GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability

  • September 28, 2004
  • Read 30,303 times

Table of Contents

  1. What is the GDI+ Jpeg Vulnerability
  2. What is GDI Scan
  3. How to use GDI Scan
  4. How do I interpret the results
  5. Conclusion

What is the GDI+ JPEG Vulnerability

GDI+ is a programming interface or API that enables programs to use graphics and formatted text on a video display or printer. A vulnerability, GDI+ JPEG Vulnerability, was found in the DLL gdiplus.dll used by GDI+ that has faulty code when processing JPEG images. People who know how this code can be exploited can craft a specially designed JPEG that can exploit this bug and possibly take control of your machine. If you view an image using an application that has this vulnerability, then it is possible for the remote program to issue commands on your computer at the same security level as your user account. Therefore if your user account is an administrator of your machine, then the remote code will have administrative privileges and be able to have full access to the security of your computer.

Microsoft has released an update for this vulnerability which you can get by going to Windows Update for the operating system update and Office Update for the Microsoft office update. Be sure to do those updates immediately as this tutorial assumes you already have them and is focused on resolving issues for 3rd party applications that may be affected by the GDI+ JPEG vulnerability.

What is GDI Scan

A major problem with this vulnerability is that there are 3rd party, non-microsoft, applications that ship with this exploitable DLL. Since Microsoft's update only updates the DLL that came with the Operating System software, you still may be vulnerable from other applications that it does not upgrade. Microsoft released a GDI+ Detection Tool which will scan your computer and tell you if it found any MICROSOFT programs that may be vulnerable. Unfortunately it does not tell you WHAT programs are vulnerable and just directs you back to windows update and office update. Even worse, it does not let you know if any 3rd party software may be affected, leaving you still in the dark.

Because of this Tom Liston, the person who developed the LaBrea Tarpit honeypot software, has created a tool called GDI Scan that will scan a drive on your computer for files that are possibly vulnerable to the GDI+ JPEG exploit. When it has completed scanning the partition it will create a log that will show all possibly vulnerable DLLs found. You can then use this information to determine what programs are affected and then attempt to upgrade these programs so they are no longer vulnerable.

When you run this tool it will scan the partition you specify for any of the following files:

gdiplus.dll (known to be exploitable)

If it finds these files it will attempt to determine if they are vulnerable to the GDI JPEG exploit. If they are, they will be listed in red in the resulting log file.

It is important to note that the previously listed DLLs can be found in more than one location on your hard drive. If they are located in multiple locations on your computer, the program will check the following locations for the DLL, in this order, and if found uses the DLL it finds first:

  1. Loads the DLL from the same directory the application is installed
  2. Loads the DLL from the current working directory you ran the program from.
  3. Windows 95/98/ME will load it from the c:\windows\system directory
  4. Windows NT/2000/XP/2003 will load it from c:\windows\system32
  5. Windows NT/2000/XP/2003 will load it from c:\windows\system
  6. The Windows directory (\windows)
  7. Any directories that are listed in the PATH environment variable.

It is therefore possible for the operating system to be properly patched, but for a copy of the exploitable DLL to still be found elsewhere in your computer, which still allows for the vulnerability.

How to use GDI Scan

Step 1: Download GUI version of gdiscan.exe

You can download GDI Scan from the following link:

Download the GUI version to a location you will remember later.

Step 2: Run gdiscan.exe

Once it is downloaded, double-click on gdiscan.exe and a screen similar to the one below will appear:

Start GDIScan
Figure 1: Start GDIScan

First select the drive, designated by the green box in Figure 1, you would like to scan. Once the drive you want to scan is selected, press the Scan button designated by the red box in Figure 1. The program will now scan the drive letter you specified for any copies of the gdiplus.dll, and associated DLLSs, and display them for you as shown in Figure 2 below.

GDIScan.exe Results
Figure 2: GDIScan.exe Results

You can then click on the Clipboard button, designated by the red box, to copy the contents of the results to your clipboard. Then paste the results into a notepad or other document that you can refer back to later.

For Windows 95/98/ME Users

It is important to note that this application was designed specifically for XP,2000, or NT. This does not mean, though, that you can not use it in Windows 95, 98, or ME. In order to view the results properly we will need to create an RTF (Rich Text Format) document. Run the program as described above and when it is finished scanning your partition follow these steps:

  1. Click on the Clipboard button to copy the contents of the log into memory.
  2. Click on Start, then Run, and type notepad and press the OK button.
  3. When the notepad is open, click on the Edit menu, and then select Paste. The contents of the log should now be in the notepad.
  4. Click on File and then Save As.
  5. When the Save As dialog box opens change the following:
    1. Change the Save In drop down selection box to the Desktop
    2. Change the Save As Type drop down box to All Files.
    3. Enter log.rtf into the File Name field
  6. Press the Save button
  7. Minimize your desktop and you should now see a icon on your desktop called log.rtf. Double-click on this icon and it will either open in Word, if you have it, or Wordpad if you don't. You should now see the proper formatting in the log.

