Vulnerabilities > CVE-2009-3126 - Numeric Errors vulnerability in Microsoft products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a crafted PNG image file, aka "GDI+ PNG Integer Overflow Vulnerability."

Common Weakness Enumeration (CWE)

Msbulletin

bulletin_idMS09-062
bulletin_url
date2009-10-13T00:00:00
impactRemote Code Execution
knowledgebase_id957488
knowledgebase_url
severityCritical
titleVulnerabilities in GDI+ Could Allow Remote Code Execution

Nessus

  • NASL familyWindows
    NASL idSMB_KB957488.NASL
    descriptionThe remote host has a version of SQL Server that may host the RSClientPrint ActiveX control that includes a copy of gdiplus.dll that is affected by multiple buffer overflow vulnerabilities when viewing TIFF, PNG, BMP, and Office files that could allow an attacker to execute arbitrary code on the remote host. Additionally, there is a GDI+ .NET API vulnerability that allows a malicious .NET application to gain unmanaged code execution privileges. To exploit these flaws, an attacker would need to send a malformed image file to a user on the remote host and wait for them to open it using an affected Microsoft application.
    last seen2020-06-01
    modified2020-06-02
    plugin id72908
    published2014-03-10
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72908
    titleMS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488) (uncredentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(72908);
      script_version("1.9");
      script_cvs_date("Date: 2018/11/15 20:50:28");
    
      script_cve_id(
        "CVE-2009-2500",
        "CVE-2009-2501",
        "CVE-2009-2502",
        "CVE-2009-2503",
        "CVE-2009-2504",
        "CVE-2009-2518",
        "CVE-2009-2528",
        "CVE-2009-3126"
      );
      script_bugtraq_id(
        36619,
        36645,
        36646,
        36647,
        36648,
        36649,
        36650,
        36651
      );
      script_xref(name:"MSFT", value:"MS09-062");
      script_xref(name:"IAVA", value:"2009-A-0099");
      script_xref(name:"MSKB", value:"957488");
    
      script_name(english:"MS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488) (uncredentialed check)");
      script_summary(english:"Checks the version of gdiplus.exe");
    
      script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host through the Microsoft
    GDI rendering engine.");
      script_set_attribute(attribute:"description", value:
    "The remote host has a version of SQL Server that may host the
    RSClientPrint ActiveX control that includes a copy of gdiplus.dll that
    is affected by multiple buffer overflow vulnerabilities when viewing
    TIFF, PNG, BMP, and Office files that could allow an attacker to execute
    arbitrary code on the remote host.  Additionally, there is a GDI+ .NET
    API vulnerability that allows a malicious .NET application to gain
    unmanaged code execution privileges. 
    
    To exploit these flaws, an attacker would need to send a malformed image
    file to a user on the remote host and wait for them to open it using an
    affected Microsoft application.");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-062");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for SQL Server 2000 and
    2005.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(94, 119, 189);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/10/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/10");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("mssqlserver_detect.nasl");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports(1433, "Services/mssql");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    port = get_service(svc:"mssql", exit_on_fail:TRUE);
    
    ver = get_kb_item("MSSQL/" + port + "/Version");
    if (!ver) audit(AUDIT_SERVICE_VER_FAIL,"MSSQL", port);
    
    v = split(ver, sep:".", keep:FALSE);
    for (i=0; i < max_index(v); i++)
      v[i] = int(v[i]);
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    pcidss = get_kb_item("Settings/PCI_DSS");
    
