Description:
Yet another 'Windows Metafile' (WMF) denial of service exploit.
Systems affected:
+ Windows XP SP2
+ Windows 2003 SP1
+ Windows XP SP1
+ Windows XP
+ Windows 2003
Tech info:
Page fault in gdi32!CreateBrushIndirect() because of an invalid pointer access.
Incorrect (short) to (void*) conversion.
Here are some technical details.
1. 'Bad' WMF record:
   07 00 00 00                  length of record (in words)
   FC 02                        type (CreateBrushIndirect)
   08 00 00 00 00 00 00 80      'packed' (good old Win16 days) LOGBRUSH data:
     08 00                      'packed' lbStyle (may be BS_DIBPATTERNPT [6] or BS_DIBPATTERN8X8 [8])
     00 00 00 00 -
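The record layout above, as an added example that is not part of the advisory or of any message in this thread: a Python scanner that walks a WMF's record list and reports CreateBrushIndirect (0x02FC) records whose packed lbStyle is one of the two DIB pattern values the advisory names. It assumes the standard METAHEADER layout (the 01 00 09 00 00 03 prefix the Snort rules further down key on) and takes the lbStyle numbers 6 and 8 as given above; the sample file is constructed from the advisory's record bytes plus a minimal header and EOF record.

```python
import struct

META_CREATEBRUSHINDIRECT = 0x02FC
META_EOF = 0x0000
PLACEABLE_MAGIC = 0x9AC6CDD7
# lbStyle values the advisory names as the crash trigger (numbers as given there)
SUSPICIOUS_LBSTYLES = {6: "BS_DIBPATTERNPT", 8: "BS_DIBPATTERN8X8"}

def iter_wmf_records(data):
    """Yield (offset, function, params) for every record in a WMF blob."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22  # skip the 22-byte Aldus placeable header
    if len(data) < off + 18:
        raise ValueError("truncated METAHEADER")
    # METAHEADER starts 01 00 09 00 00 03: mtType, mtHeaderSize (words), mtVersion
    mt_type, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF METAHEADER")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # DWORD size, WORD function
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError(f"bad record length at offset {off}")
        yield off, func, data[off + 6 : off + size]
        if func == META_EOF:
            break
        off += size

def find_suspicious_brushes(data):
    """Return [(offset, style name)] for CreateBrushIndirect records using a DIB pattern style."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func != META_CREATEBRUSHINDIRECT or len(params) < 8:
            continue
        lb_style = struct.unpack_from("<H", params, 0)[0]  # packed Win16 LOGBRUSH: WORD lbStyle first
        if lb_style in SUSPICIOUS_LBSTYLES:
            hits.append((off, SUSPICIOUS_LBSTYLES[lb_style]))
    return hits

def build_sample():
    """Constructed test input: a METAHEADER, the advisory's record bytes, then a META_EOF record."""
    bad_record = bytes.fromhex("07000000" "FC02" "0800000000000080")  # 7 words, 0x02FC, packed LOGBRUSH
    eof_record = bytes.fromhex("030000000000")
    body = bad_record + eof_record
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 1, 7, 0)
    return header + body
```

Running find_suspicious_brushes(build_sample()) reports the advisory's record at offset 18 with style BS_DIBPATTERN8X8; a file whose brush uses lbStyle 0 (BS_SOLID) produces no hits.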
This is probably due to M$ thumbnail generation. You can disable that
and see if it fixes the problem...
[EMAIL PROTECTED] wrote:
I've tested the exploit on XP home and I've found that it does not even need a
single click on my machine. Once the folder containing the file is open (this
was
Hi,
I like what SANS is saying about the current MS announcement to deliver a patch
by Jan 10, 2006, but not earlier:
http://isc.sans.org/diary.php
This is the interesting part:
Although the issue is serious and malicious attacks are being attempted,
Microsoft's intelligence sources indicate
For those interested, Core FORCE is free endpoint security software
currently in Beta stage. With it users can configure access control
permissions to file system objects independently of the operating
system's ACLs and security policy enforcement mechanisms.
The default security profiles of
On Tue, 3 Jan 2006, Sam Munro wrote:
I haven't seen this mentioned yet so I thought I would give you guys a
heads-up: a very good patch has been written by Ilfak
Guilfanov http://www.hexblog.com/2005/12/wmf_vuln.html as
a temporary solution until MS get their act together.
Can be downloaded
other client apps. Email me at this address if you want me to send it
out to anyone.
Thanks!
-----Original Message-----
From: Bill Busby [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 29, 2005 1:35 PM
To: Hayes, Bill; [EMAIL PROTECTED]
Cc: bugtraq@securityfocus.com
Subject: RE: WMF Exploit
Apologies if you've already read this, but this is interesting news:
Apparently shimgvw.dll isn't the problem; according to the Kaspersky
Lab blog, gdi32.dll is.
From http://www.viruslist.com/en/weblog?discuss=176892530return=1
(which talks about an IM worm that uses this):
Going back to the
I've tested the exploit on XP home and I've found that it does not even need a
single click on my machine. Once the folder containing the file is open (this
was in list view) the exploit will run.
Scary sh*t!
On Fri, 2005-12-30 at 15:40 -0500, Paul Laudanski wrote:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT
WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00
09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12;
content:"|26 06 09 00|";
, December 30, 2005 3:41 PM
To: Bill Busby
Cc: Hayes, Bill; [EMAIL PROTECTED]; bugtraq@securityfocus.com
Subject: Re: WMF Exploit
On Thu, 29 Dec 2005, Bill Busby wrote:
It is not only *.wmf extensions; it is all files that
have Windows Metafile headers that will open with the
Windows Picture and Fax
-----Original Message-----
From: Hayes, Bill [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 28, 2005 6:02 PM
To: [EMAIL PROTECTED]
Cc: bugtraq@securityfocus.com
Subject: RE: WMF Exploit
CERT now has posted Vulnerability Note VU#181038, Microsoft
Windows may be vulnerable
@securityfocus.com
Subject: WMF Exploit
Another quick observation, again, I apologize if
this information has
already been posted; I haven't been able to read all
the posts today.
The thumbnail view in Windows Explorer will parse
the graphics files in
a folder, even if the file is never explicitly
have put together two rules for this:
alert ip any any -> any any (msg:"COMPANY-LOCAL WMF Exploit"; content:"|01
00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08
00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:
url,www.frsirt.com/exploits/20051228
To: bugtraq@securityfocus.com
Subject: WMF Exploit
Another quick observation, again, I apologize if this information has
already been posted; I haven't been able to read all the posts today.
The thumbnail view in Windows Explorer will parse the graphics files in
a folder, even if the file is never
use c:\regsvr32.exe /u shimgvw.dll
to disable WMF execution
I apologize if this information has already been posted; I haven't been able to
read all the posts today. Many of the exploit descriptions that I've seen
reference .WMF files. Like prior GDI exploits, this isn't strictly true. If the
exploit file is named with another graphics extension (i.e.
Another quick observation, again, I apologize if this information has already
been posted; I haven't been able to read all the posts today. The thumbnail
view in Windows Explorer will parse the graphics files in a folder, even if the
file is never explicitly opened. This is enough to trigger