[<prev] [next>] [day] [month] [year] [list]
Message-ID: <FEBC66CCD411744381228574BAB53A9B803585@MAIL.fac.gatech.edu>
Date: Thu, 16 Sep 2004 12:35:27 -0400
From: "Polazzo Justin" <Justin.Polazzo@...ilities.gatech.edu>
To: "sheep explode" <sheep.explode@...il.com>
Cc: "Nick D." <ndebaggis@...izon.net>, <bugtraq@...urityfocus.com>
Subject: RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow
>Lastly, there is no all-in-one patch, MSFT said that this would create
a package >that was too large for people to download. I am not sure why
they didn't do
>this, I don't think it has anything to do with the size, but I can
only
>speculate.
I would have to agree with your assessment, seeing as MS updates is
bugging me every 30 min or so to download a 270 mb service pack, size
cannot be a real issue.
>You do not need to replace all instances of gdiplus.dll
I cannot for the life of me find out which versions are vulnerable. In
some cases v.5.1.3097.0 is replaced See below:
(\WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll version:
5.1.3102.1360 Size: 1645320 Date Created: 5/4/2004 11:53:40 AM
Date Modified: 5/4/2004 11:53:40 AM)
This was updated from its previous incarnation of v.5.1.3097.0 See
below:
(\WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll version:
5.1.3097.0 Size: 1706800 Date Created: 11/21/2001 2:18:04 PM
Date Modified: 11/21/2001 2:18:04 PM)
While even on an updated system, the dll in \windir\system32 remains at
v.5.1.3097.0 See below:
Before:
\WINNT\system32\gdiplus.dll version: 5.1.3097.0 Size: 1700352
Date Created: 9/6/2001 1:00:58 AM Date Modified: 9/6/2001 1:00:58
AM
After:
\WINNT\system32\gdiplus.dll version: 5.1.3097.0 Size: 1700352
Date Created: 9/6/2001 1:00:58 AM Date Modified: 9/6/2001 1:00:58
AM
I am hoping that the win2k system32 dll's are not called, and that is
why the files are not updated.
Its is scary that all other apps seem to have used the 5.1.3097.0
version, including WS-FTP, Macromedia (flash, Dreamweaver, etc), ACAD,
but the threat is mitigated by the fact that for the exploit to work you
have to open the jpeg with the app using the older dll's. I am going to
concentrate on the IE dll's and the Office ones as well.
Anyone know why .net has its own GDI+ dll? In what situation would it be
used?
Either way Jimmy Lehmkuhl wrote a nice API call that looks for dll
versions, we are packaging it with the Patchlink PDK and a script to
replace affected versions. We can now replace older versions (5.1.3097.0
and up) wherever they may lie, After testing to see if it breaks the
apps of course.
JP
Powered by blists - more mailing lists