    if (
      # 2000 < SP2
      (pcidss && (v[0] == 8 && v[1] == 0 && v[2] < 534)) ||
      # 2000 SP2
      (v[0] == 8 && v[1] == 0 && (v[2] >= 1038 && v[2] < 1067)) ||
      # 2005 < SP2
      (pcidss && (v[0] == 9 && v[1] == 0 && v[2] < 3042)) ||
      # 2005 SP2 GDR
      (v[0] == 9 && v[1] == 0 && (v[2] >= 3000 && v[2] < 3080)) ||
      # 2005 SP2 QFE
      (v[0] == 9 && v[1] == 0 && (v[2] >= 3200 && v[2] < 3353)) ||
      # 2005 SP3 GDR
      (v[0] == 9 && v[1] == 0 && v[2] >= 4035 && v[2] < 4053) ||
      # 2005 SP3 QFE
      (v[0] == 9 && v[1] == 0 && v[2] >= 4200 && v[2] < 4262)
    )
    {
      security_hole(port);
      exit(0);
    }
    audit(AUDIT_INST_VER_NOT_VULN, "MSSQL", ver);
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS09-062.NASL
    descriptionThe remote host is running a version of Windows that is affected by multiple buffer overflow vulnerabilities when viewing TIFF, PNG, BMP, and Office files that could allow an attacker to execute arbitrary code on the remote host. Additionally, there is a GDI+ .NET API vulnerability that allows a malicious .NET application to gain unmanaged code execution privileges. To exploit these flaws, an attacker would need to send a malformed image file to a user on the remote host and wait for them to open it using an affected Microsoft application.
    last seen2020-06-01
    modified2020-06-02
    plugin id42118
    published2009-10-15
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42118
    titleMS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(42118);
      script_version("1.40");
      script_cvs_date("Date: 2018/11/15 20:50:30");
    
      script_cve_id(
        "CVE-2009-2500",
        "CVE-2009-2501",
        "CVE-2009-2502",
        "CVE-2009-2503",
        "CVE-2009-2504",
        "CVE-2009-2518",
        "CVE-2009-2528",
        "CVE-2009-3126"
      );
      script_bugtraq_id(
        36619,
        36645,
        36646,
        36647,
        36648,
        36649,
        36650,
        36651
      );
      script_xref(name:"IAVA", value:"2009-A-0099");
      script_xref(name:"MSFT", value:"MS09-062");
      script_xref(name:"MSKB", value:"958869");
      script_xref(name:"MSKB", value:"970894");
      script_xref(name:"MSKB", value:"970899");
      script_xref(name:"MSKB", value:"971022");
      script_xref(name:"MSKB", value:"971023");
      script_xref(name:"MSKB", value:"971104");
      script_xref(name:"MSKB", value:"972221");
      script_xref(name:"MSKB", value:"972580");
      script_xref(name:"MSKB", value:"972581");
      script_xref(name:"MSKB", value:"974811");
      script_xref(name:"MSKB", value:"975365");
    
      script_name(english:"MS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)");
      script_summary(english:"Checks the version of gdiplus.exe");
    
      script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host through the
    Microsoft GDI rendering engine.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Windows that is affected by
    multiple buffer overflow vulnerabilities when viewing TIFF, PNG, BMP,
    and Office files that could allow an attacker to execute arbitrary
    code on the remote host. Additionally, there is a GDI+ .NET API
    vulnerability that allows a malicious .NET application to gain
    unmanaged code execution privileges.
    
    To exploit these flaws, an attacker would need to send a malformed
    image file to a user on the remote host and wait for them to open it
    using an affected Microsoft application.");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-062");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows XP, 2003, Vista,
    2008, IE, .NET Framework, Office, SQL Server, Developer Tools, and
    Forefront.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_cwe_id(94, 119, 189);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/10/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/10/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/15");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_framework");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel_viewer");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint_viewer");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visio");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word_viewer");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:works");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "mssql_version.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS09-062';
    kbs = make_list("958869", "970894", "970899", "971022", "971023", "971104", "972221", "972580", "972581", "974811", "975365");
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(xp:'2,3', win2003:'2', vista:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    login   =  kb_smb_login();
    pass    =  kb_smb_password();
    domain  =  kb_smb_domain();
    port    =  kb_smb_transport();
    
    if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");
    
    hcf_init = TRUE;
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    vuln = 0;
    path = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:rootfile);
    office_versions = hotfix_check_office_version ();
    office_sp = get_kb_item("SMB/Office/SP");
    ver_list = get_kb_list("mssql/installs/*/SQLVersion");
    visiopaths = get_kb_item("SMB/Office/Visio/*/VisioPath");
    progfiles = hotfix_get_programfilesdir();
    cdir = hotfix_get_commonfilesdir();
    
