MS Windows GDI Exploit
2008-10-04 23:49
The much-hyped MS08-021..
I finally got some news recently... here is what I know....
First, the official statement:
Microsoft Security Bulletin MS08-021 – Critical
Vulnerabilities in GDI Could Allow Remote Code Execution (948590)
Published: April 8, 2008 | Updated: April 11, 2008
Version: 1.2
General Information
Executive Summary
This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted EMF or WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
This is a critical security update for Microsoft Windows 2000 Service Pack 4, and all supported releases of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.
This security update addresses the vulnerability by modifying the way that GDI handles integer calculations and string parameters. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately.
My rough translation:
Windows update 948590: fixes a vulnerability in GDI that allows remote code execution.. (it should be two vulnerabilities)
This security update fixes two privately reported vulnerabilities in the GDI library. If a user opens a specially crafted EMF or WMF image file, either of the two vulnerabilities can allow remote code execution...
An attacker who successfully exploits them can take control of the whole system remotely, then install malware (trojans), modify data, and so on.
......a paragraph of filler omitted
This security update changes the way GDI handles string parameters and integer calculations...
First, a word on the EMF and WMF file formats:
WMF format
WMF (Windows Metafile Format) is a common metafile format in Windows and is a vector format. Files are small and the drawings are stylized; a whole picture is usually assembled from independent parts, so the graphics tend to look coarse. A WMF is a header followed by a sequence of records, each carrying its own size field and a GDI function number.
EMF format
EMF (Enhanced Metafile) is a 32-bit extended Windows metafile format that Microsoft developed to make up for WMF's shortcomings. It is also a vector format, intended to make metafiles more widely usable. An EMF is likewise a sequence of records, each starting with a 4-byte record type and a 4-byte record size; the first record is the ENHMETAHEADER, which carries the " EMF" signature. The record sizes and the length fields inside individual records are exactly the "integer calculations and string parameters" the bulletin says the update changed, which is why a crafted file reaches the bug without any user interaction beyond opening it.
Now the paper published on milw0rm:
EMR_COLORMATCHTOTARGETW stack buffer overflow exploit
By Ac!dDrop
This is one of the 2 Vulnerabilities of MS08-021
Tested on Windows XP Professional SP1
Gdi32.dll 5.1.2600.1106
kernel32.dll 5.1.2600.1106
ws2_32.dll 5.1.2600.0
calc.zip---> executes calculator
IE.zip and localhost.zip ------> connects at localhost at port 230
On Windows XP SP2 only causes Denial of service.
-(Vulnerable function guarded with a GS cookie)
-(The function which copies data to stack has an exception handler which recovers from access violations so you can't exploit it by hitting next page ).
http://milw0rm.com/sploits/2008-Gdi.tgz
# milw0rm.com [2008-10-02]
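The record walk and length checks below are an added example written for this post; they are not code from the milw0rm package, from Ac!dDrop, or from Microsoft. The block assumes the public EMF layout: an 88-byte ENHMETAHEADER whose signature field at offset 40 is 0x464D4520, records that each begin with a 4-byte type and 4-byte size, and, for EMR_COLORMATCHTOTARGETW (type 121), the fixed fields dwAction, dwFlags, cbName and cbData followed by the UTF-16 name bytes and then cbData bytes of profile data. The sample metafiles are constructed inside the block. This page does not say which exact check GDI lacked before 948590, so the checks here are the ones any parser of this record needs before copying the name into a fixed buffer, not a reconstruction of the patch.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Record types and constants from the public EMF format (wingdi.h / MS-EMF). */
#define EMR_HEADER              1
#define EMR_EOF                 14
#define EMR_COLORMATCHTOTARGETW 121
#define EMF_SIGNATURE           0x464D4520u   /* " EMF" at header offset 40 */
#define ENHMETAHEADER_MIN_SIZE  88
/* EMR_COLORMATCHTOTARGETW fixed part: iType, nSize, dwAction, dwFlags, cbName, cbData */
#define CMTT_FIXED_SIZE         24

enum emf_status { EMF_OK = 0, EMF_BAD_HEADER, EMF_BAD_RECORD, EMF_BAD_COLORMATCH, EMF_NO_EOF };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* 1 if the name and profile bytes an EMR_COLORMATCHTOTARGETW record declares really lie
 * inside the record. Each length is compared against the space left before the other is
 * subtracted, so a cbName/cbData pair chosen to wrap around 2^32 cannot slip through. */
static int colormatch_fits(const uint8_t *rec, uint32_t size)
{
    uint32_t cbName, cbData, avail;
    if (size < CMTT_FIXED_SIZE) return 0;
    cbName = rd32(rec + 16);
    cbData = rd32(rec + 20);
    avail  = size - CMTT_FIXED_SIZE;
    if (cbName > avail || cbData > avail - cbName) return 0;
    if (cbName & 1) return 0;                 /* the name is UTF-16, so an even byte count */
    return 1;
}

/* Copies the record's target-profile name into a caller-supplied buffer of out_wchars
 * UTF-16 units. Returns the number of units copied, or -1 when cbName would overrun either
 * the record or the destination: the length check happens before the copy, never after. */
int extract_target_name(const uint8_t *rec, uint32_t size, uint16_t *out, size_t out_wchars)
{
    uint32_t cbName;
    if (!colormatch_fits(rec, size)) return -1;
    cbName = rd32(rec + 16);
    if (cbName / 2 > out_wchars) return -1;
    memcpy(out, rec + CMTT_FIXED_SIZE, cbName);
    return (int)(cbName / 2);
}

/* Walks every record of an in-memory EMF, checking that each declared record size fits in
 * the bytes that remain and that COLORMATCHTOTARGETW records are internally consistent.
 * On EMF_OK, *n_records receives the number of records up to and including EMR_EOF. */
enum emf_status emf_validate(const uint8_t *buf, size_t len, size_t *n_records)
{
    size_t off = 0, count = 0;
    if (len < ENHMETAHEADER_MIN_SIZE) return EMF_BAD_HEADER;
    if (rd32(buf) != EMR_HEADER || rd32(buf + 40) != EMF_SIGNATURE) return EMF_BAD_HEADER;
    while (off < len) {
        uint32_t type, size;
        if (len - off < 8) return EMF_BAD_RECORD;
        type = rd32(buf + off);
        size = rd32(buf + off + 4);
        /* nSize covers the 8-byte record header, is 4-byte aligned and cannot exceed what is left */
        if (size < 8 || (size & 3) || size > len - off) return EMF_BAD_RECORD;
        if (type == EMR_COLORMATCHTOTARGETW && !colormatch_fits(buf + off, size))
            return EMF_BAD_COLORMATCH;
        count++;
        off += size;
        if (type == EMR_EOF) { if (n_records) *n_records = count; return EMF_OK; }
    }
    return EMF_NO_EOF;                        /* ran off the end without an EOF record */
}

/* Constructed sample, not a metafile from the milw0rm package: header, one
 * EMR_COLORMATCHTOTARGETW record of rec_size bytes declaring cbName/cbData and carrying the
 * name "sRGB" in UTF-16LE, then EMR_EOF. buf must hold at least 88 + rec_size + 20 bytes. */
size_t build_sample(uint8_t *buf, uint32_t rec_size, uint32_t cbName, uint32_t cbData)
{
    static const char name[] = "sRGB";
    size_t off, i;
    memset(buf, 0, ENHMETAHEADER_MIN_SIZE + rec_size + 20);
    wr32(buf, EMR_HEADER);
    wr32(buf + 4, ENHMETAHEADER_MIN_SIZE);
    wr32(buf + 40, EMF_SIGNATURE);
    wr32(buf + 44, 0x10000);                  /* nVersion */
    off = ENHMETAHEADER_MIN_SIZE;
    wr32(buf + off, EMR_COLORMATCHTOTARGETW);
    wr32(buf + off + 4, rec_size);
    wr32(buf + off + 16, cbName);             /* dwAction/dwFlags stay zero */
    wr32(buf + off + 20, cbData);
    for (i = 0; i < sizeof name - 1 && CMTT_FIXED_SIZE + 2 * i + 1 < rec_size; i++)
        buf[off + CMTT_FIXED_SIZE + 2 * i] = (uint8_t)name[i];
    off += rec_size;
    wr32(buf + off, EMR_EOF);
    wr32(buf + off + 4, 20);
    wr32(buf + off + 16, 20);                 /* nSizeLast */
    off += 20;
    wr32(buf + 48, (uint32_t)off);            /* nBytes */
    wr32(buf + 52, 3);                        /* nRecords */
    return off;
}
```

Compile with `cc -std=c99` and hand `emf_validate` the bytes of a file. With a 40-byte record there are 16 bytes of payload: `build_sample(buf, 40, 10, 0)` validates and `extract_target_name` returns the 5 UTF-16 units of "sRGB" plus terminator, while `build_sample(buf, 40, 0xFFFFFFF0u, 0x20)` is rejected as EMF_BAD_COLORMATCH even though the two lengths sum to 16 modulo 2^32, which is the kind of integer-calculation error the bulletin describes. The point of `extract_target_name` is that the destination size is checked against cbName before the copy to a caller's fixed buffer, which is the copy-to-stack pattern the milw0rm note attributes to the vulnerable function.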
A bit awkward...
As the saying goes, what overflows is not necessarily exploitable...
First, crafted files in the emf and wmf formats should be exploitable....
But what about the other cases..?
There seem to be some problems...
Now milw0rm says it probably isn't..
Even if it can be exploited, as published above, there are many limitations...
Now a funny story about MS08-021:
I have no idea why this thing appeared...
I haven't found anywhere that MS08-052 can be exploited..
MS08-052 can definitely overflow, that much is certain, but as for exploiting it, I'm not clear on that...
Today uncle 0x0c (let's call that person that for now) also said it's impossible...
All I can say is: the people at [E.S.T] are amazing..
As for this GDI issue, I haven't figured it out either...
I've never seen exploit code... does it even exist?
Today we also joked: will someone suddenly publish it at XCon in November... heh
Microsoft's usual practice:
Microsoft thanks the following for working with us to help protect customers:
These gurus, thanks to them for reporting.. the GDI heap overflow...
- Jun Mao of iDefense Labs for reporting the GDI Heap Overflow Vulnerability (CVE-2008-1083).
- Sebastian Apelt of Zero Day Initiative for reporting the GDI Heap Overflow Vulnerability (CVE-2008-1083).
- Thomas Garnier of SkyRecon for reporting the GDI Heap Overflow Vulnerability (CVE-2008-1083).
- Yamata Li of Palo Alto Networks for reporting the GDI Stack and Heap Overflow Vulnerabilities (CVE-2008-1087 and CVE-2008-1083).
Stay tuned......