How do I interpret the results

Now that we have this log, I bet you are wondering what you are supposed to do with it. Well as of right now, the only DLL that we know for sure is exploitable is the gdiplus.dll. So we focus on those listings that contain that DLL and are the proper version or lower.

If it states that it finds DLLs in directories like Windows\$NtUniinstallKB you can safely ignore them. These directories are created in case you want to uninstall various Microsoft updates. Therefore it would not be strange to see the older DLLs there.

NOTE: Previously I had stated that files found in the \Windows\WinSxS directory could be safely ignored. It has been brought to my attention that this information was actually incorrect. The \Windows\WinSxS directory is where Windows stores it's side-by-side DLLs. Side-by-side DLLs are used to allow multiple versions of the same DLL to exist in Windows at the same time. The Operating System maintains a list of which applications use which side-by-side DLL. This allows different versions of the same DLL to coexist on the same computer and have multiple applications share them. Therefore if you see outdated DLLs found here you may want to see if they can be updated via OfficeUpdate, Windows Update, or replacing it with the redistributable. As always make a backup copy first of the DLL found in the \WinSxS first. - Thanks to Donald Smith for the clarification.

Lets take an example from the log above and see how we can interpret the results:

Exploitable DLLs
Figure 3: Exploitable DLLs that were found

As you can see from the above figure, gdiscan found two exploitable copies of gdiplus.dll on my machine. One is in the FolderSizes directory and the other is in the WS_FTP Pro directory. I now know that I need to visit the web sites of these applications and see if there are any updates available. If there are, we download them, install them, and hope they fix the problem, which we can check by running gdiscan.exe again after the installation is complete. If the problem still exists, then you should contact the software manufacturer and explain the situation.

Another workaround may be to download the latest gdiplus.dll from Microsoft. This fix may cause problems with your software if the developers of that software added extra functionality into their copy of the gdiplus.dll. Therefore, please make a backup of the existing gdiplus.dll before you do this method.

You can download this file from the following link:

Platform SDK Redistributable: GDI+

When you download this file, run it and extract the files to c:\gdiplus. Then navigate to c:\gdiplus, and you will find it contains the DLL, gdiplus.dll. Simply copy this DLL over the known exploitable one from the log to replace it. Now that you have replaced that program's gdiplus.dll it should not be exploitable.


Now that you know how to check your system for GDI+ JPEG exploit it is advisable that you do so immediately. At the time of this writing more reports are coming out about tools and sample code to take advantage of this vulnerability. The sooner you run this tool and fix any of the exploitable copies of this DLL on your system, the safer you will be.

Lawrence Abrams
Bleeping Computer Advanced Internet Security Concepts Computer Support & Tutorials for the beginning computer user.


Users who read this also read:

  • How to remove Home Search Assistant - CWS_NS3 - Only the Best Hijacker Image
    How to remove Home Search Assistant - CWS_NS3 - Only the Best Hijacker

    There is a new CoolWebSearch browser hijacker infection that has become very common lately. Symptoms of this infection include your computer becoming slower, popups, and when you start Internet Explorer your web page gets redirected to a site that has a title of Home Search.

  • How to change or select which program starts when you double-click a file in Windows 8 Image
    How to change or select which program starts when you double-click a file in Windows 8

    When you double-click on a file in Windows 8, Windows will automatically open that file using a program that has been associated with that file's extension. There may come a time, though, that you wish you to use a different program to open a file rather than use the one that is set as the default in Windows. This tutorial will discuss how to assign a different program to a file extension so ...

  • Tracing a hacker Image
    Tracing a hacker

    Have you ever been connected to your computer when something strange happens? A CD drive opens on its own, your mouse moves by itself, programs close without any errors, or your printer starts printing out of nowhere? When this happens, one of the first thoughts that may pop into your head is that someone has hacked your computer and is playing around with you. Then you start feeling anger tinged ...

  • Safely Connecting a Computer to the Internet Image
    Safely Connecting a Computer to the Internet

    It is exciting to get a new computer. Think of all the applications and games you can now run, the music you can store, and the pictures you can share with friends. Your new computer is delivered, you quickly unpack it, and start plugging it all in. The computer boots up, the desktop appears, and just by clicking on your web browser icon you are suddenly connected to the wide world of the Internet ...

  • How to remove a Trojan, Virus, Worm, or other Malware Image
    How to remove a Trojan, Virus, Worm, or other Malware

    If you use a computer, read the newspaper, or watch the news, you will know about computer viruses or other malware. These are those malicious programs that once they infect your machine will start causing havoc on your computer. What many people do not know is that there are many different types of infections that are categorized in the general category of Malware.



blog comments powered by Disqus
search tutorials


Remember Me
Sign in anonymously