    # Look in the registry for install info on a few of the apps being tested
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
    if (rc != 1)
    {
      NetUseDel();
      audit(AUDIT_SHARE_FAIL, "IPC$");
    }
    
    hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
    if (isnull(hklm))
    {
      NetUseDel();
      audit(AUDIT_REG_FAIL);
    }
    
    # Detect Visual Studio 2005 installs
    key = "SOFTWARE\Microsoft\VisualStudio\8.0";
    key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
    if (!isnull(key_h))
    {
      item = RegQueryValue(handle:key_h, item:"InstallDir");
      if (!isnull(item))
      {
        vs2005_path = item[1];
        vs2005_root = ereg_replace(
          pattern:"^(.+)\\Common7\\IDE\\$", replace:"\1", string:vs2005_path,
          icase:TRUE
        );
      }
    
      RegCloseKey(handle:key_h);
    }
    
    # Detect Visual FoxPro installs
    vfp8key = "SOFTWARE\Microsoft\VisualFoxPro\8.0\Setup\VFP";
    vfp8key_h = RegOpenKey(handle:hklm, key:vfp8key, mode:MAXIMUM_ALLOWED);
    if (!isnull(vfp8key_h))
    {
      item = RegQueryValue(handle:vfp8key_h, item:"ProductDir");
      if (!isnull(item)) vfp8_path = item[1];
    
      RegCloseKey(handle:vfp8key_h);
    }
    
    vfp9key = "SOFTWARE\Microsoft\VisualFoxPro\9.0\Setup\VFP";
    vfp9key_h = RegOpenKey(handle:hklm, key:vfp9key, mode:MAXIMUM_ALLOWED);
    if (!isnull(vfp9key_h))
    {
      item = RegQueryValue(handle:vfp9key_h, item:"ProductDir");
      if (!isnull(item)) vfp9_path = item[1];
    
      RegCloseKey(handle:vfp9key_h);
    }
    
    RegCloseKey(handle:hklm);
    NetUseDel(close:FALSE);
    
    r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
    if ( r != 1 )
    {
      NetUseDel();
      audit(AUDIT_SHARE_FAIL, share);
    }
    
    
    # IE 6 on Windows 2000 SP4 (KB958869)
    if (hotfix_is_vulnerable(os:"5.0", file:"Vgx.dll", version:"6.0.2800.1637", min_version:"6.0.0.0", dir:"\Microsoft Shared\VGX", path:cdir, bulletin:bulletin, kb:'958869'))
    {
      vuln++;
    }
    
    # Visio 2002 (KB975365)
    if (!isnull(visiopaths))
    {
      foreach visiopath (keys(visiopaths))
      {
        if ("10.0" >< visiopath)
        {
          if (hotfix_is_vulnerable(file:"visio.exe", version:"10.0.6885.4", min_version:"10.0.0.0", path:visiopath, dir:"\Visio10", bulletin:bulletin, kb:'975365'))
            vuln++;
        }
      }
    }
    
    msoxp_path = cdir + "\Microsoft Shared\Office10";
    
