CVE-2005-0803
CVSS 5.0
Published: 2005-05-02 00:00:00
Revised: 2016-10-17 23:14:50

[Original text] The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."


[CNNVD] Microsoft Windows Graphics Device Interface Library Denial of Service Vulnerability (CNNVD-200505-180)

        Microsoft Windows is a widely used operating system from Microsoft.
        The GetEnhMetaFilePaletteEntries() API in Windows GDI32.DLL does not handle EMF files correctly; an application that calls this API may crash when it reads certain specially crafted EMF files.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CWE (weakness category)

CWE-399 [Resource Management Errors]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_2000::sp3:professional    Microsoft Windows 2000 Professional SP3
cpe:/o:microsoft:windows_2000::sp4:professional    Microsoft Windows 2000 Professional SP4
cpe:/o:microsoft:windows_2000::sp1:professional    Microsoft Windows 2000 Professional SP1
cpe:/o:microsoft:windows_2000::sp2:professional    Microsoft Windows 2000 Professional SP2
cpe:/o:microsoft:windows_2000::sp4:advanced_server    Microsoft Windows 2000 Advanced Server SP4
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_2000::sp3:advanced_server    Microsoft Windows 2000 Advanced Server SP3
cpe:/o:microsoft:windows_2000::sp2:advanced_server    Microsoft Windows 2000 Advanced Server SP2
cpe:/o:microsoft:windows_2000::sp1:advanced_server    Microsoft Windows 2000 Advanced Server SP1
cpe:/o:microsoft:windows_2000::sp1:server    Microsoft Windows 2000 Server SP1
cpe:/o:microsoft:windows_2000::sp4:server    Microsoft Windows 2000 Server SP4
cpe:/o:microsoft:windows_2000::sp3:server    Microsoft Windows 2000 Server SP3
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000::sp3:datacenter_server    Microsoft Windows 2000 Datacenter Server SP3
cpe:/o:microsoft:windows_2000::sp4:datacenter_server    Microsoft Windows 2000 Datacenter Server SP4
cpe:/o:microsoft:windows_2000::sp1:datacenter_server    Microsoft Windows 2000 Datacenter Server SP1
cpe:/o:microsoft:windows_2000::sp2:datacenter_server    Microsoft Windows 2000 Datacenter Server SP2
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2000::sp2:server    Microsoft Windows 2000 Server SP2

- OVAL (technical details for detection)

oval:org.mitre.oval:def:671    EMF Rendering Denial of Service Vulnerability (64-bit Windows XP and Server 2003, Unpatched)
oval:org.mitre.oval:def:1240    EMF Rendering Denial of Service Vulnerability (Windows 2000)
oval:org.mitre.oval:def:1215    EMF Rendering Denial of Service Vulnerability (64-bit Windows XP and Server 2003, SP1)
oval:org.mitre.oval:def:1152    EMF Rendering Denial of Service Vulnerability (32-bit Windows XP, SP1)
oval:org.mitre.oval:def:1121    EMF Rendering Denial of Service Vulnerability (32-bit Windows XP, SP2)
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0803
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0803
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-180
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=111108743527497&w=2
(UNKNOWN)  BUGTRAQ  20050317 Windows 2000 GDI32.DLL GetEnhMetaFilePaletteEntries() API specially crafted EMF file DOS vulnerability
http://securitytracker.com/id?1015168
(UNKNOWN)  SECTRACK  1015168
http://support.avaya.com/elmodocs2/security/ASA-2005-228.pdf
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2005-228.pdf
http://www.kb.cert.org/vuls/id/134756
(UNKNOWN)  CERT-VN  VU#134756
http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx
(UNKNOWN)  MS  MS05-053
http://www.securityfocus.com/bid/12834
(UNKNOWN)  BID  12834
http://www.us-cert.gov/cas/techalerts/TA05-312A.html
(UNKNOWN)  CERT  TA05-312A
http://www.vupen.com/english/advisories/2005/2348
(VENDOR_ADVISORY)  VUPEN  ADV-2005-2348
http://xforce.iss.net/xforce/xfdb/19727
(UNKNOWN)  XF  win-2000-gdi32dll-dos(19727)

- Vulnerability information

Microsoft Windows Graphics Device Interface Library Denial of Service Vulnerability
Medium    Other
2005-05-02 00:00:00    2006-06-15 00:00:00
Remote / Local
        Microsoft Windows is a widely used operating system from Microsoft.
        The GetEnhMetaFilePaletteEntries() API in Windows GDI32.DLL does not handle EMF files correctly; an application that calls this API may crash when it reads certain specially crafted EMF files.

