
Thread: JPEG Vulnerability after patch!

  1. #1

    JPEG Vulnerability after patch!

    Bottom line: the exploit still runs on my computer after I have patched my machine! Help!

    Details :
    I use WinXP SP1.

    I have downloaded and "patched" my machine from here:
    http://www.microsoft.com/technet/sec.../ms04-028.mspx
    (File called WindowsXP-KB833987-x86-ENU.EXE)

    After I have patched my comp, I compiled the local exploit from here :
    [edit : was a link to GDI+ buffer overrun exploit by FoToZ]

    and it's still working! It's running cmd.exe as soon as I view the folder with the picture.

    Plz Help!

    <GDI scan results>
    Scanning Drive C:...
    C:\Program Files\Camera Suite\PhotoImpression\Share\gdiplus.dll
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
    Version: 10.0.3311.0 <-- Possibly vulnerable (Under OfficeXP only)
    C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
    Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
    C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
    Version: 5.1.2600.0 <-- Vulnerable version
    C:\WINDOWS\$NtServicePackUninstall$\vgx.dll
    Version: 6.0.2600.0 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
    C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
    Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall purposes)
    C:\WINDOWS\LastGood\System32\sxs.dll
    Version: 5.1.2600.1106 <-- Vulnerable version
    C:\WINDOWS\ServicePackFiles\i386\sxs.dll
    Version: 5.1.2600.1106 <-- Vulnerable version
    C:\WINDOWS\ServicePackFiles\i386\vgx.dll
    Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
    C:\WINDOWS\system32\sxs.dll
    Version: 5.1.2600.1515
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
    Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
    Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll
    Version: 5.1.3102.1360
    Scan Complete.
    </GDI scan results>

    PS: No, I don't want to upgrade to SP2.

  2. #2
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    I took a deep breath before I said anything mean...

    If you don't have SP2 you aren't fully patched numbskull.
    When death sleeps it dreams of you...

  3. #3
    Can you please remove the link to the exploit code.

    I'm not going to neg you because the question was valid, but we don't need the code freely available on this site.

  4. #4
    Senior Member
    Join Date
    Feb 2004
    Location
    Near Manchester (England)
    Posts
    145

    You're Not Fully Patched ...

    Posted by STeRoiD

    PS: No, I don't want to upgrade to SP2.
    Why not? Perhaps you have a "Hot," copy of Windows XP and are worried about the consequences of installing SP2?

    Are you using XP home or XP Pro?

    If you're serious about security you should install SP2!

    Silly question ... Did you re-load Windows after installing the patch?

    Anyone out there know if the patch linked to in STeRoiD's post is dependent on other patches? There's no mention of dependencies on the page linked to.
    Tomorrow is another day for yesterdays work!

  5. #5
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Can you please remove the link to the exploit code.

    I'm not going to neg you because the question was valid, but we don't need the code freely available on this site.
    Why not? Isn't that what the site is meant to be? Hardcore discussions on security issues. If someone links to (POC) exploit code and NOT readymade executables, I don't see the problem. Most skiddies don't have the skills (or the patience) required to compile code anyway.

    Why not? Perhaps you have a "Hot," copy of Windows XP and are worried about the consequences of installing SP2?
    Makes no difference. As long as your key allowed you to install SP1, you can install SP2 as well.

    If you're serious about security you should install SP2!
    I agree wholeheartedly! XP has been extensively tweaked with SP2 to improve the overall security. This of course, is besides the HUGE number of fixes in SP2.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  6. #6
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    Just curious: what program is associated with .jpeg files on your computer?

    Looking through your GDI scan, all I can see ( with one eye closed to try and focus on the screen ) is that PhotoImpression and Office 10 have the only “private” dlls that would be vulnerable and accessed. I do not believe even SP2 would change those dlls. For Office, you would have to visit the Office update site, and for PhotoImpression you would have to find out if they have an update, or remove the offending file and see if the program works without it ( it should use the default in the system folder then: if it is truly a “private” dll then this may not work, you may have to replace it, but PhotoImpression should provide an updated version. )

    Any one else see anything different?

    edit: forgot to mention: I agree with cgkanchi about Winston’s statements
    Can you please remove the link to the exploit code.

    I'm not going to neg you because the question was valid, but we don't need the code freely available on this site.
    I won't neg Winston because the sentiments were genuine, however misdirected. There is an extremely FINE LINE here as to what is acceptable and what is not, and all of us seem to have the line skewed for us now and then. /edit
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  7. #7
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Look at the files that are vulnerable and the files that are not vulnerable. Look at the directory paths of the files that are vulnerable. That will answer your question...
    -Simon \"SDK\"
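    Posts #6 and #7 make the same point from two angles: the MS04-028 package services the copies of the GDI+ DLLs in the Windows directories, while application-private copies and the uninstall backups still show up in a disk scan. The script below is an added example written for this thread, not the GDI scan tool or anything the posters supplied. It parses the scan output quoted in post #1 (embedded verbatim as sample input) and sorts each hit by where on disk it lives. Two assumptions are labelled in the code: the "fixed" version thresholds are simply the lowest builds the posted scan left unflagged, not Microsoft's published file list, and the directory classification is a path heuristic (uninstall and LastGood folders are treated as backups, system32 and WinSxS as OS-serviced, everything else as an application-private copy).

```python
"""Group the hits from a GDI+ DLL version scan by where each copy lives."""
import re
from pathlib import PureWindowsPath

# Sample input: the scan output quoted in post #1, copied as posted.
SCAN_OUTPUT = r"""
Scanning Drive C:...
C:\Program Files\Camera Suite\PhotoImpression\Share\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
Version: 10.0.3311.0 <-- Possibly vulnerable (Under OfficeXP only)
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
Version: 5.1.2600.0 <-- Vulnerable version
C:\WINDOWS\$NtServicePackUninstall$\vgx.dll
Version: 6.0.2600.0 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall purposes)
C:\WINDOWS\LastGood\System32\sxs.dll
Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\ServicePackFiles\i386\sxs.dll
Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\ServicePackFiles\i386\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll
Version: 5.1.3102.1360
Scan Complete.
"""

# ASSUMPTION: lowest build the posted scan left unflagged, used as the "fixed"
# threshold. This is read off the scan above, not Microsoft's published file list.
FIXED_MIN = {"gdiplus.dll": (5, 1, 3102, 1360), "sxs.dll": (5, 1, 2600, 1515)}

# ASSUMPTION (path heuristic): these folders hold rollback/backup copies that
# Explorer does not load from; $Nt...$ uninstall folders are matched by prefix.
BACKUP_DIRS = ("lastgood", "servicepackfiles")


def classify_location(path: str) -> str:
    """Return 'backup', 'os' (serviced by the OS patch) or 'private'."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if any(p.startswith("$nt") or p in BACKUP_DIRS for p in parts):
        return "backup"
    if "winsxs" in parts or "system32" in parts:
        return "os"
    return "private"


def parse_scan(text: str) -> list:
    """Pair each DLL path line with the 'Version:' line that follows it."""
    entries = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for path, ver in zip(lines, lines[1:]):
        m = re.match(r"Version:\s*([\d.]+)(?:\s*<--\s*(.*))?$", ver)
        if not path.lower().endswith(".dll") or not m:
            continue
        entries.append({
            "path": path,
            "name": PureWindowsPath(path).name.lower(),
            "version": tuple(int(x) for x in m.group(1).split(".")),
            "scanner_note": (m.group(2) or "").strip(),
            "location": classify_location(path),
        })
    return entries


def assess(entry: dict) -> str:
    """Decide whether this copy is current, and if not, what kind of copy it is."""
    minimum = FIXED_MIN.get(entry["name"])
    below_fixed = minimum is not None and entry["version"] < minimum
    if not below_fixed and not entry["scanner_note"]:
        return "current"
    return {"backup": "backup-copy", "os": "os-serviced",
            "private": "private-copy"}[entry["location"]]


def summarize(text: str) -> dict:
    """Map each assessment category to the list of paths falling into it."""
    report = {}
    for entry in parse_scan(text):
        report.setdefault(assess(entry), []).append(entry["path"])
    return report


if __name__ == "__main__":
    for e in parse_scan(SCAN_OUTPUT):
        ver = ".".join(map(str, e["version"]))
        print(f"{assess(e):13} {ver:14} {e['path']}")
```

    Run against the posted scan, the only hits that are neither backups nor in OS-serviced directories are the PhotoImpression gdiplus.dll, the Office MSO.DLL and the VGX vgx.dll, which is exactly the set IKnowNot singled out for vendor updates; the two older WinSxS GdiPlus assemblies are flagged but sit next to the 5.1.3102.1360 copy the patch installed, and the system32 sxs.dll is already current.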

  8. #8
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I'm curious as to why there is "fuss" over the link to the VERY PUBLIC exploit code. K-Optik is a well-known site, much like Packet Storm Security. This code, IIRC, was released AFTER the patch in question. To me, it just strikes me that the author is trying to be clear as to what they had done and what specifically they had used to test it with.

    Perhaps someone could clarify?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  9. #9
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    I'm curious as to why there is "fuss" over the link to the VERY PUBLIC exploit code. K-Optik is a well-known site, much like Packet Storm Security. This code, IIRC, was released AFTER the patch in question. To me, it just strikes me that the author is trying to be clear as to what they had done and what specifically they had used to test it with.
    I agree MsM. Exploit code IMHO, is to be studied and linked to as much as possible so that you know exactly what you're up against.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  10. #10
    First, although I think it's valid, I removed the public exploit link because of the discussion.

    If you don't have SP2 you aren't fully patched numbskull
    If you're serious about security you should install SP2!
    Ok, SP2 improves your security. Actually I didn't install it because of all the problems I heard about the product, but now maybe I will install it... but that's not the point: does anyone who has XP SP1 HAVE to install SP2? I mean, isn't Microsoft supposed to support the SP1 community as well (which means, amongst other things, supplying a *working* patch for it)?

    Maybe it has to do with the article "Microsoft: To secure IE, upgrade to XP"
    http://news.com.com/Microsoft+To+sec...3-5378366.html

    But seriously, I don't see any reason why XP SP1 would still be vulnerable.

    Just curious: what program is associated with .jpeg files on your computer?
    The default one, "Microsoft Picture and Fax Viewer", but I didn't have to open the file. I didn't double-click it; I just pointed at it within Explorer.

    Are you using XP home or XP Pro?
    Pro.