    # The fixes for Office XP SP3 and Visual Studio.NET SP1 both update the same
    # exact file.  The Office fix supersedes the VS .NET fix.
    if (office_versions["10.0"])
    {
      office_sp = get_kb_item("SMB/Office/XP/SP");
      if (!isnull(office_sp) && office_sp == 3)
      {
        # Office XP SP3 (KB974811)
        if(hotfix_is_vulnerable(file:"mso.dll", version:"10.0.6856.0", path:msoxp_path, bulletin:bulletin, kb:'974811'))
        {
          vuln++;
        }
      }
    }
    else
    {
      # Visual Studio .NET 2003 SP1 (KB971022).  The 'min_version' arg is used to
      # prevent from firing on Office XP < SP3
      if(hotfix_is_vulnerable(file:"mso.dll", version:"10.0.6855.0",   min_version:"10.0.6802.0", path:msoxp_path, bulletin:bulletin, kb:'971022'))
      {
        vuln++;
      }
    }
    
    # Office 2003 SP3 (KB972580)
    if (office_versions["11.0"])
    {
      office_sp = get_kb_item("SMB/Office/2003/SP");
      if (!isnull(office_sp) && office_sp == 3)
      {
        path = hotfix_get_officeprogramfilesdir(officever:"11.0") + "\Microsoft Office\OFFICE11";
    
        if (hotfix_is_vulnerable(file:"Gdiplus.dll", version:"11.0.8312.0",       min_version:"11.0.0.0", path:path, bulletin:bulletin, kb:'972580'))
        {
          vuln++;
        }
      }
    }
    
    # Office 2007 SP1 and SP2 (KB972581)
    if (office_versions["12.0"])
    {
      office_sp = get_kb_item("SMB/Office/2007/SP");
      if (!isnull(office_sp) && (office_sp == 1 || office_sp == 2))
      {
        path = hotfix_get_commonfilesdir() + "\Microsoft Shared\OFFICE12";
    
        if (hotfix_is_vulnerable(file:"Ogl.dll", version:"12.0.6509.5000", path:path, bulletin:bulletin, kb:'972581'))
        {
          vuln++;
        }
      }
    }
    
    # Visual FoxPro and the .NET Framework are only vulnerable on Windows 2000
    if (hotfix_check_sp(win2k:6) > 0)
    {
      if (
        # Visual FoxPro 8.0 SP1 (KB971104)
        hotfix_is_vulnerable(path:vfp8_path, file:"gdiplus.dll", version:"5.2.6001.22319", bulletin:bulletin, kb:'971104') ||
    
        # Visual FoxPro 9.0 SP2 (KB971105)
        hotfix_is_vulnerable(path:vfp9_path, file:"gdiplus.dll", version:"5.2.6001.22319", bulletin:bulletin, kb:'971105') ||
    
        # .NET Framework 1.1 SP1 (KB971108)
        hotfix_is_vulnerable(dir:"\Microsoft.Net\Framework\v1.1.4322", file:"gdiplus.dll", version:"5.2.6001.22319", min_version:"5.1.3102.1360", bulletin:bulletin, kb:'971108') ||
    
        # .NET Framework 2.0 SP1 (KB971110) and SP2 (KB971111)
        hotfix_is_vulnerable(dir:"\Microsoft.Net\Framework\v2.0.50727", file:"gdiplus.dll", version:"5.2.6001.22319", min_version:"5.1.3102.1355", bulletin:bulletin, kb:'971110')
      )
      {
        vuln++;
      }
    }
    
    # Visual Studio 2005 SP1 (KB971023)
    if (vs2005_root)
    {
      path = vs2005_root + '\\SDK\\v2.0\\BootStrapper\\Packages\\ReportViewer';
    
      if (hotfix_is_vulnerable(file:"reportviewer.exe", version:"2.0.50727.4401", min_version:"2.0.50727.0", path:path, bulletin:bulletin, kb:'971023'))
      {
        vuln++;
      }
    }
    
    # Visual Studio 2008
    if (progfiles)
    {
      path = progfiles + '\\Microsoft SDKs\\Windows\\v6.0A\\Bootstrapper\\Packages\\ReportViewer';
    
      if (
        # Visual Studio 2008 (KB972221)
        hotfix_is_vulnerable(file:"reportviewer.exe", version:"9.0.21022.227", min_version:"9.0.21022.0", path:path, bulletin:bulletin, kb:'972221') ||
    
