Vulnerabilities > CVE-2009-3678 - Numeric Errors vulnerability in Microsoft Windows 7 and Windows Server 2008
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Integer overflow in cdd.dll in the Canonical Display Driver (CDD) in Microsoft Windows Server 2008 R2 and Windows 7 on 64-bit platforms, when the Windows Aero theme is installed, allows context-dependent attackers to cause a denial of service (reboot) or possibly execute arbitrary code via a crafted image file that triggers incorrect data parsing after user-mode data is copied to kernel mode, as demonstrated using "Browse with Irfanview" and certain actions on a folder containing a large number of thumbnail images in Resample mode, possibly related to the ATI graphics driver or win32k.sys, aka "Canonical Display Driver Integer Overflow Vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 2 |
Common Weakness Enumeration (CWE)
Msbulletin
| bulletin_id | MS10-043 |
| bulletin_url | |
| date | 2010-07-13T00:00:00 |
| impact | Remote Code Execution |
| knowledgebase_id | 2032276 |
| knowledgebase_url | |
| severity | Critical |
| title | Vulnerability in Canonical Display Driver Could Allow Remote Code Execution |
Nessus
NASL family Windows NASL id WIN_SERVER_2008_NTLM_PCI.NASL description According to the version number obtained by NTLM the remote host has Windows Server 2008 installed. The host may be vulnerable to a number of vulnerabilities including remote unauthenticated code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 108811 published 2018-04-03 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108811 title Windows Server 2008 Critical RCE Vulnerabilities (uncredentialed) (PCI/DSS) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS10-043.NASL description A flaw exists in the way the Microsoft Canonical Display Driver (cdd.dll) parses information copied from user mode to kernel mode. If the Windows Aero theme is enabled, an attacker who tricks a user on the affected host into viewing a specially crafted image using an application that uses the APIs for GDI for rendering images can leverage this issue to cause the affected system to stop responding and restart or even to execute arbitrary code, although this is unlikely due to memory randomization. last seen 2020-06-01 modified 2020-06-02 plugin id 47711 published 2010-07-13 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/47711 title MS10-043: Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276)
Oval
| accepted | 2012-03-26T04:03:49.240-04:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | Integer overflow in cdd.dll in the Canonical Display Driver (CDD) in Microsoft Windows Server 2008 R2 and Windows 7 on 64-bit platforms, when the Windows Aero theme is installed, allows context-dependent attackers to cause a denial of service (reboot) or possibly execute arbitrary code via a crafted image file that triggers incorrect data parsing after user-mode data is copied to kernel mode, as demonstrated using "Browse with Irfanview" and certain actions on a folder containing a large number of thumbnail images in Resample mode, possibly related to the ATI graphics driver or win32k.sys, aka "Canonical Display Driver Integer Overflow Vulnerability." | ||||||||||||
| family | windows | ||||||||||||
| id | oval:org.mitre.oval:def:7195 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2010-05-19T11:00:00 | ||||||||||||
| title | Remote code execution vulnerability in Canonical Display Driver | ||||||||||||
| version | 76 |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 40237 CVE ID: CVE-2009-3678 Windows是微软发布的非常流行的操作系统。 Windows所使用的规范显示驱动(cdd.dll)没有正确的解析从用户态拷贝到内核态的信息。用户受骗打开了包含有大量以缩略图形式显示图形文件的文件夹并同时选中删除了大约15到20张图形就会导致系统蓝屏死机。理论上利用该漏洞也可能导致执行任意代码,但由于地址是随机的,因此很难预测最终的指针目标。 Microsoft Windows Server 2008 R2 Microsoft Windows 7 临时解决方法: * 禁用Windows Aero主题。 厂商补丁: Microsoft --------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.microsoft.com/technet/security/ |
| id | SSV:19653 |
| last seen | 2017-11-19 |
| modified | 2010-05-20 |
| published | 2010-05-20 |
| reporter | Root |
| title | Microsoft Windows cdd.dll驱动远程拒绝服务漏洞 |
References
- http://blogs.technet.com/msrc/archive/2010/05/18/security-advisory-2028859-released.aspx
- http://blogs.technet.com/srd/archive/2010/05/18/cdd-dll-vulnerability-difficult-to-exploit.aspx
- http://en.irfanview-forum.de/vb/showthread.php?5647-V4-25-bluescreen-with-Windows-7-cdd-dll-win32k-sys
- http://isc.sans.org/diary.html?storyid=8809
- http://osvdb.org/64731
- http://pcandmactech.blogspot.com/2009/12/irfanview-and-bsod.html
- http://secunia.com/advisories/39577
- http://www.microsoft.com/technet/security/advisory/2028859.mspx
- http://www.securityfocus.com/bid/40237
- http://www.us-cert.gov/cas/techalerts/TA10-194A.html
- http://www.vupen.com/english/advisories/2010/1178
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-043
- https://exchange.xforce.ibmcloud.com/vulnerabilities/58622
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7195