Vulnerability Name: CVE-2005-4560 (CCN-23846)

Assigned: 2005-12-27
Published: 2005-12-27
Updated: 2018-10-19
Summary: The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com.
CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.9 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-20
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2005-4560

Source: MITRE
Type: CNA
CVE-2006-0106

Source: MISC
Type: UNKNOWN
http://linuxbox.org/pipermail/funsec/2006-January/002455.html

Source: CCN
Type: SA18255
Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution

Source: SECUNIA
Type: Vendor Advisory
18255

Source: CCN
Type: SA18311
Nortel Centrex IP Client Manager Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
18311

Source: CCN
Type: SA18323
Wine Potential WMF "SETABORTPROC" Vulnerability

Source: CCN
Type: SA18364
Avaya Products Microsoft Windows WMF "SETABORTPROC" Vulnerability

Source: SECUNIA
Type: Vendor Advisory
18364

Source: CCN
Type: SA18415
Nortel Products Microsoft Windows WMF "SETABORTPROC" Code Execution

Source: SECUNIA
Type: Vendor Advisory
18415

Source: CCN
Type: SECTRACK ID: 1015416
Microsoft Windows Unspecified WMF Rendering Bug Lets Remote Users Execute Arbitrary Code

Source: SECTRACK
Type: Exploit
1015416

Source: MISC
Type: Vendor Advisory
http://support.avaya.com/elmodocs2/security/ASA-2006-001.htm

Source: CCN
Type: ASA-2006-001
WMF vulnerability in Windows (MS06-001)

Source: MISC
Type: Vendor Advisory
http://vil.mcafeesecurity.com/vil/content/v_137760.htm

Source: DEBIAN
Type: DSA-954
wine -- design flaw

Source: CCN
Type: F-Secure : News from the Lab Wednesday, December 28, 2005
New WMF 0-day exploit

Source: MISC
Type: Exploit, Vendor Advisory
http://www.f-secure.com/weblog/archives/archive-122005.html#00000753

Source: CCN
Type: GLSA-200601-09
Wine: Windows Metafile SETABORTPROC vulnerability

Source: CCN
Type: US-CERT VU#181038
Microsoft Windows Metafile handler SETABORTPROC GDI Escape vulnerability

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#181038

Source: CCN
Type: Microsoft.com Web site
Windows Picture and Fax Viewer overview

Source: CCN
Type: Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.

Source: MISC
Type: Vendor Advisory
http://www.microsoft.com/technet/security/advisory/912840.mspx

Source: CCN
Type: Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)

Source: CCN
Type: Microsoft Security Bulletin MS07-046
Vulnerability in GDI Could Allow Remote Code Execution (938829)

Source: CCN
Type: Microsoft Security Bulletin MS08-021
Vulnerabilities in GDI Could Allow Remote Code Execution (948590)

Source: BUGTRAQ
Type: UNKNOWN
20051227 Is this a new exploit?

Source: BUGTRAQ
Type: UNKNOWN
20051227 Exploitation of Windows WMF on the web

Source: BUGTRAQ
Type: UNKNOWN
20051228 RE: [Full-disclosure] Someone wasted a nice bug on spyware...

Source: BUGTRAQ
Type: UNKNOWN
20051228 Re: Is this a new exploit?

Source: BUGTRAQ
Type: UNKNOWN
20051228 WMF Exploit

Source: BUGTRAQ
Type: UNKNOWN
20051229 WMF exploit

Source: BUGTRAQ
Type: UNKNOWN
20051229 RE: WMF Exploit

Source: BUGTRAQ
Type: UNKNOWN
20060101 Re: RE: WMF Exploit

Source: BUGTRAQ
Type: UNKNOWN
20060103 WMF round-up, updates and de-mystification

Source: BUGTRAQ
Type: UNKNOWN
20060103 WMF SETABORTPROC exploit

Source: BUGTRAQ
Type: UNKNOWN
20060103 Re: [funsec] WMF round-up, updates and de-mystification

Source: BUGTRAQ
Type: UNKNOWN
20060104 Another WMF exploit workaround

Source: BID
Type: Exploit
16074

Source: CCN
Type: BID-16074
Microsoft Windows Graphics Rendering Engine WMF SetAbortProc Code Execution Vulnerability

Source: CCN
Type: US-CERT Technical Cyber Security Alert TA05-362A
Microsoft Windows Metafile Handling Buffer Overflow

Source: CERT
Type: Third Party Advisory, US Government Resource
TA05-362A

Source: CERT
Type: Third Party Advisory, US Government Resource
TA06-005A

Source: VUPEN
Type: Vendor Advisory
ADV-2005-3086

Source: MISC
Type: UNKNOWN
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375341

Source: MISC
Type: UNKNOWN
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375420

Source: CCN
Type: Internet Security Systems Protection Alert December 28, 2005
Microsoft Picture and Fax Viewer WMF Buffer Overflow

Source: CCN
Type: Internet Security Systems Protection Alert
Additional Vectors for GDI32.DLL WMF Image Rendering Vulnerability

Source: MS
Type: UNKNOWN
MS06-001

Source: CCN
Type: IBM Internet Security Systems X-Force Database
Microsoft Windows Metafile image format buffer overflow

Source: XF
Type: UNKNOWN
win-wmf-execute-code(23846)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1431

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1433

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1460

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1492

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1564

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1612

Source: SUSE
Type: SUSE-SR:2006:002
SUSE Security Summary Report

Vulnerable Configuration:
Configuration 1:
  • cpe:/o:microsoft:windows_2003_server:enterprise:*:64-bit:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:enterprise:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:r2:*:64-bit:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:r2:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:standard:*:64-bit:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:standard:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:web:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:web:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:*:home:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:*:media_center:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp1:home:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp1:media_center:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:home:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:media_center:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions

| Definition ID | Class | Title | Last Modified |
|---|---|---|---|
| oval:org.mitre.oval:def:1431 | V | Win2K Graphics Rendering Engine Vulnerability | 2011-05-16 |
| oval:org.mitre.oval:def:1564 | V | WinXP,SP1 Graphics Rendering Engine Vulnerability | 2011-05-16 |
| oval:org.mitre.oval:def:1433 | V | WinXP,SP2 Graphics Rendering Engine Vulnerability | 2011-05-16 |
| oval:org.mitre.oval:def:1612 | V | Server 2003 Graphics Rendering Engine Vulnerability | 2011-05-16 |
| oval:org.mitre.oval:def:1460 | V | Server 2003,SP1 Graphics Rendering Engine Vulnerability | 2011-05-16 |
| oval:org.mitre.oval:def:1492 | V | WinXP (64-bit) Graphics Rendering Engine Vulnerability | 2011-05-16 |