        # Visual Studio 2008 SP1 (KB972222)
        hotfix_is_vulnerable(file:"reportviewer.exe", version:"9.0.30729.4402", min_version:"9.0.30729.0", path:path, bulletin:bulletin, kb:'972222')
      )
      {
        vuln++;
      }
    }
    
    foreach item (keys(ver_list))
    {
      item -= 'mssql/installs/';
      item -= '/SQLVersion';
      sqlpath = item;
    
      share = hotfix_path2share(path:sqlpath);
      if (!is_accessible_share(share:share)) continue;
    
      version = get_kb_item("mssql/installs/" + sqlpath + "/SQLVersion");
    
      if(version !~ "^9\.00\.")
        continue;
    
      sqledition = get_kb_item("mssql/installs/" + sqlpath + "/edition_type");
      if(isnull(sqledition))
        sqledition = get_kb_item("mssql/installs/" + sqlpath + "/edition");
    
      # SQL server 2005 (excluding Express Edition)
      if (
        sqlpath &&
        sqledition && "Express" >!< sqledition && "Internal" >!< sqledition &&
    
        (
        # SP3 (KB970892 & KB970894)
        hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2005.90.4262.0", min_version:"2005.90.4200.0", bulletin:bulletin, kb:'970894') ||
        hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2005.90.4053.0", min_version:"2005.90.4000.0", bulletin:bulletin, kb:'970892') ||
    
        # SP2 (KB970895 & KB970896)
        hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2005.90.3353.0", min_version:"2005.90.3200.0", bulletin:bulletin, kb:'970896') ||
        hotfix_is_vulnerable(path:sqlpath, file:"Sqlservr.exe", version:"2005.90.3080.0", min_version:"2005.90.3000.0", bulletin:bulletin, kb:'970895')
        )
      )
      {
        vuln++;
      }
    }
    
    foreach item (keys(ver_list))
    {
      item -= 'mssql/installs/';
      item -= '/SQLVersion';
      sqlpath = item;
    
      share = hotfix_path2share(path:sqlpath);
      if (!is_accessible_share(share:share)) continue;
    
      version = get_kb_item("mssql/installs/" + sqlpath + "/SQLVersion");
      if(version !~ "^8\.")
        continue;
    
      # SQL server 2000 reporting services SP2 (KB970899)
      if (sqlpath)
      {
        sqlsrs_path = ereg_replace(
          pattern:"^(.*)\\Binn\\?",
          replace:"\1\Reporting Services\ReportServer\bin",
          string:sqlpath,
          icase:TRUE
        );
        if (hotfix_is_vulnerable(path:sqlsrs_path, file:"ReportingServicesLibrary.dll", version:"8.0.1067.0", bulletin:bulletin, kb:'970899'))
        {
          vuln++;
        }
      }
    }
    
    # If any of the above applications are vulnerable, there's no need to check
    # the WinSxS dir (for the OS-specific patches
    if (vuln)
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    
    # KB958869.  Checks the SxS directory.  The bulletin says 2k, vista/2k8 SP2,
    # and win7 aren't affected
    if (hotfix_check_sp_range(xp:'2,3', win2003:'2', vista:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);
    
    vuln = 0;
    kb = '958869';
    winsxs = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\WinSxS", string:rootfile);
    files = list_dir(basedir:winsxs, level:0, dir_pat:"microsoft.windows.gdiplus", file_pat:"^gdiplus\.dll$");
    
    # Windows XP / Server 2003
    vuln += hotfix_check_winsxs(os:'5.1', files:files, versions:make_list('5.2.6001.22319'), bulletin:bulletin, kb:kb);
    vuln += hotfix_check_winsxs(os:'5.2', sp:2, files:files, versions:make_list('5.2.6001.22319'), bulletin:bulletin, kb:kb);
    
