lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 16 Sep 2004 12:35:27 -0400
From: "Polazzo Justin" <Justin.Polazzo@...ilities.gatech.edu>
To: "sheep explode" <sheep.explode@...il.com>
Cc: "Nick D." <ndebaggis@...izon.net>, <bugtraq@...urityfocus.com>
Subject: RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow


 >Lastly, there is no all-in-one patch, MSFT said that this would create
a package >that was too large for people to download.  I am not sure why
they didn't do
>this,  I don't think it has anything to do with the size, but I can
only 
>speculate.

I would have to agree with your assessment, seeing as MS updates is
bugging me every 30 min or so to download a 270 mb service pack, size
cannot be a real issue.

>You do not need to replace all instances of gdiplus.dll 

I cannot for the life of me find out which versions are vulnerable. In
some cases v.5.1.3097.0 is replaced See below:
(\WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll	 version:
5.1.3102.1360	Size:  1645320	 Date Created: 5/4/2004 11:53:40 AM
Date Modified: 5/4/2004 11:53:40 AM)

This was updated from its previous incarnation of v.5.1.3097.0 See
below:
(\WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll	 version:
5.1.3097.0	Size:  1706800	 Date Created: 11/21/2001 2:18:04 PM
Date Modified: 11/21/2001 2:18:04 PM)

While even on an updated system, the dll in \windir\system32 remains at
v.5.1.3097.0 See below:

Before: 
\WINNT\system32\gdiplus.dll	 version: 5.1.3097.0	Size:  1700352
Date Created: 9/6/2001 1:00:58 AM	 Date Modified: 9/6/2001 1:00:58
AM

After:
\WINNT\system32\gdiplus.dll	 version: 5.1.3097.0	Size:  1700352
Date Created: 9/6/2001 1:00:58 AM	 Date Modified: 9/6/2001 1:00:58
AM

I am hoping that the win2k system32 dll's are not called, and that is
why the files are not updated.

Its is scary that all other apps seem to have used the 5.1.3097.0
version, including WS-FTP, Macromedia (flash, Dreamweaver, etc), ACAD,
but the threat is mitigated by the fact that for the exploit to work you
have to open the jpeg with the app using the older dll's. I am going to
concentrate on the IE dll's and the Office ones as well.

Anyone know why .net has its own GDI+ dll? In what situation would it be
used?


Either way Jimmy Lehmkuhl wrote a nice API call that looks for dll
versions, we are packaging it with the Patchlink PDK and a script to
replace affected versions. We can now replace older versions (5.1.3097.0
and up) wherever they may lie, After testing to see if it breaks the
apps of course. 

JP

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