Vulnerabilities > CVE-2007-3034 - Numeric Errors vulnerability in Microsoft products

CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Integer overflow in the AttemptWrite function in Graphics Rendering Engine (GDI) on Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted metafile (image) with a large record length value, which triggers a heap-based buffer overflow.

Common Weakness Enumeration (CWE)

Exploit-Db

description: MS Windows (GDI32.DLL) Denial of Service Exploit (MS07-046). CVE-2007-3034. DoS exploit for the Windows platform
idEDB-ID:4337
last seen2016-01-31
modified2007-08-29
published2007-08-29
reporterGil-Dong / Woo-Chi
sourcehttps://www.exploit-db.com/download/4337/
titleMicrosoft Windows - GDI32.DLL Denial of Service Exploit MS07-046

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS07-046.NASL
description: The remote host contains a version of Microsoft Windows that has several vulnerabilities in the Graphic Rendering Engine and in the way Windows handles Metafiles. An attacker may exploit these flaws to execute arbitrary code on the remote host. To exploit these flaws, an attacker would need to send a specially crafted image to a user on the remote host, or lure them into visiting a rogue website that hosts such a file.
last seen2020-06-01
modified2020-06-02
plugin id25884
published2007-08-14
reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/25884
titleMS07-046: Vulnerability in GDI Could Allow Remote Code Execution (938829)
code
#
# (C) Tenable Network Security, Inc.
#
# Nessus plugin for MS07-046 (KB 938829 / CVE-2007-3034): reports a
# Windows 2000, XP or Server 2003 host whose gdi32.dll predates the
# fixed build.  The block below only registers the plugin's metadata
# with the engine; the file-version check follows after the includes.

include("compat.inc");

# Registration pass: when the engine loads the plugin with `description`
# set, publish identifiers, attributes and dependencies, then exit
# without running the scan-time code further down.
if (description)
{
 script_id(25884);
 script_version("1.30");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 # Cross-references: CVE, BugTraq, Microsoft bulletin/KB and CERT note.
 script_cve_id("CVE-2007-3034");
 script_bugtraq_id(25302);
 script_xref(name:"MSFT", value:"MS07-046");
 script_xref(name:"MSKB", value:"938829");
 
 script_xref(name:"CERT", value:"640136");

 script_name(english:"MS07-046: Vulnerability in GDI Could Allow Remote Code Execution (938829)");
 script_summary(english:"Determines the presence of update 938829");

 # User-facing text shown in the report for a vulnerable host.
 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host by sending a
malformed file to a victim.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of Microsoft Windows that has
several vulnerabilities in the Graphic Rendering Engine and in the way
Windows handles Metafiles.

An attacker may exploit these flaws to execute arbitrary code on the
remote host.  To exploit this flaw, an attacker would need to send a
specially crafted image to a user on the remote host, or lure him into
visiting a rogue website containing such a file.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-046");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP, 2003 and
Vista.");
 # CVSSv2 base vector AV:N/AC:M/Au:N/C:C/I:C/A:C; the temporal vector
 # records a proof-of-concept exploit and an official fix.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 # CWE-189: Numeric Errors (the integer overflow in AttemptWrite).
 script_cwe_id(189);

 script_set_attribute(attribute:"vuln_publication_date", value:"2007/08/14");
 script_set_attribute(attribute:"patch_publication_date", value:"2007/08/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2007/08/14");

 # Local (credentialed) check against any Windows target.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Runs only after hotfix enumeration and the bulletin-check gate have
 # populated the KB; needs the SMB ports (139/445) or a patch-management
 # result to be available.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

# Scan-time entry: stop unless the bulletin-check prerequisites were collected.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS07-046';
kb = '938829';
kbs = make_list(kb);

# If a third-party patch-management result is available, it is reported
# through hotfix_check_3rd_party with the same severity as the file check.
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Restrict the check to the service-pack ranges the bulletin covers.
if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'1') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

sysroot = hotfix_get_systemroot();
if (!sysroot) exit(1, "Failed to get the system root.");

sysroot_share = hotfix_path2share(path:sysroot);
if (!is_accessible_share(share:sysroot_share))
  audit(AUDIT_SHARE_FAIL, sysroot_share);