- Advisories and patches

        The vendor has released an update that fixes this security issue; it can be obtained from:
        http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx

- Vulnerability information (F41410)

Technical Cyber Security Alert 2005-312A (PacketStormID:F41410)
2005-11-09 00:00:00
US-CERT  us-cert.gov
advisory,remote,denial of service,arbitrary,vulnerability
windows
CVE-2005-2123,CVE-2005-2124,CVE-2005-0803

Technical Cyber Security Alert TA05-312A - Microsoft has released updates that address critical vulnerabilities in Windows graphics rendering services. A remote, unauthenticated attacker exploiting these vulnerabilities could execute arbitrary code or cause a denial of service on an affected system.


               National Cyber Alert System

         Technical Cyber Security Alert TA05-312A


Microsoft Windows Image Processing Vulnerabilities

   Original release date: November 08, 2005
   Last revised: --
   Source: US-CERT


Systems Affected

     * Microsoft Windows 2000
     * Microsoft Windows XP
     * Microsoft Windows Server 2003

   For more complete information, refer to Microsoft Security Bulletin
   MS05-053.


Overview

   Microsoft has released updates that address critical vulnerabilities
   in Windows graphics rendering services. A remote, unauthenticated
   attacker exploiting these vulnerabilities could execute arbitrary code
   or cause a denial of service on an affected system.


I. Description

   The Microsoft Security Bulletin for November 2005 addresses multiple
   buffer overflows in Windows image processing routines. Viewing a
   specially crafted image from an application that uses a vulnerable
   routine may trigger these vulnerabilities. If this application can
   access images from remote sources, such as web sites or email, then
   remote exploitation is possible.

   Further information is available in the following US-CERT
   Vulnerability Notes:

   VU#300549 - Microsoft Windows Graphics Rendering Engine buffer
   overflow vulnerability 

   Microsoft Windows Graphics Rendering Engine contains a buffer overflow
   that may allow a remote attacker to execute arbitrary code on a
   vulnerable system.
   (CVE-2005-2123)


   VU#433341 - Microsoft Windows vulnerable to buffer overflow via
   specially crafted "WMF" file 

   Microsoft Windows may be vulnerable to remote code execution via a
   buffer overflow in the Windows Metafile image format handling.
   (CVE-2005-2124)


   VU#134756 - Microsoft Windows buffer overflow in Enhanced Metafile
   rendering API 

   Microsoft Windows Enhanced Metafile Format image rendering routines
   contain a buffer overflow flaw that may allow an attacker to cause a
   denial-of-service condition.
   (CVE-2005-0803)


II. Impact

   A remote, unauthenticated attacker exploiting these vulnerabilities
   could execute arbitrary code with the privileges of the user. If the
   user is logged on with administrative privileges, the attacker could
   take control of an affected system. An attacker may also be able to
   cause a denial of service.


III. Solution

Apply Updates

   Microsoft has provided the updates to correct these vulnerabilities in
   Microsoft Security Bulletin MS05-053. These updates are also available
   on the Microsoft Update site.


Appendix A. References

     * Microsoft Security Bulletin MS05-053 -
       <http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx>

     * Microsoft Security Bulletin Summary for November 2005 -
       <http://www.microsoft.com/technet/security/bulletin/ms05-nov.mspx>

     * US-CERT Vulnerability Note VU#300549 -
       <http://www.kb.cert.org/vuls/id/300549>

     * US-CERT Vulnerability Note VU#433341 -
       <http://www.kb.cert.org/vuls/id/433341>

     * US-CERT Vulnerability Note VU#134756 -
       <http://www.kb.cert.org/vuls/id/134756>

     * Microsoft Update - <https://update.microsoft.com/microsoftupdate>

  
  _________________________________________________________________

   The most recent version of this document can be found at:

   <http://www.us-cert.gov/cas/techalerts/TA05-312A.html> 
  _________________________________________________________________

   Feedback can be directed to US-CERT.  Please send email to:
   <cert@cert.org> with "TA05-312A Feedback VU#300549" in the subject.
  _________________________________________________________________

   Revision History

   Nov 08, 2005: Initial release
  _________________________________________________________________

   Produced 2005 by US-CERT, a government organization.
  