    # Windows Vista / Server 2008
    vuln += hotfix_check_winsxs(os:'6.0', files:files, versions:make_list('5.2.6001.22319'), max_versions:make_list('6.0.0.0'), bulletin:bulletin, kb:kb);
    vuln += hotfix_check_winsxs(os:'6.0', sp:0, files:files, versions:make_list('6.0.6000.16782', '6.0.6000.20966'), max_versions:make_list('6.0.6000.20000', '6.0.6000.99999'), bulletin:bulletin, kb:kb);
    vuln += hotfix_check_winsxs(os:'6.0', sp:1, files:files, versions:make_list('6.0.6001.18175', '6.0.6001.22319'), max_versions:make_list('6.0.6001.20000', '6.0.6001.99999'), bulletin:bulletin, kb:kb);
    
    if (vuln)
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    
    hotfix_check_fversion_end();
    audit(AUDIT_HOST_NOT, 'affected');
    

Oval

accepted2015-08-10T04:01:03.254-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationGideon Technologies, Inc.
  • nameMike Lah
    organizationThe MITRE Corporation
  • nameJ. Daniel Brown
    organizationDTCC
  • nameMike Lah
    organizationThe MITRE Corporation
  • nameMike Lah
    organizationThe MITRE Corporation
  • nameMike Lah
    organizationThe MITRE Corporation
  • nameDragos Prisaca
    organizationSymantec Corporation
  • nameJosh Turpin
    organizationSymantec Corporation
  • nameShane Shaffer
    organizationG2, Inc.
  • nameMaria Kedovskaya
    organizationALTX-SOFT
  • nameMaria Kedovskaya
    organizationALTX-SOFT
  • nameMaria Mikhno
    organizationALTX-SOFT
  • nameMaria Mikhno
    organizationALTX-SOFT
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentMicrosoft Internet Explorer 6 is installed
    ovaloval:org.mitre.oval:def:563
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows XP (x86) SP2 is installed
    ovaloval:org.mitre.oval:def:754
  • commentMicrosoft Windows XP (x86) SP3 is installed
    ovaloval:org.mitre.oval:def:5631
  • commentMicrosoft Office XP is installed
    ovaloval:org.mitre.oval:def:663
  • commentMicrosoft Project 2002 SP1 is installed
    ovaloval:org.mitre.oval:def:707
  • commentMicrosoft Office Visio 2002 SP2 is installed
    ovaloval:org.mitre.oval:def:692
  • commentMicrosoft Office 2003 is installed
    ovaloval:org.mitre.oval:def:233
  • commentMicrosoft Word Viewer is installed
    ovaloval:org.mitre.oval:def:737
  • commentMicrosoft Excel Viewer 2003 is installed
    ovaloval:org.mitre.oval:def:439
  • commentMicrosoft Office 2007 is installed
    ovaloval:org.mitre.oval:def:1211
  • commentMicrosoft PowerPoint Viewer 2007 is installed
    ovaloval:org.mitre.oval:def:5517
  • commentMicrosoft Office Compatibility Pack is installed
    ovaloval:org.mitre.oval:def:1853
  • commentMicrosoft Visual Studio 2005 is installed.
    ovaloval:org.mitre.oval:def:426
  • commentMicrosoft Visual Studio 2008 is installed
    ovaloval:org.mitre.oval:def:5401
  • commentMicrosoft SQL Server 2005 is installed
    ovaloval:org.mitre.oval:def:6082
  • commentMicrosoft SQL Server 2005 SP2 is installed
    ovaloval:org.mitre.oval:def:8397
  • commentMicrosoft SQL Server 2005 is installed
    ovaloval:org.mitre.oval:def:6082
  • commentMicrosoft SQL Server 2005 SP3 is installed
    ovaloval:org.mitre.oval:def:8471
descriptionInteger overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a crafted PNG image file, aka "GDI+ PNG Integer Overflow Vulnerability."
familywindows
idoval:org.mitre.oval:def:6134
statusaccepted
submitted2009-10-13T13:00:00
titleGDI+ PNG Integer Overflow Vulnerability
version69

