RE: GDI JPEG Exploit
RE: GDI JPEG Exploit - 1.Oct.2004 2:32:00 PM
mmercer006
Posts: 10
Joined: 30.Sep.2004
From: Memphis
Status: offline
I tried the new script and it works locally but I get "75 - Access Denied......." when I try to scan PCs on the network.

RE: GDI JPEG Exploit - 1.Oct.2004 5:30:00 PM
mmercer006
Posts: 10
Joined: 30.Sep.2004
From: Memphis
Status: offline
I got it working now by changing the logon credentials.
Marc

RE: GDI JPEG Exploit - 3.Oct.2004 4:11:00 PM
SecureatHome
Posts: 4
Joined: 2.Oct.2004
From: Virginia Beach
Status: offline
How effective is this scan? Does it denote if multiple patches need to be installed? I am concerned with the multi-platform approach that allows for Windows XP, and 2000, with other software that has the affected DLLs installed in their own proprietary directories.

RE: GDI JPEG Exploit - 4.Oct.2004 1:37:00 AM
DanielSchell
Posts: 179
Joined: 16.Oct.2003
From: Adelaide, Australia
Status: offline
The scan uses a WMI query to locate all gdiplus.dll files on the target computer. It then version-checks each file individually and reports the path and version and if the version is vulnerable (according to the MS TechNet article).
You would then need to either use the proper Microsoft patches or contact the appropriate vendor if required.
See the following screenshot for the output provided (and logged to text): http://www.gfiap.com/files/lgnss5_gdipluscheck_screenshot.jpg
I wrote this script in my own spare time and it is not an officially supported add-on for GFi LGNSS. [ October 04, 2004, 07:44 AM: Message edited by: DanielSchell ]

RE: GDI JPEG Exploit - 4.Oct.2004 1:43:00 AM
DanielSchell
Posts: 179
Joined: 16.Oct.2003
From: Adelaide, Australia
Status: offline
Paladium,
Try the following WMI script (not using LGNSS).
Change the variable strComputer = "."
to be the target computer and then run the script from the computer running LGNSS.
http://users.on.net/dschell/BIOS details.vbs [ October 04, 2004, 07:44 AM: Message edited by: DanielSchell ]

RE: GDI JPEG Exploit - 13.Oct.2004 4:50:00 AM
SimonB
Posts: 17
Joined: 28.Sep.2004
From: Perth, Western Australia
Status: offline
Hi Daniel,
Thanks for your script. I have installed it and it's running fine, but I have a query on the reported vulnerabilities:
We are running Windows NT 2000 with some IE 6, SP1. The script is reporting the following:
13/10/2004 4:36:22 PM
Host: SBSCPNM03 (203.3.0.113)
1 Instance(s) of gdiplus.dll found.
[VUNERABLE] c:\winnt\microsoft.net\framework\v1.0.3705\gdiplus.dll Version: 5.1.3097.0 (xpclient.010817-1148)
1 Vunerable file(s) found.
MS04-028 Vunerability scan complete.
However, I was under the impression that IE6 SP1 was, itself, subject to a patch under MS04-028? If so, why isn't it being reported?
Thanks,
Simon....

RE: GDI JPEG Exploit - 13.Oct.2004 8:51:00 PM
SimonB
Posts: 17
Joined: 28.Sep.2004
From: Perth, Western Australia
Status: offline
quote: Originally posted by DanielSchell: The file is part of the .NET Framework, not IE6.
Daniel, I think you've misunderstood me. I understand that this is reporting a vulnerability for .NET, but according to Microsoft at this link, there is a patch for MS04-028 to apply to IE6 SP1. Is this correct? If so, shouldn't your script detect this, or is this IE6 SP1 vulnerability not dependent on GDIPLUS.DLL?
Cheers,
Simon....

RE: GDI JPEG Exploit - 13.Oct.2004 10:58:00 PM
DanielSchell
Posts: 179
Joined: 16.Oct.2003
From: Adelaide, Australia
Status: offline
Hi Simon,
The patch deals with the Microsoft Vector Graphics Rendering file VGX.DLL, not gdiplus.dll.
The VGX.DLL file is not mentioned by the MS04-028 technet article.

RE: GDI JPEG Exploit - 14.Oct.2004 12:01:00 AM
SimonB
Posts: 17
Joined: 28.Sep.2004
From: Perth, Western Australia
Status: offline
Just to clarify a couple of points (after a discussion with Daniel, thanks) for anyone else interested:
When using Daniel's script, use the "Alternative Credentials" for the userid to run the script as, not "Currently logged on user".
The script will scan all locally attached disks, which includes CD drives and direct-attached disks (SANs, etc.).
There is doubt (at least in my mind) whether IE6 SP1 is vulnerable on its own if no GDIPLUS.DLL files are found. It contains a VGX.DLL file, with no reference to GDIPLUS.DLL, but is clearly referred to on the MS04-028 home page. Weird.
Thanks Daniel,
Simon....

RE: GDI JPEG Exploit - 22.Oct.2004 8:55:00 AM
Paladium
Posts: 8
Joined: 27.Sep.2004
From: Michigan
Status: offline
OK. Here we go again...
The script is not working on XP systems. Already using alternative credentials as recommended. Full access to the system (local admin level) is fine. Here's the error:
-------------------
Started vulnerability scan analysis...
Checking for trojans...
Checking information vulnerabilities...
Beginning MS04-028 Vunerability (gdiplus.dll) scan as XXXXXXXXXX...
This scan may take a few moments to search the target (XXX.XXX.XXX.XXX) local drives drives
Error encountered. Details below:
75 - Access is denied.
Beginning MS04-028 Vunerability (mso.dll) scan as XXXXXXXXXX...
This scan may take a few moments to search the target (XXX.XXX.XXX.XXX) local drives drives
Error encountered. Details below:
75 - Access is denied.
Beginning MS04-028 Vunerability (vgx.dll) scan as XXXXXXXXXX...
This scan may take a few moments to search the target (XXX.XXX.XXX.XXX) local drives drives
Error encountered. Details below:
75 - Access is denied.
Beginning MS04-028 Vunerability (sxs.dll) scan as XXXXXXXXXX...
This scan may take a few moments to search the target (XXX.XXX.XXX.XXX) local drives drives
Error encountered. Details below:
75 - Access is denied.
--------------------------
We are at a loss. The script works fine on W2K systems and servers. XP is the only issue. What is the solution? This is becoming a critical issue...

RE: GDI JPEG Exploit - 24.Oct.2004 9:30:00 PM
DanielSchell
Posts: 179
Joined: 16.Oct.2003
From: Adelaide, Australia
Status: offline
Is simple file sharing enabled on the computers being scanned? If so, try to disable this (Windows Explorer folder options) and try again.

RE: GDI JPEG Exploit - 25.Oct.2004 3:31:00 PM
Paladium
Posts: 8
Joined: 27.Sep.2004
From: Michigan
Status: offline
Same error message with simple file sharing turned off followed by a reboot just to be sure. The security log shows the following error:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 10/25/2004
Time: 3:16:42 PM
User: NT AUTHORITY\SYSTEM
Computer: XXXXXXXXXXXXXX
Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Administrator
Source Workstation: XXXXXXXXXXXXXX
Error Code: 0xC0000064
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
------------------------ Microsoft Description ------------------------ Details We're sorry There is no additional information about this issue in the Error and Event Log Messages or Knowledge Base databases at this time. You can use the links in the Support area to determine whether any additional information might be available elsewhere.
-------------------------------------------- Thank you for searching on this message; your search helps us identify those areas for which we need to provide more information.

RE: GDI JPEG Exploit - 25.Oct.2004 8:22:00 PM
DanielSchell
Posts: 179
Joined: 16.Oct.2003
From: Adelaide, Australia
Status: offline
Hi Paladium,
The error stands for:
0xC0000064 User logon with Misspelled or Bad User Account
http://support.microsoft.com/default.aspx?scid=kb;en-us;189541&sd=tech
Try using alternative credentials of some different users and see if you get different results. I have been using the DOMAIN\administrator account in testing.

RE: GDI JPEG Exploit - 26.Oct.2004 12:28:00 PM
Paladium
Posts: 8
Joined: 27.Sep.2004
From: Michigan
Status: offline
OK. Once I stopped trying to run this against the two test machines and tried a third XP machine, it worked as advertised! Time to reload the test machines!
Thanks to all who helped in this...
Now, how can the script be modified to EXCLUDE mapped drives?
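
Added example, not part of the thread and not DanielSchell's script: a PowerShell sketch of the scan described above (a WMI query for every copy of the DLL, then a per-file version check) that also answers the mapped-drive question by querying fixed local disks only. The function name `Get-DllVersionReport` is hypothetical, the fixed version is supplied by the caller from the bulletin because the thread does not state it, and the target is assumed to accept CIM (WinRM) sessions.

```powershell
function Get-DllVersionReport {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$FileName = 'gdiplus',      # base name, no extension (mso, vgx, sxs also apply)
        [Parameter(Mandatory)]
        [version]$FixedVersion,             # assumption: taken from the bulletin for this file
        [pscredential]$Credential           # the "alternative credentials" from the thread
    )

    $sessionArgs = @{ ComputerName = $ComputerName }
    if ($Credential) { $sessionArgs.Credential = $Credential }
    $session = New-CimSession @sessionArgs

    try {
        # DriveType 3 = local fixed disk. Type 4 (network/mapped) and 5 (CD-ROM) are skipped.
        $disks = Get-CimInstance -CimSession $session -ClassName Win32_LogicalDisk `
                                 -Filter 'DriveType = 3'

        foreach ($disk in $disks) {
            # Scoping the query to one drive keeps the CIM_DataFile search off other volumes.
            $filter = "Drive = '$($disk.DeviceID)' AND FileName = '$FileName' AND Extension = 'dll'"

            Get-CimInstance -CimSession $session -ClassName CIM_DataFile -Filter $filter |
                ForEach-Object {
                    # Version strings look like "5.1.3097.0 (xpclient.010817-1148)";
                    # only the leading numeric part is comparable.
                    $parsed = $null
                    $ok = [version]::TryParse(($_.Version -split ' ')[0], [ref]$parsed)

                    [pscustomobject]@{
                        Host    = $ComputerName
                        Path    = $_.Name
                        Version = $_.Version
                        Status  = if (-not $ok) { 'UNKNOWN' }
                                  elseif ($parsed -lt $FixedVersion) { 'VULNERABLE' }
                                  else { 'OK' }
                    }
                }
        }
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}
```

Files with no parseable version resource are reported as UNKNOWN rather than silently passed, so they can be checked by hand.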