WMF Exploit Not Completely Fixed Yet

MS Windows GRE WMF Format
a)Multiple Memory Overrun Vulnerabilities and
b)Multiple Unauthorized Memory Vulnerabilities

Read here:
hxxp://www.securityfocus.com/archive/1/421257/30/0/threaded
hxxp://www.securityfocus.com/archive/1/421258/30/0/threaded

There 's already a compiled proof of concept floating around,so I suggest to all people to be careful.
(Admins of the board -and only them of cource- can ask me for a link to it).

(P.S:Note for avoiding misunderstanding:I did not discovered this vulnerability,
neither i compiled the PoC personally,furthermore,right now,
I don't even have the time to test it for myself).

 

I had a bit of time to test them on the desktop, assuming it's the file named WMF-DoS.rar that is being discussed at Dslreports. On XPSP2 with KB912919 applied, the file WMF-DoS1.wmf would give an error "Windows Explorer has encountered a problem and needs to close", just by right-clicking on the file. When I pressed close on the error message, the shell automatically restarted. The second file didn't cause this to happen, but both files would give the same error/shutdown of explorer.exe if you clicked on them to open them. I tried regsvr32 /u shimgvw.dll and a reboot, then they gave no errors for right-click or on opening. I associated .jpg files with Irfanview and renamed the WMF-DoS1.wmf to WMF-DoS1.jpg. Irfanview recognized it as a .wmf and asked if I wanted to rename it...I hit cancel and then I got the same error above/explorer crash when Irfanview tried to render it.

 

Yes,the file is called WMF_DoS.rar and contains 2 crafted .wmf images.
I didn't find it on DSLreports,
so my guess is that it is already spreaded/available in various places.
I don't have a 2nd box/virtual machine right now,
so i didn't took a risk of testing it yet.
It's not the DoS that worries me,
but the possibility of someone writing/including the appropriate shellcode,
resulting in a more root-friendly variation.
Just when i thought this story with .wmf fixes/exploits had ended...

P.S:I had found a compiled exploit based on the MS05-053 .wmf exploit,
which I ran against a Win2000 SP4 machine,
just 2-3 days before MS06-001 was released.
(Unfortunately i can't recall if that specific machine was patched against that,
guess i'll have to check that also tomorrow).
I had about the same results you described,with the difference that,
explorer.exe crashed/restarted automatically after a few seconds,
with no error messages what so ever.

 

what is wmf, and if i use firefox does it affect me at all?

 

wmf = Windows Metafiles which is a picture format, usually used in MS Office/Publisher Clipart gallary.
there is a flaw in the header of the format which allows code to be written to and then dl'd and installed into your system...

However, there is a full run down for best information here: http://castlecops.com/a6445-WMF_Exploit_FAQ.html

HTH, TAS

edit: and YES, you need to have it patched regardless of browsers.