The Graphics Rendering Engine in Microsoft Windows 2000 through 2000 SP4 and Windows XP through SP2 maps GDI kernel structures in a global shared memory section that is mapped with read-only permissions but can be remapped by other processes as read-write. This allows local users to cause a denial of service (memory corruption and crash) and gain privileges by modifying the kernel structures.
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Link | Tags |
---|---|
http://www.vupen.com/english/advisories/2007/1215 | vdb entry, vendor advisory |
http://kernelwars.blogspot.com/2007/01/alive.html | |
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2056 | vdb entry, signature |
http://www.blackhat.com/html/bh-europe-07/bh-eu-07-speakers.html#Eriksson | |
http://www.vupen.com/english/advisories/2006/4358 | vdb entry, vendor advisory |
https://exchange.xforce.ibmcloud.com/vulnerabilities/30042 | vdb entry |
http://www.securityfocus.com/archive/1/466186/100/200/threaded | vendor advisory |
http://projects.info-pull.com/mokb/MOKB-06-11-2006.html | |
http://securitytracker.com/id?1017168 | vdb entry |
http://www.securityfocus.com/bid/20940 | vdb entry, exploit |
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-017 | vendor advisory |
http://secunia.com/advisories/22668 | third party advisory, vendor advisory |