Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Microsoft's GDI Detetection Tool faults

from [Scott Jacobson] Network Security [Permanent Link]
Subject: RE: Microsoft's GDI Detetection Tool faults
Date: Tue, 28 Sep 2004 18:17:06 -0400 
First, you should download a newer version of the SANS gdi tool.  i had
similar output to yours but mine was a more verbose with it's descriptions.
See below:

Scanning Drive C:...
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
   Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6
SP1 only)
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
   Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall
purposes)
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\as
ms\10\msft\windows\gdiplus\gdiplus.dll
   Version: 5.1.3102.2180
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\sx
s.dll
   Version: 5.1.2600.2180
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\vg
x.dll
   Version: 6.0.2900.2180
C:\WINDOWS\system32\dllcache\sxs.dll
   Version: 5.1.2600.1515
C:\WINDOWS\system32\dllcache\vgx.dll
   Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6
SP1 only)
C:\WINDOWS\system32\sxs.dll
   Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-w
w_8d353f13\GdiPlus.dll
   Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-
ww_712befd8\GdiPlus.dll
   Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
Scan Complete.

The fact that it says, for example, (Win2K SP2 and SP3 w/IE6 SP1 only) next
to several make me feel secure.  I'm running XP Pro SP2.  I think this is
because the version number is all that the gdi scan is looking.  So, it
gives a little more feedback so the user knows if they're still vulnerable
or not.

As per your second question...

COM and Shared DLL Isolation Support

Windows XP has a new folder under Windows called "WinSxS" (Windows
Side-by-Side). This area is used to store versions of Windows XP components
that are built to reduce configuration problems with Dynamic Link Libraries
(DLL) (DLL hell). Multiple versions of components are stored in this folder.
Windows XP allows Win32® API components and applications to use the exact
version of Microsoft components with which they are tested and not be
impacted by other application or operating system updates. It does this by
relying on XML files that contain metadata about application configuration
such as COM classes, interfaces, and type libraries.[1]

Hope that helps.

[1]
http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/xptechov.mspx

-----Original Message-----
From: albatross@tim.it [mailto:albatross@tim.it]
Sent: Monday, September 27, 2004 1:46 PM
To: bugtraq@securityfocus.com
Subject: Re: Microsoft's GDI Detetection Tool faults


In-Reply-To:
<B7C2C6BA798F3C4DBDD78BEDC1F8AD5705D7D30D@nycmb01.law.sullcrom.com>

The machine is a Windows XP SP1 completly patched with Office 2000 SP 3
completly patched.

I don't have any kind of imaging programs installed (Photoshop, Picture It,
etc)

The output from the SANS tool is:

Scanning...
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
   Version: 5.1.2600.0 <-- Vulnerable version
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
   Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\ServicePackFiles\i386\sxs.dll
   Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\system32\sxs.dll
   Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-w
w_8d353f13\GdiPlus.dll
   Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-
ww_712befd8\GdiPlus.dll
   Version: 5.1.3101.0 <-- Vulnerable version
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.13
60_x-ww_24a2ed47\GdiPlus.dll
   Version: 5.1.3102.1360
Scan Complete.


Does anybody know what the content of the WinSxS directory under the windows
installation path is?

albatross



How did you test this (and on what platform), and why do you propose
that the SANS tool is delivering more accurate results than the GDI tool
delivered by Microsoft?

I tested the SANS tool against a properly patched XP system on Friday
and found it to false positive on many of the locations it said it
wouldn't test on.  Additionally, I found it to alert on MS09.dll, on an
XP system.  Our understanding from Microsoft is that MS09.DLL only needs
to be updated to be fully compatible with an updated GDIPLUS.DLL in the
system directory, it is not directly vulnerable.

So, it would be good to know what you found.

Best,

Gaby
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: New whitepaper "The Phishing Guide", Brian Dessent
Next by Date:  Re: Diebold Global Election Management System (GEMS) Backdoor Account Allows Authenticated Users to Modify Votes, Bob Toxen
Previous by Thread:  Re: Microsoft's GDI Detetection Tool faults, the rxmr
Next by Thread:  Buffer overflow in Zinf 2.2.1 for Win32, Luigi Auriemma
Indexes:  [Date] [Thread] [Top] [All Lists]