-05-24
Added to CISA KEV
Exploited in the wild