WMF Exploit Not Completely Fixed Yet

Discussion in 'other security issues & news' started by sowhat, Jan 10, 2006.

Thread Status:
Not open for further replies.
  1. sowhat, Registered Member

    MS Windows GRE WMF Format
    a)Multiple Memory Overrun Vulnerabilities and
    b)Multiple Unauthorized Memory Vulnerabilities

    Read here:
    hxxp://www.securityfocus.com/archive/1/421257/30/0/threaded
    hxxp://www.securityfocus.com/archive/1/421258/30/0/threaded

    There's already a compiled proof of concept floating around, so I suggest that everyone be careful.
    (Admins of the board, and only them of course, can ask me for a link to it.)

    (P.S.: Note, to avoid misunderstanding: I did not discover this vulnerability,
    nor did I compile the PoC personally; furthermore, right now
    I don't even have the time to test it for myself.)
    Last edited: Jan 10, 2006
  2. noway, Registered Member

    I had a bit of time to test them on the desktop, assuming it's the file named WMF-DoS.rar that is being discussed at Dslreports. On XPSP2 with KB912919 applied, the file WMF-DoS1.wmf would give an error "Windows Explorer has encountered a problem and needs to close", just by right-clicking on the file. When I pressed close on the error message, the shell automatically restarted. The second file didn't cause this to happen, but both files would give the same error/shutdown of explorer.exe if you clicked on them to open them. I tried regsvr32 /u shimgvw.dll and a reboot, then they gave no errors for right-click or on opening. I associated .jpg files with Irfanview and renamed the WMF-DoS1.wmf to WMF-DoS1.jpg. Irfanview recognized it as a .wmf and asked if I wanted to rename it...I hit cancel and then I got the same error above/explorer crash when Irfanview tried to render it.
  3. sowhat, Registered Member

    Yes, the file is called WMF_DoS.rar and contains 2 crafted .wmf images.
    I didn't find it on DSLreports,
    so my guess is that it is already spread/available in various places.
    I don't have a 2nd box/virtual machine right now,
    so I didn't take the risk of testing it yet.
    It's not the DoS that worries me,
    but the possibility of someone writing/including the appropriate shellcode,
    resulting in a more root-friendly variation.
    Just when I thought this story with .wmf fixes/exploits had ended...

    P.S.: I had found a compiled exploit based on the MS05-053 .wmf exploit,
    which I ran against a Win2000 SP4 machine,
    just 2-3 days before MS06-001 was released.
    (Unfortunately I can't recall if that specific machine was patched against that;
    guess I'll have to check that also tomorrow.)
    I had about the same results you described, with the difference that
    explorer.exe crashed/restarted automatically after a few seconds,
    with no error messages whatsoever.
    Last edited: Jan 10, 2006
  4. chater, Guest

    What is WMF, and if I use Firefox does it affect me at all?
  5. Tassie_Devils, Global Moderator

    WMF = Windows Metafile, which is a picture format, usually used in the MS Office/Publisher Clipart gallery.
    There is a flaw in the header of the format which allows code to be written to and then dl'd and installed into your system...

    However, there is a full run down for best information here: http://castlecops.com/a6445-WMF_Exploit_FAQ.html

    HTH, TAS :)

    edit: and YES, you need to have it patched regardless of browsers.
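Two points in the thread (noway's observation that Irfanview recognised a .wmf renamed to .jpg by its content, and Tassie_Devils' remark that the trouble sits in the file header) come down to the same defensive idea: identify WMF content by its header rather than its extension. The following added example is not code from this thread or from any of the tools mentioned; it parses the Aldus placeable header (key 0x9AC6CDD7, XOR checksum over the first ten words) and the standard META_HEADER as documented in the MS-WMF specification, and flags files whose content is WMF while their name claims otherwise. The sample bytes it builds are constructed here (a bare header plus META_EOF) purely so the check can run offline.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic, stored little-endian (D7 CD C6 9A)
PLACEABLE_LEN = 22           # key(4) hwmf(2) bbox(8) inch(2) reserved(4) checksum(2)
META_HEADER_LEN = 18         # META_HEADER is 9 WORDs
META_EOF = b"\x03\x00\x00\x00\x00\x00"   # META_EOF record: size 3 words, function 0x0000

def _parse_meta_header(buf, off):
    """Validate the standard META_HEADER at buf[off:] and return its fields, or None."""
    if len(buf) < off + META_HEADER_LEN:
        return None
    fields = struct.unpack_from("<HHHHHHIH", buf, off)
    mtype, hsize, version, size_lo, size_hi, nobj, maxrec, nmembers = fields
    # Type 1 = memory, 2 = disk; HeaderSize is always 9 words; NumberOfMembers is always 0.
    if mtype not in (1, 2) or hsize != 9 or version not in (0x0100, 0x0300) or nmembers != 0:
        return None
    size_words = size_lo | (size_hi << 16)
    return {"type": mtype, "version": version, "size_bytes": size_words * 2,
            "objects": nobj, "max_record_bytes": maxrec * 2,
            # Declared size should match the bytes actually present after the placeable header.
            "size_consistent": size_words * 2 == len(buf) - off}

def sniff_wmf(buf):
    """Return header facts if buf is a WMF (placeable or plain), else None."""
    if len(buf) >= PLACEABLE_LEN and struct.unpack_from("<I", buf, 0)[0] == PLACEABLE_KEY:
        xor = 0
        for w in struct.unpack_from("<10H", buf, 0):   # checksum = XOR of the first 10 WORDs
            xor ^= w
        if xor != struct.unpack_from("<H", buf, 20)[0]:
            return None
        info = _parse_meta_header(buf, PLACEABLE_LEN)
        if info is not None:
            info["placeable"] = True
        return info
    info = _parse_meta_header(buf, 0)
    if info is not None:
        info["placeable"] = False
    return info

def extension_mismatch(filename, buf):
    """True when the content is WMF but the file name does not say so (e.g. renamed to .jpg)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return sniff_wmf(buf) is not None and ext != "wmf"

def build_sample_wmf(placeable):
    """Constructed, benign minimal WMF (header plus META_EOF) used only for this demonstration."""
    body_words = (META_HEADER_LEN + len(META_EOF)) // 2          # 12 words
    wmf = struct.pack("<HHHHHHIH", 1, 9, 0x0300, body_words, 0, 0, 3, 0) + META_EOF
    if not placeable:
        return wmf
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)   # 20 bytes
    xor = 0
    for w in struct.unpack("<10H", head):
        xor ^= w
    return head + struct.pack("<H", xor) + wmf
```

Run `extension_mismatch("WMF-DoS1.jpg", data)` over a file's leading bytes to reproduce the "renamed image is still a WMF" case the thread describes; a mail gateway or upload handler can apply the same check before any image library touches the data.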