Bugtraq mailing list archives

RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow

From: "Polazzo Justin" <Justin.Polazzo () facilities gatech edu>
Date: Thu, 16 Sep 2004 12:35:27 -0400

Lastly, there is no all-in-one patch, MSFT said that this would create

a package >that was too large for people to download.  I am not sure why
they didn't do

this,  I don't think it has anything to do with the size, but I can

only

speculate.


I would have to agree with your assessment, seeing as MS updates is
bugging me every 30 min or so to download a 270 mb service pack, size
cannot be a real issue.

You do not need to replace all instances of gdiplus.dll


I cannot for the life of me find out which versions are vulnerable. In
some cases v.5.1.3097.0 is replaced See below:
(\WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll    version:
5.1.3102.1360   Size:  1645320   Date Created: 5/4/2004 11:53:40 AM
Date Modified: 5/4/2004 11:53:40 AM)

This was updated from its previous incarnation of v.5.1.3097.0 See
below:
(\WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll    version:
5.1.3097.0      Size:  1706800   Date Created: 11/21/2001 2:18:04 PM
Date Modified: 11/21/2001 2:18:04 PM)

While even on an updated system, the dll in \windir\system32 remains at
v.5.1.3097.0 See below:

Before: 
\WINNT\system32\gdiplus.dll      version: 5.1.3097.0    Size:  1700352
Date Created: 9/6/2001 1:00:58 AM        Date Modified: 9/6/2001 1:00:58
AM

After:
\WINNT\system32\gdiplus.dll      version: 5.1.3097.0    Size:  1700352
Date Created: 9/6/2001 1:00:58 AM        Date Modified: 9/6/2001 1:00:58
AM

I am hoping that the win2k system32 dll's are not called, and that is
why the files are not updated.

Its is scary that all other apps seem to have used the 5.1.3097.0
version, including WS-FTP, Macromedia (flash, Dreamweaver, etc), ACAD,
but the threat is mitigated by the fact that for the exploit to work you
have to open the jpeg with the app using the older dll's. I am going to
concentrate on the IE dll's and the Office ones as well.

Anyone know why .net has its own GDI+ dll? In what situation would it be
used?


Either way Jimmy Lehmkuhl wrote a nice API call that looks for dll
versions, we are packaging it with the Patchlink PDK and a script to
replace affected versions. We can now replace older versions (5.1.3097.0
and up) wherever they may lie, After testing to see if it breaks the
apps of course. 

JP

Current thread:

Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Nick D. (Sep 15)
- <Possible follow-ups>
- RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Polazzo Justin (Sep 15)
  - Re: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow sheep explode (Sep 16)
  - Re: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Gary Warner (Sep 16)
- RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Polazzo Justin (Sep 16)
- RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Angelidis, Fotis(NSASOUDABAY) (Sep 16)
- RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Parks, Matt (Sep 16)
- RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Polazzo Justin (Sep 16)