
OpenRCE Article Comments: Technical Analysis of MS06-001

Article Abstract

Microsoft Windows is vulnerable to remote code execution in GDI32.dll (Graphical Device Interface). The vulnerability was assigned Microsoft security bulletin MS06-001, "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution" (912919). An exploit for this vulnerability was found in the wild by Websense Security Labs on 12/27/2005.

This vulnerability was exploited in the wild as early as 12/15/2005 to install various malicious programs. In order to successfully exploit this vulnerability, an attacker is only required to lure the victim to an infected website. The number of websites currently hosting malicious code has steadily increased since the exploit was made public.

In this article, Stephan Chenette walks through the disassembly of GDI32.dll, providing a detailed analysis of the code flow leading to the vulnerability. Readers are expected to be familiar with x86 assembly instructions to follow this document.


Article Comments
MohammadHosein Posted: Wednesday, February 15 2006 14:08.19 CST
thank you for this detailed and technical article , i would like to know if Pedram's Process Stalker has anything to say about this vuln or what ...

stephanc Posted: Monday, February 20 2006 12:19.50 CST
Mohammad,

I'm glad you enjoyed the article.

To answer your question:
I've used process stalker when I want to focus on code that runs in a particular scenario. It helps in analyzing that binary, but the code auditor still needs to recognize the vulnerability or bug.

In this particular case, process stalker could have been used to filter out code that was run when a wmf file was loaded, then the code auditor would have to look through that filtered code.

Most code auditors would be looking for "common" security vulnerabilities (buffer overflows, heap overflows, integer overflows, etc.); I'm guessing most auditors would miss this particular find. This section of code and its flow looks like a legitimate save and execution of a callback function. The auditor would have had to track back the callback function to see that the function actually was saved from the WMF input file itself.

So, as much help as process stalker is in trimming out the useless code to look through...it's still up to the code auditor to recognize the vulns/bugs.
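
As an added example (not code from the article, from Stephan, or from OpenRCE), here is a small WMF record walker in Python that flags the record type behind MS06-001: a META_ESCAPE record (function 0x0626) whose escape number is SETABORTPROC (9), which is how a callback pointer ends up being taken from the file rather than from a legitimate caller. The record layout it parses (4-byte size in words, 2-byte function number, parameters) is the standard WMF structure; the two sample files are constructed inline, and the filler bytes inside the escape payload are placeholders, not shellcode. Truncated or inconsistent record sizes are reported as malformed instead of being silently skipped, since an auditor triaging files wants those surfaced too.

```python
"""Scan a WMF file for META_ESCAPE records that carry SETABORTPROC.

Added example; not code from the OpenRCE article. Record layout follows the
Windows Metafile format; the sample files below are constructed here.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic (22-byte prefix)
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201     # harmless record used in the samples
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape number that installs the abort callback


def parse_wmf_records(data):
    """Yield (offset, function, params) for each record; raise ValueError on malformed input."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    # Standard header: Type, HeaderSize (words), Version, Size (words),
    # NumberOfObjects, MaxRecord (words), NumberOfMembers.
    _, header_words = struct.unpack_from("<HH", data, off)
    if header_words != 9:
        raise ValueError("unexpected header size %d words" % header_words)
    off += header_words * 2
    while True:
        if off + 6 > len(data):
            raise ValueError("truncated record header at 0x%x" % off)
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        # A record is at least its own 6-byte header; a size that runs past
        # the buffer (or is zero, which would loop forever) is malformed.
        if size_words < 3 or end > len(data):
            raise ValueError("bad record size at 0x%x" % off)
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_abortproc_escapes(data):
    """Return [(record_offset, declared_byte_count, actual_payload_len)] for SETABORTPROC escapes."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, byte_count, len(params) - 4))
    return hits


def classify(data):
    """'abortproc' if the file carries a SETABORTPROC escape, 'clean' or 'malformed' otherwise."""
    try:
        hits = find_abortproc_escapes(data)
    except ValueError:
        return "malformed"
    return "abortproc" if hits else "clean"


def _record(func, params):
    """Build one WMF record; parameter data is padded to a whole number of words."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Prefix records with a standard (non-placeable) 18-byte WMF header."""
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


# Constructed sample: a benign file with one drawing record and an EOF.
CLEAN_WMF = build_wmf([
    _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    _record(META_EOF, b""),
])

# Constructed sample: same layout plus a SETABORTPROC escape whose 8-byte
# payload is inert filler standing in for whatever a real sample would carry.
ABORTPROC_WMF = build_wmf([
    _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\xCC" * 8),
    _record(META_EOF, b""),
])


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WMF), ("abortproc", ABORTPROC_WMF)):
        print(name, classify(blob), find_abortproc_escapes(blob))
```

The escape record lands at file offset 28 in the second sample (18-byte header plus a 10-byte SETBKCOLOR record), so `find_abortproc_escapes(ABORTPROC_WMF)` returns `[(28, 8, 8)]`; a mismatch between the declared byte count and the actual payload length is also worth flagging when triaging real files.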

sefo Posted: Saturday, March 4 2006 05:42.35 CST
For a description of the exploit itself:
http://www.osix.net/modules/article/?id=783