<<< Date Index >>>     <<< Thread Index >>>

RE: Microsoft's GDI Detetection Tool faults



First, you should download a newer version of the SANS gdi tool.  i had
similar output to yours but mine was a more verbose with it's descriptions.
See below:

Scanning Drive C:...
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
   Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6
SP1 only)
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
   Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall
purposes)
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\as
ms\10\msft\windows\gdiplus\gdiplus.dll
   Version: 5.1.3102.2180
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\sx
s.dll
   Version: 5.1.2600.2180
C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\vg
x.dll
   Version: 6.0.2900.2180
C:\WINDOWS\system32\dllcache\sxs.dll
   Version: 5.1.2600.1515
C:\WINDOWS\system32\dllcache\vgx.dll
   Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6
SP1 only)
C:\WINDOWS\system32\sxs.dll
   Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-w
w_8d353f13\GdiPlus.dll
   Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-
ww_712befd8\GdiPlus.dll
   Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
Scan Complete.

The fact that it says, for example, (Win2K SP2 and SP3 w/IE6 SP1 only) next
to several make me feel secure.  I'm running XP Pro SP2.  I think this is
because the version number is all that the gdi scan is looking.  So, it
gives a little more feedback so the user knows if they're still vulnerable
or not.

As per your second question...

COM and Shared DLL Isolation Support

Windows XP has a new folder under Windows called "WinSxS" (Windows
Side-by-Side). This area is used to store versions of Windows XP components
that are built to reduce configuration problems with Dynamic Link Libraries
(DLL) (DLL hell). Multiple versions of components are stored in this folder.
Windows XP allows Win32® API components and applications to use the exact
version of Microsoft components with which they are tested and not be
impacted by other application or operating system updates. It does this by
relying on XML files that contain metadata about application configuration
such as COM classes, interfaces, and type libraries.[1]

Hope that helps.

[1]
http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/xptechov.mspx

-----Original Message-----
From: albatross@xxxxxx [mailto:albatross@xxxxxx]
Sent: Monday, September 27, 2004 1:46 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Microsoft's GDI Detetection Tool faults


In-Reply-To:
<B7C2C6BA798F3C4DBDD78BEDC1F8AD5705D7D30D@xxxxxxxxxxxxxxxxxxxxxxxx>

The machine is a Windows XP SP1 completly patched with Office 2000 SP 3
completly patched.

I don't have any kind of imaging programs installed (Photoshop, Picture It,
etc)

The output from the SANS tool is:

Scanning...
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
   Version: 5.1.2600.0 <-- Vulnerable version
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
   Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\ServicePackFiles\i386\sxs.dll
   Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\system32\sxs.dll
   Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-w
w_8d353f13\GdiPlus.dll
   Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-
ww_712befd8\GdiPlus.dll
   Version: 5.1.3101.0 <-- Vulnerable version
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.13
60_x-ww_24a2ed47\GdiPlus.dll
   Version: 5.1.3102.1360
Scan Complete.


Does anybody know what the content of the WinSxS directory under the windows
installation path is?

albatross


>How did you test this (and on what platform), and why do you propose
>that the SANS tool is delivering more accurate results than the GDI tool
>delivered by Microsoft?
>
>I tested the SANS tool against a properly patched XP system on Friday
>and found it to false positive on many of the locations it said it
>wouldn't test on.  Additionally, I found it to alert on MS09.dll, on an
>XP system.  Our understanding from Microsoft is that MS09.DLL only needs
>to be updated to be fully compatible with an updated GDIPLUS.DLL in the
>system directory, it is not directly vulnerable.
>
>So, it would be good to know what you found.
>
>Best,
>
>Gaby
>