# Compare %SystemRoot%\system32\gdi32.dll against the first fixed build
# for each platform; the first match wins, later platforms are not probed.
# NOTE(review): only one Server 2003 (os 5.2) build string is compared;
# whether the x64/Itanium 2003 builds need a separate version is not
# visible here — confirm against hotfix_is_vulnerable's handling.
missing = 0;
if (hotfix_is_vulnerable(os:"5.2", sp:1, file:"gdi32.dll", version:"5.2.3790.2960", dir:"\system32", bulletin:bulletin, kb:kb))
  missing = 1;
else if (hotfix_is_vulnerable(os:"5.1", sp:2, file:"gdi32.dll", version:"5.1.2600.3159", dir:"\system32", bulletin:bulletin, kb:kb))
  missing = 1;
else if (hotfix_is_vulnerable(os:"5.0",       file:"gdi32.dll", version:"5.0.2195.7138", dir:"\system32", bulletin:bulletin, kb:kb))
  missing = 1;

if (missing)
{
  # Record the missing bulletin, report, then release the SMB session.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}

# Not vulnerable: release the SMB session and audit out.
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');

Oval

accepted2011-05-09T04:01:26.447-04:00
classvulnerability
contributors
  • nameRobert L. Hollis
    organizationThreatGuard, Inc.
  • nameJeff Cheng
    organizationOpsware, Inc.
  • nameJeff Cheng
    organizationOpsware, Inc.
  • nameJeff Cheng
    organizationOpsware, Inc.
  • nameShane Shaffer
    organizationG2, Inc.
definition_extensions
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows XP SP2 or later is installed
    ovaloval:org.mitre.oval:def:521
  • commentMicrosoft Windows XP SP1 (64-bit) is installed
    ovaloval:org.mitre.oval:def:480
  • commentMicrosoft Windows Server 2003 SP1 (x86) is installed
    ovaloval:org.mitre.oval:def:565
  • commentMicrosoft Windows Server 2003 (x64) is installed
    ovaloval:org.mitre.oval:def:730
  • commentMicrosoft Windows Server 2003 SP1 for Itanium is installed
    ovaloval:org.mitre.oval:def:1205
descriptionInteger overflow in the AttemptWrite function in Graphics Rendering Engine (GDI) on Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted metafile (image) with a large record length value, which triggers a heap-based buffer overflow.
familywindows
idoval:org.mitre.oval:def:2088
statusaccepted
submitted2007-08-15T09:28:35
titleRemote Code Execution Vulnerability in GDI
version73

Seebug

bulletinFamilyexploit
description: BUGTRAQ ID: 25302
CVE(CAN) ID: CVE-2007-3034

Microsoft Windows是微软发布的非常流行的操作系统。

Windows的图形设备接口(GDI)的GDI32函数AttemptWrite处理Windows元文件时可能会出现整数溢出,远程攻击者可能利用此漏洞提升自己的权限。

如下反汇编所示,很多GDI32 API函数都会调用AttemptWrite,如CreateMetaFileW。

77F4B519 mov esi, [ebp+0Ch] ; reported size of record in bytes
... ; (user-controlled)
77F4B548 mov eax, [ebx+0Ch] ; amount of buffer used in bytes ; (user-controlled)
77F4B548 lea ecx, [eax+esi] ; *** integer overflow ***
77F4B54E cmp ecx, [ebx+08h] ; buffer capacity
77F4B551 ja _no_memcpy
...
77F4B56D mov edi, [ebx] ; pointer to start of buffer
77F4B56F mov ecx, esi
77F4B574 add edi, eax ; now EDI points to unused buffer space
...
77F4B5BA mov eax, ecx
77F4B5BC shr ecx, 2
77F4B5BF rep movsd ; *** complete heap overwrite ***

如果创建了包含有超大记录长度的元文件就会触发堆溢出,因为memcpy试图将大约4GB的任意数据拷贝到堆块。这个拷贝大小会导致访问破坏,但在可以处理这种异常的程序中会导致执行任意指令。

Microsoft Windows XP SP2
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Server 2003 SP1
Microsoft Windows 2000 SP4

Microsoft
---------
Microsoft已经为此发布了一个安全公告(MS07-046)以及相应补丁:
MS07-046:Vulnerability in GDI Could Allow Remote Code Execution (938829)
链接: http://www.microsoft.com/technet/security/Bulletin/MS07-046.mspx?pf=true
idSSV:2122
last seen2017-11-19
modified2007-08-17
published2007-08-17
reporterRoot
titleMicrosoft Windows GDI AttemptWrite函数远程堆溢出漏洞(MS07-046)