   Terms of use

   <http://www.us-cert.gov/legal.html>
  _________________________________________________________________

   For instructions on subscribing to or unsubscribing from this 
   mailing list, visit <http://www.us-cert.gov/cas/>.

- Vulnerability information

14862
Microsoft Windows GDI32.DLL GetEnhMetaFilePaletteEntries() API EMF File DoS
Denial of Service
Loss of Availability
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-03-17 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft Windows Graphical Device Interface Library Denial Of Service Vulnerability
Class: Failure to Handle Exceptional Conditions    Bugtraq ID: 12834
Remote: Yes    Local: Yes
Published: 2005-03-17 12:00:00    Updated: 2009-07-12 10:56:00
Hongzhen Zhou <felix__zhou@hotmail.com> is credited with the discovery of this issue.

- Affected program versions

Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Avaya Unified Communications Center S3400
Avaya S8100 Media Servers R9
Avaya S8100 Media Servers R8
Avaya S8100 Media Servers R7
Avaya S8100 Media Servers R6
Avaya S8100 Media Servers R12
Avaya S8100 Media Servers R11
Avaya S8100 Media Servers R10
Avaya S8100 Media Servers 0
+ Microsoft Windows 2000 Server
+ Microsoft Windows NT Server 4.0 SP6a
Avaya Modular Messaging (MAS)
Avaya IP600 Media Servers R9
Avaya IP600 Media Servers R8
Avaya IP600 Media Servers R7
Avaya IP600 Media Servers R6
Avaya IP600 Media Servers R12
Avaya IP600 Media Servers R11
Avaya IP600 Media Servers R10
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers R9
Avaya DefinityOne Media Servers R8
Avaya DefinityOne Media Servers R7
Avaya DefinityOne Media Servers R6
Avaya DefinityOne Media Servers R12
Avaya DefinityOne Media Servers R11
Avaya DefinityOne Media Servers R10
Avaya DefinityOne Media Servers

- Vulnerability discussion

Reportedly, a denial of service vulnerability affects Microsoft Windows GDI library 'gdi32.dll'. This issue is due to a failure of the application to securely copy data from malformed EMF image files.

An attacker may leverage this issue to trigger a denial of service condition in software implementing the vulnerable library. Other attacks may also be possible.

- Exploit

The following proof of concept EMF file in hexadecimal format will reportedly trigger this issue in 'Explorer.exe' for Microsoft Windows 2000:

A hex dumped EMF file:
-------------------------------------------------------
0000000 01 00 00 00 64 00 00 00 93 00 00 00 02 00 00 00
0000010 83 01 00 00 39 01 00 00 00 00 00 00 00 00 00 00
0000020 d1 08 00 00 be 06 00 00 20 45 4d 46 00 00 01 00
0000030 78 00 00 00 17 00 00 00 03 00 00 00 0f 00 00 00
0000040 64 00 00 00 41 00 00 00 c8 12 00 00 c2 1a 00 00
0000050 cc 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00
0000060 00 00 00 00 0e 00 00 00 14 00 00 00 41 00 00 00
0000070 41 42 43 44 00 00 01 ff
-------------------------------------------------------

- Solution

Microsoft has released a bulletin that includes fixes to address this issue for supported versions of the operating system.

Avaya advisory ASA-2005-228 has been released to identify vulnerable Avaya packages. Avaya recommends customers to apply fixes supplied by Microsoft. Please see the referenced advisory for more information.

Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows XP Home SP2
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home SP1
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows XP Professional SP2
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Professional SP4
Microsoft Windows XP Professional SP1

- References

