Vulnerabilities > CVE-2005-2123 - Unspecified vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
exploit available
NVD
Published: 2005-11-29
Updated: 2018-10-12

Summary

Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.

Vulnerable Configurations

Part Description Count
OS
Microsoft
9

Exploit-Db

descriptionMS Windows Metafile (mtNoObjects) Denial of Service Exploit (MS05-053). CVE-2005-0803,CVE-2005-2123,CVE-2005-2124. Dos exploit for windows platform
idEDB-ID:1346
last seen2016-01-31
modified2005-11-30
published2005-11-30
reporterWinny Thomas
sourcehttps://www.exploit-db.com/download/1346/
titleMicrosoft Windows Metafile - mtNoObjects Denial of Service Exploit MS05-053

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS05-053.NASL
descriptionThe remote host contains a version of Microsoft Windows missing a critical security update to fix several vulnerabilities in the Graphic Rendering Engine, and in the way Windows handles Metafiles. An attacker could exploit these flaws to execute arbitrary code on the remote host by sending a specially crafted Windows Metafile (WMF) or Enhanced Metafile (EMF) to a victim on the remote host. When viewing the malformed file, a buffer overflow condition occurs that may allow the execution of arbitrary code with the privileges of the user.
last seen2020-06-01
modified2020-06-02
plugin id20172
published2005-11-08
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/20172
titleMS05-053: Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(20172);
 script_version("1.39");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2005-2123", "CVE-2005-2124", "CVE-2005-0803");
 script_bugtraq_id (15352,15356);
 script_xref(name:"MSFT", value:"MS05-053");
 script_xref(name:"CERT", value:"134756");
 script_xref(name:"CERT", value:"300549");
 script_xref(name:"CERT", value:"433341");
 script_xref(name:"EDB-ID", value:"1343");
 script_xref(name:"EDB-ID", value:"25231");
 script_xref(name:"MSKB", value:"896424");

 script_name(english:"MS05-053: Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)");
 script_summary(english:"Determines the presence of update 896424");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host by sending a
malformed file to a victim.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of Microsoft Windows missing a
critical security update to fix several vulnerabilities in the Graphic
Rendering Engine, and in the way Windows handles Metafiles.

An attacker could exploit these flaws to execute arbitrary code on the
remote host by sending a specially crafted Windows Metafile (WMF) or
Enhanced Metafile (EMF) to a victim on the remote host.  When viewing
the malformed file, a buffer overflow condition occurs that may allow
the execution of arbitrary code with the privileges of the user.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-053");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP SP2 and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'Mozilla Firefox Interleaved document.write/appendChild Memory Corruption');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/17");
 script_set_attribute(attribute:"patch_publication_date", value:"2005/11/08");
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/11/08");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS05-053';
kb = '896424';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"gdi32.dll", version:"5.2.3790.419", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"gdi32.dll", version:"5.2.3790.2542", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"gdi32.dll", version:"5.1.2600.1755", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"gdi32.dll", version:"5.1.2600.2770", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0",       file:"gdi32.dll", version:"5.0.2195.7069", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

  • accepted2011-05-16T04:00:15.176-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameAnna Min
      organizationBigFix, Inc
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionMultiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.
    familywindows
    idoval:org.mitre.oval:def:1063
    statusaccepted
    submitted2005-11-09T12:00:00.000-04:00
    titleWMF Rendering Code Execution Vulnerability (Windows 2000)
    version70
  • accepted2011-05-16T04:00:27.415-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionMultiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.
    familywindows
    idoval:org.mitre.oval:def:1175
    statusaccepted
    submitted2005-11-09T12:00:00.000-04:00
    titleWMF Rendering Code Execution Vulnerability (32-bit Windows XP,SP2)
    version70
  • accepted2011-05-16T04:00:43.924-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionMultiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.
    familywindows
    idoval:org.mitre.oval:def:1263
    statusaccepted
    submitted2005-11-09T12:00:00.000-04:00
    titleWMF Rendering Code Execution Vulnerability (64-bit Windows XP and Server 2003,Unpatched)
    version70
  • accepted2011-05-16T04:01:17.604-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameMike Lah
      organizationThe MITRE Corporation
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionMultiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.
    familywindows
    idoval:org.mitre.oval:def:1546
    statusaccepted
    submitted2005-11-09T12:00:00.000-04:00
    titleWMF Rendering Code Execution Vulnerability (32-bit Windows XP,SP1)
    version70
  • accepted2011-05-16T04:03:22.258-04:00
    classvulnerability
    contributors
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionMultiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.
    familywindows
    idoval:org.mitre.oval:def:701
    statusaccepted
    submitted2005-11-09T12:00:00.000-04:00
    titleWMF Rendering Code Execution Vulnerability (64-bit Windows XP and Server 2003,SP1)
    version69

References