0-day XP SP2 wmf exploit

2006-08-07 Thread cyanid-E
Description: yet another 'windows meta file' (WMF) denial of service exploit.
System affected:
+ Windows XP SP2
+ Windows 2003 SP1
+ Windows XP SP1
+ Windows XP
+ Windows 2003
Tech info: page fault in gdi32!CreateBrushIndirect() because of an invalid pointer access. Incorrect (short) to (void*)

0-day XP SP2 wmf exploit (some details)

2006-08-07 Thread cyanid-E
There are some technical details.
1. 'Bad' wmf record:
07 00 00 00 - length of record (in words)
FC 02 - type (CreateBrushIndirect)
08 00 00 00 00 00 00 80 - 'packed' (good old Win16 days) LOGBRUSH data:
  08 00 - 'packed' lbStyle (may be BS_DIBPATTERNPT [6] or BS_DIBPATTERN8X8 [8])
  00 00 00 00 -

Re: WMF Exploit

2006-01-05 Thread Joshua
This is probably due to M$ thumbnail generation. You can disable that and see if it fixes the problem... [EMAIL PROTECTED] wrote: I've tested the exploit on XP home and I've found that it does not even need a single click on my machine. Once the folder containing the file is open (this was

WMF exploit

2006-01-04 Thread Andreas Marx
Hi, I like what SANS is saying about the current MS announcement to deliver a patch by Jan 10, 2006, but not earlier: http://isc.sans.org/diary.php This is the interesting part: Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate

Another WMF exploit workaround

2006-01-04 Thread Ivan Arce
For those interested, Core FORCE is a free endpoint security software currently in Beta stage. With it users can configure access control permissions to file system objects independently of the operating system's ACLs and security policy enforcement mechanisms. The default security profiles of

Re: WMF Exploit

2006-01-04 Thread Paul Laudanski
On Tue, 3 Jan 2006, Sam Munro wrote: I haven't seen this mentioned yet so I thought I would give you guys a heads-up: a very good patch has been written by Ilfak Guilfanov http://www.hexblog.com/2005/12/wmf_vuln.html as a temporary solution until MS get their act together. Can be downloaded

RE: WMF Exploit

2006-01-04 Thread Discussion Lists
other client apps. Email me at this address if you want me to send it out to anyone. Thanks! -Original Message- From: Bill Busby [mailto:[EMAIL PROTECTED] Sent: Thursday, December 29, 2005 1:35 PM To: Hayes, Bill; [EMAIL PROTECTED] Cc: bugtraq@securityfocus.com Subject: RE: WMF Exploit

Re: WMF Exploit

2006-01-03 Thread Justin Myers
Apologies if you've already read this, but this is interesting news: Apparently shimgvw.dll isn't the problem; according to the Kaspersky Lab blog, gdi32.dll is. From http://www.viruslist.com/en/weblog?discuss=176892530return=1 (which talks about an IM worm that uses this): Going back to the

Re: RE: WMF Exploit

2006-01-03 Thread grasshopa
I've tested the exploit on XP home and I've found that it does not even need a single click on my machine. Once the folder containing the file is open (this was in list view) the exploit will run. Scary sh*t!

Re: WMF Exploit

2006-01-03 Thread Frank Knobbe
On Fri, 2005-12-30 at 15:40 -0500, Paul Laudanski wrote: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|";

RE: WMF Exploit

2006-01-03 Thread Paul
, December 30, 2005 3:41 PM To: Bill Busby Cc: Hayes, Bill; [EMAIL PROTECTED]; bugtraq@securityfocus.com Subject: Re: WMF Exploit On Thu, 29 Dec 2005, Bill Busby wrote: It is not only *.wmf extensions it is all files that have windows metafile headers that will open with the Windows Picture and Fax

RE: WMF Exploit

2005-12-30 Thread Derick Anderson
-Original Message- From: Hayes, Bill [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 28, 2005 6:02 PM To: [EMAIL PROTECTED] Cc: bugtraq@securityfocus.com Subject: RE: WMF Exploit CERT now has posted Vulnerability Note VU#181038, Microsoft Windows may be vulnerable

RE: WMF Exploit

2005-12-30 Thread Bill Busby
@securityfocus.com Subject: WMF Exploit Another quick observation, again, I apologize if this information has already been posted; I haven't been able to read all the posts today. The thumbnail view in Windows Explorer will parse the graphics files in a folder, even if the file is never explicitly

Re: WMF Exploit

2005-12-30 Thread Paul Laudanski
have put together two rules for this: alert ip any any -> any any (msg:"COMPANY-LOCAL WMF Exploit"; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228
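As an added example, and not code from any post in this thread: a small Python WMF record walker that recognises the two record shapes the thread discusses, the Escape/SETABORTPROC record that the Snort signatures above (Frank Knobbe's and Paul Laudanski's) match on, and the CreateBrushIndirect record with a BS_DIBPATTERN lbStyle that cyanid-E's later post lays out byte by byte. The sample files are constructed inline from the header and record layouts given in the thread, not the exploit files themselves; the record type values (0x0626, 0x02FC), escape number 9 and brush styles 6 and 8 are taken from the MS-WMF specification.

```python
"""Added example: walk WMF records and flag the two patterns discussed in the thread.

Not from the bugtraq posts. Constants are from the MS-WMF specification; the
sample files are constructed here and are not the real exploit files.
"""
import struct

META_EOF = 0x0000
META_SETMAPMODE = 0x0103          # benign record used for the negative sample
META_ESCAPE = 0x0626              # bytes "26 06" in the Snort signatures
META_CREATEBRUSHINDIRECT = 0x02FC # bytes "FC 02" in cyanid-E's record dump
SETABORTPROC = 0x0009             # escape function "09 00" in the signatures
BS_DIBPATTERNPT = 6
BS_DIBPATTERN8X8 = 8
PLACEABLE_KEY = 0x9AC6CDD7        # Aldus placeable header magic (22-byte prefix)
WMF_HEADER_LEN = 18


def _strip_placeable(data: bytes) -> bytes:
    """Drop the optional 22-byte placeable header so offsets start at the real header."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def iter_records(data: bytes):
    """Yield (offset, function, params) for each record after the 18-byte WMF header.

    Record layout: DWORD size in 16-bit words (including itself), WORD function,
    then size-3 words of parameters. Stops at META_EOF or a malformed size.
    """
    data = _strip_placeable(data)
    if len(data) < WMF_HEADER_LEN:
        raise ValueError("too short for a WMF header")
    mt_type, hdr_words, _version = struct.unpack_from("<HHH", data, 0)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off = hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or off + size_words * 2 > len(data):
            raise ValueError(f"bad record size at offset {off}")
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def scan_wmf(data: bytes) -> list:
    """Return (label, offset) for every record matching one of the two patterns."""
    findings = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            escape_fn = struct.unpack_from("<H", params, 0)[0]
            if escape_fn == SETABORTPROC:
                findings.append(("ESCAPE_SETABORTPROC", off))
        elif func == META_CREATEBRUSHINDIRECT and len(params) >= 2:
            lb_style = struct.unpack_from("<H", params, 0)[0]  # packed LOGBRUSH.lbStyle
            if lb_style in (BS_DIBPATTERNPT, BS_DIBPATTERN8X8):
                findings.append(("CREATEBRUSHINDIRECT_DIBPATTERN", off))
    return findings


def signature_hit(data: bytes) -> bool:
    """Rough equivalent of the posted Snort content matches: standard header bytes at
    the start and the Escape/SETABORTPROC word pair anywhere in the body."""
    body = _strip_placeable(data)
    return body[:6] == b"\x01\x00\x09\x00\x00\x03" and b"\x26\x06\x09\x00" in body


def _record(func: int, params: bytes) -> bytes:
    assert len(params) % 2 == 0, "WMF parameters are whole 16-bit words"
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records) -> bytes:
    """Assemble a memory-metafile (mtType=1) with the given (function, params) records."""
    body = b"".join(_record(f, p) for f, p in records) + _record(META_EOF, b"")
    max_rec = max([3 + len(p) // 2 for _, p in records] + [3])
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2,
                         len(records), max_rec, 0)
    return header + body


# Constructed samples (assumption: these stand in for the files in the thread).
SAMPLE_ESCAPE = build_wmf([
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x90\x90\x90\x90"),
])
SAMPLE_BRUSH = build_wmf([
    # reproduces cyanid-E's record: 07 00 00 00 FC 02 08 00 00 00 00 00 00 80
    (META_CREATEBRUSHINDIRECT, struct.pack("<HIH", BS_DIBPATTERN8X8, 0, 0x8000)),
])
SAMPLE_BENIGN = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8))])

if __name__ == "__main__":
    for name, blob in (("escape", SAMPLE_ESCAPE), ("brush", SAMPLE_BRUSH), ("benign", SAMPLE_BENIGN)):
        print(name, scan_wmf(blob), signature_hit(blob))
```

Walking records instead of matching raw bytes sidesteps two problems that the thread's own observations point at: a placeable (Aldus) header pushes the standard header 22 bytes down, past where a fixed-offset content match expects it, and the pair `26 06 09 00` can legitimately occur inside bitmap data, so a bare byte match will both miss and false-alarm. The scanner also keys on content rather than extension, which matters given the note above that any file with a metafile header is parsed regardless of how it is named.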

RE: WMF Exploit

2005-12-29 Thread Hayes, Bill
To: bugtraq@securityfocus.com Subject: WMF Exploit Another quick observation, again, I apologize if this information has already been posted; I haven't been able to read all the posts today. The thumbnail view in Windows Explorer will parse the graphics files in a folder, even if the file is never

WMF exploit

2005-12-29 Thread ninjapicook
use c:\regsvr32.exe /u shimgvw.dll to disable wmf execution

WMF Exploit

2005-12-28 Thread davidribyrne
I apologize if this information has already been posted; I haven’t been able to read all the posts today. Many of the exploit descriptions that I’ve seen reference .WMF files. Like prior GDI exploits, this isn’t strictly true. If the exploit file is named with another graphics extension (i.e.

WMF Exploit

2005-12-28 Thread davidribyrne
Another quick observation, again, I apologize if this information has already been posted; I haven’t been able to read all the posts today. The thumbnail view in Windows Explorer will parse the graphics files in a folder, even if the file is never explicitly opened. This is enough to trigger