Some tests for wmf exploits by ZOverLord at DSLR

Discussion in 'other security issues & news' started by Tassie_Devils, Jan 6, 2006.

Thread Status:
Not open for further replies.
  1. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi guys... during my cruising, I found a very good post and test at DSLReports courtesy of ZOverLord.

    Here: http://www.dslreports.com/forum/remark,15115819~days=9999~start=780#15175208

    You can do online and offline testing with the version 1.16 tests.

    A newer version, 1.17, is here (but not all online links are listed): http://www.dslreports.com/forum/remark,15115819~days=9999~start=840#15182764

    He used various picture format extensions, all with the 'exploit' in it [test, harmless].

    There is a zip file to download containing the 'images', so when you try to open them, you should not be able to see them.

    I had a bit of trouble downloading the zip, as KAV kept trying to kick in; it took a bit to bypass it [did not want to disable it altogether, so I set it to report only and had to retry the download 2 times in FF :shifty: ]

    After I downloaded, I disabled traffic via Firewall, then disabled KAV, so I could unzip and try the tests without KAV kicking in each/every time.

    The normal files like gif/wmf/jpeg/bmp/emf tried to open in Picture/Fax Viewer, but came up with 'No preview available' ~ GOOD

    Then when I tried the .tif and .png files, which I have associated with Photoshop, PS opened, but I then got the message [see pic] ~ GOOD.

    Turned KAV back on and it did its thing :cautious:

    Cheers, TAS
     

    Attached Files: 094.GIF (5.5 KB)
  2. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    BTW, this is the list of files contained in the zip, from Quarantine in KAV.

    TAS
     

  3. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    If you've applied the MS patch (or left Ilfak's in place), then the graphics rendering engine can't be exploited by the WMF code because the function no longer exists. I'm not sure why you'd be testing for something that is gone?
     
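The test files discussed above carry ordinary picture extensions but are WMF inside, which is why only the viewer a file was associated with ever saw it. The check below, added here as an example and not code from the DSLR post or any tool in this thread, sniffs the WMF header regardless of extension and walks the metafile records looking for the META_ESCAPE/SETABORTPROC record that the MS06-001 and Ilfak patches stopped honouring; the constants come from the public WMF format and the sample files are constructed, not ZOverLord's.

```python
import struct

# WMF format constants (from the public spec, not from the thread)
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the 22-byte "placeable" header
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009    # the escape the Jan-2006 patches disabled

def wmf_header_offset(data):
    """Offset of the standard WMF header, or None if the bytes are not WMF.
    Content sniffing ignores the extension: a .gif name proves nothing."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return 22
    if len(data) >= 18:
        ftype, hsize, version = struct.unpack_from("<HHH", data, 0)
        if ftype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return 0
    return None

def setabortproc_offsets(data):
    """Offsets of META_ESCAPE records whose escape is SETABORTPROC.
    Returns None when the data is not WMF at all."""
    base = wmf_header_offset(data)
    if base is None:
        return None
    hits, pos = [], base + 18          # records follow the 18-byte header
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if func == META_EOF:
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == ESC_SETABORTPROC:
                hits.append(pos)
        if size_words < 3:             # malformed size: stop, do not spin
            break
        pos += size_words * 2          # record sizes are in 16-bit words
    return hits

# Constructed samples (not the DSLR test files)
_PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
_HEADER = struct.pack("<HHHHHHIH", 1, 9, 0x0300, 19, 0, 0, 7, 0)
_ESCAPE = struct.pack("<IHHH", 7, META_ESCAPE, ESC_SETABORTPROC, 4) + b"\0" * 4
_SETMAPMODE = struct.pack("<IHH", 4, 0x0103, 8)   # a harmless record
_EOF = struct.pack("<IH", 3, META_EOF)
SAMPLE_TEST_GIF = _PLACEABLE + _HEADER + _ESCAPE + _EOF  # WMF behind a .gif name
SAMPLE_CLEAN_WMF = _HEADER + _SETMAPMODE + _EOF
SAMPLE_REAL_GIF = b"GIF89a" + b"\0" * 20

if __name__ == "__main__":
    for name, blob in [("test.gif", SAMPLE_TEST_GIF), ("clean.wmf", SAMPLE_CLEAN_WMF)]:
        print(name, setabortproc_offsets(blob))
```

A non-empty list is the signal KAV was reacting to; an empty list on a real WMF is fine, and None means the file was never WMF in the first place.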
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    As I was climbing up the stair,
    I met a man who wasn't there.
    He wasn't there again today.
    I really wish he'd go away.
    :D :) :D
     