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 36619,36645,36646,36648,36649,36650,36651,36647 CVE ID: CVE-2009-2500,CVE-2009-2501,CVE-2009-2502,CVE-2009-2503,CVE-2009-2504,CVE-2009-3126,CVE-2009-2528,CVE-2009-2518 Microsoft产品中所使用的GDI+库(GdiPlus.dll)通过基于类的API提供对各种图形方式的访问。 GDI+处理畸形WMF、PNG、TIFF、BMP等图形文件时存在多个缓冲区溢出和内存破坏漏洞。如果用户打开特制的图形文件,这些漏洞可能允许远程执行代码。成功利用漏洞的攻击者可以完全控制受影响的系统。 1) 在解析位图图形中所使用的颜色数时存在可导致堆溢出的整数溢出。 2) 处理WMF图形文件时存在可导致堆溢出的整数溢出。 3) 处理PNG文件时存在堆溢出和整数溢出。 4) 处理TIFF文件中的BitsPerSample标签时存在缓冲区溢出。 5) 处理TIFF文件中的畸形图形控制扩展可导致内存破坏。 6) 特制的.NET Framework应用可在某些GDI+ API中触发整数溢出。 7) 解析包含有某些属性ID的msofbtOPT Office Drawing记录类型时存在内存破坏。 Microsoft Internet Explorer 6.0 SP1 Microsoft Office XP SP3 Microsoft Office 2007 SP2 Microsoft Office 2007 SP1 Microsoft Office 2003 Service Pack 3 Microsoft Project 2002 SP1 Microsoft SQL Server 2005 SP3 Microsoft SQL Server 2005 SP2 Microsoft SQL Server 2000 Reporting Services SP2 Microsoft Visual Studio 2008 SP1 Microsoft Visual Studio 2008 Microsoft Visual Studio 2005 SP1 Microsoft Visual Studio .NET 2003 SP1 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Vista SP2 Microsoft Windows Vista SP1 Microsoft Windows Vista Microsoft Windows Server 2008 SP2 Microsoft Windows Server 2008 Microsoft Windows Server 2003 SP2 Microsoft Works 8.5 Microsoft .NET Framework 2.0 SP2 Microsoft .NET Framework 2.0 SP1 Microsoft .NET Framework 1.1 SP1 Microsoft Visual FoxPro 9.0 SP2 Microsoft Visual FoxPro 8.0 SP1 Microsoft Visio 2002 SP2 Microsoft Forefront Client Security 1.0 Microsoft Report Viewer 2008 SP1 Microsoft Report Viewer 2008 Microsoft Report Viewer 2005 SP1 Microsoft Groove 2007 SP1 Microsoft Groove 2007 临时解决方法: * 禁用元文件处理。 * 限制对gdiplus.dll的访问。 * 注销vgx.dll。 * 阻止在Internet Explorer中运行RSClientPrint。 * 以纯文本格式阅读电子邮件。 * 不要打开从不受信任来源或从受信任来源意外收到的Office文件。 * 在Internet Explorer中禁用XAML浏览器应用程序。 * 禁用部分受信任的.NET应用程序,通过提升的管理员命令提示符运行以下命令: caspol -pp off caspol -m -resetlockdown caspol -pp on 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS09-062)以及相应补丁: MS09-062:Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488) 链接:http://www.microsoft.com/technet/security/Bulletin/MS09-062.mspx?pf=true
idSSV:12497
last seen2017-11-19
modified2009-10-20
published2009-10-20
reporterRoot
titleMicrosoft GDI+库图形文件处理多个缓冲区溢出和内存破坏漏洞(MS09-062)