GDI JPEG Exploit
GDI JPEG Exploit - 28.Sep.2004 9:43:00 AM   
Paladium

 

Posts: 8
Joined: 27.Sep.2004
From: Michigan
Status: offline
Has someone developed a signature for this product that scans systems to detect applications vulnerable to the GDI JPEG exploit??

The tool released by SANS is not usable on large networks that use a centralized network management structure. The tool only runs on a per-machine basis. Not good.

If GFI LANGuard NSS could be used to do this, that would be a great help!
Post #: 1
RE: GDI JPEG Exploit - 29.Sep.2004 3:53:00 AM   
DanielSchell

 

Posts: 179
Joined: 16.Oct.2003
From: Adelaide, Australia
Status: offline
http://forums.gfi.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=1;t=001629#000001

(in reply to Paladium)
Post #: 2
RE: GDI JPEG Exploit - 29.Sep.2004 5:57:00 AM   
gcibirch

 

Posts: 206
Joined: 22.Oct.2002
Status: offline
Excellent work...........

Worked a treat

(in reply to Paladium)
Post #: 3
RE: GDI JPEG Exploit - 29.Sep.2004 8:50:00 AM   
Paladium

 

Posts: 8
Joined: 27.Sep.2004
From: Michigan
Status: offline
Not working as expected... Using alternate credentials that have full domain admin access (including local machine admin access).

It writes the log to the C: drive as expected, but the results are blank. It lists the machine name and IP that was scanned, but shows no files found.

This is important to note because I ran the GUI tool released by the SANS Institute that scans the local machine for vulnerable files and it lists 11 different files that are either vulnerable or possibly vulnerable, plus two that are not vulnerable. I have a screen shot if interested.

If the script is supposed to scan the local C: drive looking for vulnerable versions of the files, why is it not coming up with the same results as the SANS tool?

(in reply to Paladium)
Post #: 4
RE: GDI JPEG Exploit - 29.Sep.2004 10:47:00 AM   
DanielSchell

 

Posts: 179
Joined: 16.Oct.2003
From: Adelaide, Australia
Status: offline
Check out the following KB article.

http://kbase.gfi.com/showarticle.asp?id=KBID002152

Also check out this screenshot:
http://www.gfiap.com/files/lgnss5_gdipluscheck_screenshot.jpg

What is the last line you get in the scanner activity window? You also need LGNSS5 Build 20040910.

[ September 29, 2004, 04:48 PM: Message edited by: DanielSchell ]

(in reply to Paladium)
Post #: 5
RE: GDI JPEG Exploit - 29.Sep.2004 6:33:00 PM   
mervzss

 

Posts: 2
Joined: 28.Sep.2004
Status: offline
Can we patch the affected applications through GFI?

(in reply to Paladium)
Post #: 6
RE: GDI JPEG Exploit - 30.Sep.2004 8:40:00 AM   
Paladium

 

Posts: 8
Joined: 27.Sep.2004
From: Michigan
Status: offline
We are on 20040910 and the box we are testing against does not have SP2 installed and the XP firewall is not on. WMI is enabled.

There is no error message. It starts the audit portion of the scan (the file search) and it ends about 4 seconds later. The scan message says the scan is complete. There is no drive activity on the target PC either.

There should be no reason I can think of for this not to work.

Further help please...

(in reply to Paladium)
Post #: 7
RE: GDI JPEG Exploit - 30.Sep.2004 9:59:00 AM   
DanielSchell

 

Posts: 179
Joined: 16.Oct.2003
From: Adelaide, Australia
Status: offline
Does it work if you scan 'localhost'?

(in reply to Paladium)
Post #: 8
RE: GDI JPEG Exploit - 30.Sep.2004 12:01:00 PM   
Paladium

 

Posts: 8
Joined: 27.Sep.2004
From: Michigan
Status: offline
Nope. Tried that from a previous post suggestion. Same results. Review of the security log indicates authentication is successful. Verified WMI service is running. Still not working and no error messages are displayed. Acts like it was successful. Tried it against another machine (W2K box) and got the same results.

(in reply to Paladium)
Post #: 9
RE: GDI JPEG Exploit - 30.Sep.2004 7:55:00 PM   
mmercer006

 

Posts: 10
Joined: 30.Sep.2004
From: Memphis
Status: offline
quote:
Originally posted by Paladium:
Nope. Tried that from a previous post suggestion. Same results. Review of the security log indicates authentication is successful. Verified WMI service is running. Still not working and no error messages are displayed. Acts like it was successful. Tried it against another machine (W2K box) and got the same results.


(in reply to Paladium)
Post #: 10
RE: GDI JPEG Exploit - 30.Sep.2004 7:59:00 PM   
mmercer006

 

Posts: 10
Joined: 30.Sep.2004
From: Memphis
Status: offline
Unfortunately I seem to be having the same issue.

This scanning profile would be very helpful to me so I'm open to any suggestions that will resolve this issue.

=======================================================================
STARTING SECURITY SCAN FOR MACHINE/RANGE: localhost
Profile: 04-028 Vunerabilites Scan
=======================================================================
Building computers list...
Resolving hosts...
Netbios discovery...
Reply from 10.225.150.188 (MEMPATCHMGMT01)
SNMP discovery...
Community string: public
ICMP sweep ... (PING!)
Pong from 10.225.150.188
Resolving host names...
1 Computer(s) found.
=======================================================================
Starting security scan of host MEMPATCHMGMT01[10.225.150.188]...
Time: 6:54:12 PM
=======================================================================
SMB probing ...
Connecting ...(1/6)
Session established.(2/6)
Protocol negotiated.(3/6)
NULL session established.(4/6)
Connected to IPC$.(5/6)
Collecting Windows OS Information...
Read server info...
Read PDC ...
Read BDC ...
Enumerate trusted domains ...
Enumerate shares ...
Enumerate groups ...
Enumerate users ...
Enumerate sessions ...
Enumerate services ...
Enumerate network transports ...
Enumerate remote processes ...
Enumerate drives ...
Read remote time of day ...
Read password policy ...
Connect to remote registry ...
Querying registry ...
Basic info
Run keys
Service Pack
Check security audit policy ...
Started vulnerability scan analysis...
Checking for trojans...
Checking FTP vulnerabilities...
Checking DNS vulnerabilities...
Checking mail vulnerabilities...
Checking service vulnerabilities...
Checking RPC vulnerabilities...
Checking miscellaneous vulnerabilities...
Checking registry vulnerabilities...
Checking information vulnerabilities...
Beginning MS04-028 Vunerability (gdiplus.dll) scan...
This scan may take a few moments to search the target hard drive
CGI probing...
=======================================================================
Completed security scan for MEMPATCHMGMT01[10.225.150.188]: 6:54:17 PM.
Scan time: 4 seconds
=======================================================================
=======================================================================
COMPLETED SECURITY SCAN FOR MACHINE/RANGE: localhost
Scan Start Time: 6:54:09 PM
Scan Duration: 7 seconds
=======================================================================

(in reply to Paladium)
Post #: 11
RE: GDI JPEG Exploit - 30.Sep.2004 11:00:00 PM   
DanielSchell

 

Posts: 179
Joined: 16.Oct.2003
From: Adelaide, Australia
Status: offline
Hi Guys,

I've made a new version of the script which does some extra debugging (I'm a google programmer and learn as I go [Smile] ) and reports correct errors when a scan does not work correctly.

Sample output:

1/10/2004 12:12:43 PM Host: DEV1(192.168.1.120)
Error encountered. Details below:
75 - Access is denied.

1/10/2004 12:15:18 PM Host: DAVID (192.168.1.122)
Error encountered. Details below:
75 - The RPC server is unavailable.

1/10/2004 12:15:24 PM Host: ORAC (192.168.1.126)
4 Instance(s) of gdiplus.dll found.
[VUNERABLE] c:\program files\fasoft\n-track studio 4\gdiplus.dll Version: 5.1.3097.0 (xpclient.010811-1534)
[OK] c:\program files\microsoft office\office11\gdiplus.dll Version: 6.0.3264.0
[OK] c:\program files\microsoft works\gdiplus.dll Version: 5.1.3102.1360 (xpsp2.040109-1800)
[VUNERABLE] c:\source\vs03\visio\program files\microsoft office\visio10\gdiplus.dll Version: 5.1.3100.0 (xpclnt_qfe.010827-1803)
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll Version: 5.1.3102.2180 (xpsp_sp2_rtm.040803-2158)
2 Vunerable file(s) found.
MS04-028 Vunerability scan complete.

File: http://www.gfiap.com/files/lgnss5_gdipluscheck12.zip

[ October 01, 2004, 05:18 AM: Message edited by: DanielSchell ]

(in reply to Paladium)
Post #: 12
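As an added example (not code from this thread, the script, or GFI), a small Python parser for the per-host output format shown in the post above, so results from many hosts can be rolled up and hosts whose scan failed (which prove nothing about their patch state) are kept apart from hosts with a flagged gdiplus.dll copy. The sample report is constructed from the output quoted above; the host names and paths in it are taken from that sample.

```python
import re

# Constructed sample, modelled on the script output quoted in the post above.
SAMPLE_REPORT = r"""
1/10/2004 12:12:43 PM Host: DEV1(192.168.1.120)
Error encountered. Details below:
75 - Access is denied.

1/10/2004 12:15:24 PM Host: ORAC (192.168.1.126)
3 Instance(s) of gdiplus.dll found.
[VUNERABLE] c:\program files\fasoft\n-track studio 4\gdiplus.dll Version: 5.1.3097.0 (xpclient.010811-1534)
[OK] c:\program files\microsoft office\office11\gdiplus.dll Version: 6.0.3264.0
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll Version: 5.1.3102.2180 (xpsp_sp2_rtm.040803-2158)
1 Vunerable file(s) found.
MS04-028 Vunerability scan complete.
"""

HOST_RE = re.compile(r"^\d+/\d+/\d+ \d+:\d+:\d+ [AP]M Host: (?P<name>[^\s(]+) ?\((?P<ip>[\d.]+)\)$")
ERROR_RE = re.compile(r"^(?P<code>\d+) - (?P<msg>.+)$")
FILE_RE = re.compile(r"^(?:\[(?P<label>\w+)\] )?(?P<path>.+?\\gdiplus\.dll) Version: (?P<ver>[\d.]+)", re.I)

def parse_report(text):
    """Map host name -> {ip, error, files}; files are (path, version tuple, script label)."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        host = HOST_RE.match(line)
        if host:
            current = hosts.setdefault(host["name"], {"ip": host["ip"], "error": None, "files": []})
        elif current is not None:  # ignore anything before the first host header
            err, hit = ERROR_RE.match(line), FILE_RE.match(line)
            if err:  # e.g. "75 - Access is denied." or "75 - The RPC server is unavailable."
                current["error"] = (int(err["code"]), err["msg"])
            elif hit:  # copies the script prints without a tag (the WinSxS one) are kept as UNLABELLED
                version = tuple(int(p) for p in hit["ver"].split("."))
                current["files"].append((hit["path"], version, (hit["label"] or "UNLABELLED").upper()))
    return hosts

def needs_attention(hosts):
    """Hosts to revisit: the scan failed (no evidence either way) or a flagged copy exists."""
    out = {}
    for name, info in hosts.items():
        if info["error"]:
            out[name] = "rescan: %d - %s" % info["error"]
        else:
            stale = [p for p, _, label in info["files"] if label == "VUNERABLE"]
            if stale:
                out[name] = "stale gdiplus.dll copies: %d" % len(stale)
    return out
```

Feeding the concatenated log files from a full sweep into `parse_report` gives one dictionary per host; `needs_attention` then separates "rescan with working credentials/WMI" from "update these application-bundled DLLs".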
RE: GDI JPEG Exploit - 1.Oct.2004 5:53:00 AM   
gcibirch

 

Posts: 206
Joined: 22.Oct.2002
Status: offline
If it returns 75 - Access Denied.......

What do I need to do???

(in reply to Paladium)
Post #: 13
RE: GDI JPEG Exploit - 1.Oct.2004 8:24:00 AM   
DanielSchell

 

Posts: 179
Joined: 16.Oct.2003
From: Adelaide, Australia
Status: offline
What alternative credentials are you scanning with? Administrative?

My guess is you would need to give your user WMI permissions (something I haven't needed to do before..)

Check out:
How To Set WMI Namespace Security in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;q295292&sd=tech

325353 - HOW TO: Set WMI Namespace Security in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;325353

(in reply to Paladium)
Post #: 14
RE: GDI JPEG Exploit - 1.Oct.2004 11:23:00 AM   
Paladium

 

Posts: 8
Joined: 27.Sep.2004
From: Michigan
Status: offline
On the W2K machine it works successfully with the new script. However, on the XP system, it still fails. Verified the settings for WMI and they are correct. WMI has full administrative rights and those rights are being inherited by sub elements/controls.

Where to next...

(in reply to Paladium)
Post #: 15