CVE-2017-0005
published 2017-03-17


Priority: P1 (80, high)
CVSS 3.1 base score: 7.8 (AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-06-14
Exploited in the wild
EPSS: 11.02% (95.4th percentile)
The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application, aka "Windows GDI Elevation of Privilege Vulnerability." This vulnerability is different from those described in CVE-2017-0001, CVE-2017-0025, and CVE-2017-0047.

Affected

18 ranges

Vendor | Product | Version range | Fixed in
microsoft | windows_10 | |
microsoft | windows_10 | |
microsoft | windows_server_2008 | |
microsoft | windows_server_2012 | |
microsoft_corporation | windows_gdi | |
msrc | windows_10 | |
msrc | windows_10_version_1511 | |
msrc | windows_10_version_1607 | |
msrc | windows_7 | |
msrc | windows_8.1 | |
msrc | windows_rt_8.1 | |
msrc | windows_server_2008 | |
msrc | windows_server_2008_r2 | |
msrc | windows_server_2012 | |
msrc | windows_server_2012_r2 | |
msrc | windows_server_2016 | |
msrc | windows_vista_service_pack_2 | |
msrc | windows_vista_x64_edition_service_pack_2 | |

Detection & IOCs (extracted from sources)

path: F:\code\2015\rundll32_getadmin\Add\x64\Release\Add.pdb
command: rundll32.exe Add.dll AddByGod [password]
  • The CVE-2017-0005 exploit (Jian/EpMe) uses a multi-staged packer that is shared across multiple Chinese APT exploit samples including CVE-2019-0803; hunting for this packer pattern can identify related samples.
  • Both CVE-2017-0005 and CVE-2019-0803 exploit loaders use PAGE_EXECUTE_READWRITE memory allocation; this memory protection flag in the context of GDI exploitation can be a behavioral detection signal.
  • The exploit loader exports a function named 'AddByGod' and is invoked via rundll32.exe; monitoring rundll32.exe execution with non-standard export names is a detection opportunity.
  • ZIRCONIUM (APT31) uses AES256 with a SHA1-derived key to decrypt exploit code; detecting AES256/SHA1 key derivation patterns in shellcode or loaders may identify this family.
  • When ignoring ASLR (random page allocation), both the Microsoft-documented sample and the analyzed sample use the same lower 3 nibbles of addresses; this address pattern consistency can assist in memory forensics or crash dump analysis.
  • The CVE-2017-0005 exploit (Jian) is a Local Privilege Escalation; an attacker must already have local logon access to the system before exploitation is possible.
  • The exploit targets GDI object handling in memory across a wide range of Windows versions (Vista SP2 through Windows 10 1607); detection rules should account for all affected OS versions.
  • Multiple malware families attributed exclusively to Chinese-affiliated groups have used the same packer variant over many years; the packer alone is not sufficient to attribute to a specific campaign without additional context.
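One way to act on the rundll32.exe export-name signal listed above, as an added example that is not from the page's sources: a small Python hunt over constructed process-creation command lines. The allowlist of benign export names, the user-writable-path heuristic and the sample lines are assumptions for illustration; extend the allowlist from your own telemetry.

```python
import re
import shlex

# Assumed baseline of export names that benign rundll32.exe invocations commonly use.
KNOWN_EXPORTS = {
    "control_rundll", "printuientry", "installhinfsection", "launchinfsection",
    "shellexec_rundll", "openas_rundll", "shopenverbapplet",
}
# Added heuristic: a DLL loaded from a user-writable directory is a second signal.
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|users\\[^\\]+\\downloads)\\", re.I)

# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    r'rundll32.exe Add.dll AddByGod s3cret',
    r'rundll32.exe shell32.dll,Control_RunDLL hotplug.dll',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\bob\AppData\Local\Temp\Add.dll,AddByGod',
    r'rundll32.exe printui.dll,PrintUIEntry /in /n \\srv\printer',
    r'notepad.exe C:\notes.txt',
]

def parse_rundll32(cmdline):
    """Return (dll, export, args) for a rundll32.exe command line, else None.
    Accepts both the documented 'dll,Export' form and the space-separated
    'dll Export' form seen in the CVE-2017-0005 loader command."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:
        return None
    if not argv or not argv[0].strip('"').lower().endswith("rundll32.exe"):
        return None
    rest = argv[1:]
    if rest and "," in rest[0]:
        dll, export = rest[0].split(",", 1)
        return dll.strip('"'), export, rest[1:]
    if len(rest) >= 2:
        return rest[0].strip('"'), rest[1], rest[2:]
    return None

def assess(cmdline):
    """Return the list of reasons a command line is suspicious (empty if none)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    dll, export, _ = parsed
    reasons = []
    if export.lower() not in KNOWN_EXPORTS:
        reasons.append(f"non-standard export '{export}'")
    if USER_WRITABLE.search(dll):
        reasons.append(f"DLL '{dll}' loaded from a user-writable location")
    return reasons

def hunt(events):
    """Return [(cmdline, reasons)] for every event that raised at least one reason."""
    return [(line, assess(line)) for line in events if assess(line)]
```

Running `hunt(SAMPLE_EVENTS)` flags only the two AddByGod lines; the shell32 and printui invocations use allowlisted exports and stay quiet.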

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C
vulncheck | | 7.8 | HIGH |
cisa | | 7.8 | HIGH |
vendor_msrc | | 7.0 | HIGH |