Oct 1 2004, 04:10 PM, Post #16

Bleep Bleep! Group: Admin Posts: 29,367 Joined: 24-January 04 From: USA Member No.: 3

My Windows XP CD has the same directory as Koan:

\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS

I think the directory that Koan is seeing is when computer manufacturers copy the entire CD onto the hard drive so that files are available. Does not hurt to rename that file and replace it with the latest redistributable.

--------------------
Lawrence

Oct 2 2004, 12:22 PM, Post #17

New Member Group: Members Posts: 1 Joined: 2-October 04 Member No.: 3,239

Kudos and thumbs up to Grinler for his amazing tutorial!! It's amazing, particularly if you have earlier tried to read MS's MS04-028 FAQ section .... and used their tool to discover potential GDI+ DLL issues!

/Zvika

This post has been edited by zvika: Oct 2 2004, 01:18 PM

Oct 2 2004, 01:24 PM, Post #18

New Member Group: Members Posts: 2 Joined: 2-October 04 Member No.: 3,247

My SXS.DLL vulnerable version is at C:\I386\SXS.DLL. It is version 5.1.2600.1106. I have another SXS.DLL at C:\Windows\ServicePackFiles\i386\sxs.dll. It is version 5.1.2600.2180 and shows that it is NOT a vulnerable file. Can I replace the vulnerable file with this one? I have XP Home with SP2.

Oct 3 2004, 03:28 PM, Post #19

Bleep Bleep! Group: Admin Posts: 29,367 Joined: 24-January 04 From: USA Member No.: 3

Yes you can.. just make sure you make a backup of the one under c:\i386.

Just so you know, the c:\i386 is most likely an entire copy of the operating system so is not actively vulnerable, but if new Windows components are added in the future it may, large may, become a problem.

--------------------
Lawrence

Oct 3 2004, 05:14 PM, Post #20

New Member Group: Members Posts: 1 Joined: 3-October 04 Member No.: 3,284

Hi all. How about the 'possibly vulnerable' list that GDISCAN finds?

My XP system passed Microsoft's scan with no GDI+ vulnerabilities found. My GDISCAN found these - all in the Windows folder except for one at the bottom which is a 'shared' thing. Any recommendations to do anything about any of these at this point? Thanks.

Scanning Drive C:...
C:\WINDOWS\system32\dllcache\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\system32\dllcache\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall purposes)
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
Scan Complete.

Oct 4 2004, 01:03 PM, Post #21

New Member Group: Members Posts: 2 Joined: 2-October 04 Member No.: 3,247

Hi Grinler,

I downloaded and installed the GDIplus.dll over the corrupted one as instructed in the beginning of this topic. The following was also downloaded in Notepad with the download;

===========Gdiplus.dll====================================
For Windows XP use the system-supplied gdiplus.dll. Do not install a new gdiplus.dll over the system-supplied version (it will fail due to Windows File Protection).

For Windows 2000, Windows Millennium Edition, Windows NT 4.0 and Windows 98, install gdiplus.dll into the private directory of the application not into the system directory.

In addition to the rights granted in Section 1 of the Agreement ("Agreement"), with respect to gdiplus.dll for Windows 2000, Windows Millennium Edition, Windows NT 4.0 and Windows 98, you have the following non-exclusive, royalty free rights subject to the Distribution Requirements detailed in Section 1 of the Agreement:

(1) You may distribute gdiplus.dll solely for use with Windows 2000, Windows Millennium Edition, Windows NT 4.0 and Windows 98.
======================================================

I have Windows XP and it replaced the vulnerable DLL and shows no vulnerability when I re-scan it. I put the vulnerable DLL in a separate folder and that shows vulnerable in a scan. Do I need to worry about keeping that in a separate folder and getting exploited later or should I just place it in the Recycle Bin?

This post has been edited by jon_fl: Oct 4 2004, 01:05 PM

Oct 4 2004, 01:48 PM, Post #22

Bleep Bleep! Group: Admin Posts: 29,367 Joined: 24-January 04 From: USA Member No.: 3

CBCB,

I would prob replace the ones here:

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)

With the ones found in my link above. Just make sure you make a backup.

jon_fl,

I would hold onto the originals ... just rename them from gdiplus.dll to gdiplus.bad or something like that.

--------------------
Lawrence
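
One way to triage GDISCAN output like the logs posted in this thread, as an added example that is not part of any post and not code from the GDISCAN tool: it parses the path / `Version:` / `<--` marker entries and groups them by the scanner's own status text. The function names and location labels are assumptions made for the illustration, and the sample log is constructed from entries posted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: entries taken from scan logs posted in this thread,
# flattened onto one line the way the forum page rendered them.
SAMPLE_LOG = (
    r"Scanning Drive C:... "
    r"C:\WINDOWS\system32\sxs.dll Version: 5.1.2600.1515 "
    r"C:\WINDOWS\system32\dllcache\vgx.dll Version: 6.0.2800.1106 "
    r"<-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only) "
    r"C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Version: 5.1.2600.1106 "
    r"<-- Possibly vulnerable (Backup for uninstall purposes) "
    r"C:\Program Files\Microsoft Office\Visio Viewer\gdiplus.dll "
    r"Version: 5.1.3100.0 <-- Vulnerable version "
    r"Scan Complete."
)

# One entry: drive path, "Version: x.y.z", optional "<-- status (note)".
# DOTALL lets the path and its Version sit on separate lines as well.
ENTRY = re.compile(
    r"(?P<path>[A-Za-z]:\\.+?)\s+Version:\s+(?P<version>\d+(?:\.\d+)*)"
    r"(?:\s+<--\s+(?P<status>Vulnerable version|Possibly vulnerable)"
    r"(?:\s+\((?P<note>[^)]*)\))?)?",
    re.DOTALL,
)

# Assumed labels for the folder kinds the thread talks about.
LOCATIONS = (
    ("\\$ntuninstall", "uninstall backup"),
    ("\\dllcache\\", "dllcache copy"),
    ("\\winsxs\\", "side-by-side assembly"),
    ("\\i386\\", "install-source copy"),
)

def location(path):
    """Label where a DLL copy lives; anything else is an app/system folder."""
    p = path.lower()
    return next((label for key, label in LOCATIONS if key in p),
                "application/system folder")

def parse_scan(text):
    """Return one dict per scanned file found in the log text."""
    return [{"path": m["path"].strip(), "version": m["version"],
             "status": m["status"] or "Not flagged", "note": m["note"],
             "location": location(m["path"])} for m in ENTRY.finditer(text)]

def triage(findings):
    """Group findings by the scanner's status so flagged files come out together."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["status"]].append(f)
    return dict(groups)
```

Calling `triage(parse_scan(log_text))` on a saved log gives the "Vulnerable version" entries as one list, with each file's location label alongside to help decide which copies to back up and replace first.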

Oct 5 2004, 09:14 AM, Post #23

Bleeping GloDiva Group: Members Posts: 7,479 Joined: 25-April 04 From: As always I'm beside myself ;) Member No.: 228

Here is my scan. Nothing shows in red. Am I O.K.?....................

{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Verdana;}{\f1\fswiss\fprq2\fcharset0 Verdana;}}{\colortbl ;\red0\green0\blue0;\red255\green0\blue0;\red180\green180\blue0;}\viewkind4\uc1\pard\cf1\f0\fs17 Scanning Drive C:...\parC:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\vgx.dll\par \cf1\f0Version: 6.0.2800.1411\parScan Complete.\par}

Oct 5 2004, 09:49 AM, Post #24

Bleep Bleep! Group: Admin Posts: 29,367 Joined: 24-January 04 From: USA Member No.: 3

I am assuming you're a 98 or ME machine, which is why the formatting is so strange.

But reading between all the formatting text, it looks good.

--------------------
Lawrence

Oct 5 2004, 09:51 AM, Post #25

Bleeping GloDiva Group: Members Posts: 7,479 Joined: 25-April 04 From: As always I'm beside myself ;) Member No.: 228

Yes, Grinler, I have ME. I thought it looked strange too. Thanks

This post has been edited by scarlett: Oct 5 2004, 09:53 AM

Oct 8 2004, 03:31 PM, Post #26

New Member Group: Members Posts: 1 Joined: 8-October 04 Member No.: 3,426

I am trying to scan other computers on our network. Tom Listen thought that the command line version would be able to handle a UNC for the drive letter. Perhaps I am not doing it right. Any suggestions?

U:\>gdiclscan.exe
Usage: GDICLScan.exe driveletter [driveletter...] logfilename
U:\>gdiclscan.exe \\how1example\c$ gdiplus.txt
U:\>gdiclscan.exe

This post has been edited by Rojer: Oct 8 2004, 03:42 PM

Oct 8 2004, 06:18 PM, Post #27

Bleep Bleep! Group: Admin Posts: 29,367 Joined: 24-January 04 From: USA Member No.: 3

Nice! Thanks for sharing the tip with us

--------------------
Lawrence

Oct 11 2004, 09:45 AM, Post #28

New Member Group: Members Posts: 1 Joined: 11-October 04 Member No.: 3,509

Hi,

Anyone help with Visio Viewer? I cannot find a patch or workaround :-(

Scanning Drive C:...
C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.DLL
Version: 6.0.2800.1411
C:\Program Files\Microsoft Office\Visio Viewer\gdiplus.dll
Version: 5.1.3100.0 <-- Vulnerable version
C:\Program Files\ProgramCache\office\Source\PFILES\COMMON\MSSHARED\VGX\VGX.DLL
Version: 5.0.3014.1003 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll
Version: 5.1.3101.0 <-- Vulnerable version
C:\WINNT\system32\dllcache\vgx.dll
Version: 6.0.2800.1411
Scan Complete.

Cheers,
Rob

Oct 11 2004, 09:51 AM, Post #29

Bleep Bleep! Group: Admin Posts: 29,367 Joined: 24-January 04 From: USA Member No.: 3

Have you tried downloading the Microsoft redistributable and seeing if the program works properly? Remember to back up the existing DLL first.

--------------------
Lawrence

Oct 12 2004, 10:14 AM, Post #30

Forum Regular Group: Members Posts: 208 Joined: 13-July 04 Member No.: 1,385

I am about to replace some of the gdiplus.dll files on my computers. I have a few questions.

1. Can you expand a bit on the C:\ I36 directory? I also have the ASMS folder within, with a bunch of numbered subfolders.

2. I did DL from MS the gdiplus.dll they offer - it is version 3102.1360. Yet my system shows a .dll version # 3102.2180. A newer version than the one they are giving me? Just wondering.

3. I realize that after replacing the vulnerable DLL with the new one I should scan again. But, how do I check to see that the DLL is doing its thing, irrespective of vulnerability?

Thanks for the great tutorial!!

--------------------
EDBEE from NMUSA- RENOWNED MALWARE FIGHTER AND SWORN ENEMY OF ALL INTERNET HIJACKERS