Bugtraq mailing list archives
RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow
From: "Polazzo Justin" <Justin.Polazzo () facilities gatech edu>
Date: Thu, 16 Sep 2004 12:35:27 -0400
> Lastly, there is no all-in-one patch, MSFT said that this would create
> a package that was too large for people to download. I am not sure why
> they didn't do this, I don't think it has anything to do with the size,
> but I can only speculate.
I would have to agree with your assessment, seeing as MS updates is bugging me every 30 min or so to download a 270 MB service pack, size cannot be a real issue.
> You do not need to replace all instances of gdiplus.dll
I cannot for the life of me find out which versions are vulnerable. In some cases v.5.1.3097.0 is replaced. See below:

    \WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll
    version: 5.1.3102.1360
    Size: 1645320
    Date Created: 5/4/2004 11:53:40 AM
    Date Modified: 5/4/2004 11:53:40 AM

This was updated from its previous incarnation of v.5.1.3097.0. See below:

    \WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll
    version: 5.1.3097.0
    Size: 1706800
    Date Created: 11/21/2001 2:18:04 PM
    Date Modified: 11/21/2001 2:18:04 PM

While even on an updated system, the DLL in \windir\system32 remains at v.5.1.3097.0. See below:

Before:
    \WINNT\system32\gdiplus.dll
    version: 5.1.3097.0
    Size: 1700352
    Date Created: 9/6/2001 1:00:58 AM
    Date Modified: 9/6/2001 1:00:58 AM

After:
    \WINNT\system32\gdiplus.dll
    version: 5.1.3097.0
    Size: 1700352
    Date Created: 9/6/2001 1:00:58 AM
    Date Modified: 9/6/2001 1:00:58 AM

I am hoping that the win2k system32 DLLs are not called, and that is why the files are not updated. It is scary that all other apps seem to have used the 5.1.3097.0 version, including WS-FTP, Macromedia (Flash, Dreamweaver, etc.), ACAD, but the threat is mitigated by the fact that for the exploit to work you have to open the JPEG with the app using the older DLLs. I am going to concentrate on the IE DLLs and the Office ones as well.

Anyone know why .NET has its own GDI+ DLL? In what situation would it be used?

Either way, Jimmy Lehmkuhl wrote a nice API call that looks for DLL versions; we are packaging it with the Patchlink PDK and a script to replace affected versions. We can now replace older versions (5.1.3097.0 and up) wherever they may lie, after testing to see if it breaks the apps of course.

JP
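An added example, not code from the post or from the Patchlink tooling it mentions: a Python inventory script that walks the given directories, reads the file version out of every gdiplus.dll by locating the VS_FIXEDFILEINFO structure inside the PE, and flags copies older than the 5.1.3102.1360 build the post shows as the updated .NET copy. The threshold, the function names and the constructed sample bytes are assumptions.

```python
import os
import struct

# dwSignature that opens VS_FIXEDFILEINFO in a PE version resource (0xFEEF04BD, little-endian).
VS_FIXEDFILEINFO_SIG = b"\xbd\x04\xef\xfe"

# Assumed threshold: the build the post shows replacing 5.1.3097.0 in the .NET framework dir.
FIXED_VERSION = (5, 1, 3102, 1360)

# Constructed sample (not a real DLL): header padding, then a VS_FIXEDFILEINFO reporting 5.1.3097.0.
SAMPLE_OLD_DLL = (b"MZ" + b"\x00" * 62 + VS_FIXEDFILEINFO_SIG
                  + bytes.fromhex("00000100")   # dwStrucVersion
                  + bytes.fromhex("01000500")   # dwFileVersionMS = 0x00050001 -> 5.1
                  + bytes.fromhex("0000190c")   # dwFileVersionLS = 0x0C190000 -> 3097.0
                  + b"\x00" * 40)


def parse_file_version(data: bytes):
    """Return (major, minor, build, revision) from the first VS_FIXEDFILEINFO found, or None.

    Scanning for the signature instead of walking the resource directory is a
    shortcut that is good enough for an inventory pass over known DLL names.
    """
    off = data.find(VS_FIXEDFILEINFO_SIG)
    if off < 0 or off + 16 > len(data):
        return None
    _sig, _struc, ms, ls = struct.unpack_from("<IIII", data, off)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def needs_update(version) -> bool:
    """Numeric tuple comparison, so 5.1.3097.0 sorts below 5.1.3102.1360 (string compare would not)."""
    return version is not None and version < FIXED_VERSION


def scan_for_gdiplus(roots):
    """Walk each root and return (path, version, needs_update) for every gdiplus.dll found."""
    results = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == "gdiplus.dll":
                    path = os.path.join(dirpath, name)
                    with open(path, "rb") as fh:
                        ver = parse_file_version(fh.read())
                    results.append((path, ver, needs_update(ver)))
    return results


def fmt_version(version) -> str:
    return ".".join(str(p) for p in version) if version else "unknown"


if __name__ == "__main__":
    import sys
    for path, ver, old in scan_for_gdiplus(sys.argv[1:] or ["."]):
        print(f"{'OLD' if old else 'ok ':4} {fmt_version(ver):16} {path}")
```

Run it against the drive roots (for example `C:\`) from an administrative prompt; every line marked OLD is a copy an application may still load regardless of what the OS update replaced.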
Current thread:
- Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Nick D. (Sep 15)
- <Possible follow-ups>
- RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Polazzo Justin (Sep 15)
- Re: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow sheep explode (Sep 16)
- Re: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Gary Warner (Sep 16)
- RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Polazzo Justin (Sep 16)
- RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Angelidis, Fotis(NSASOUDABAY) (Sep 16)
- RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Parks, Matt (Sep 16)
- RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow Polazzo Justin (Sep 16)