WMF Exploit Not Completely Fixed Yet

Discussion in 'other security issues & news' started by sowhat, Jan 10, 2006.

Thread Status:
Not open for further replies.
  1. sowhat

    sowhat Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    31
    MS Windows GRE WMF Format
    a)Multiple Memory Overrun Vulnerabilities and
    b)Multiple Unauthorized Memory Vulnerabilities

    Read here:
    hxxp://www.securityfocus.com/archive/1/421257/30/0/threaded
    hxxp://www.securityfocus.com/archive/1/421258/30/0/threaded

    There 's already a compiled proof of concept floating around,so I suggest to all people to be careful.
    (Admins of the board -and only them of cource- can ask me for a link to it).

    (P.S:Note for avoiding misunderstanding:I did not discovered this vulnerability,
    neither i compiled the PoC personally,furthermore,right now,
    I don't even have the time to test it for myself).
     
    Last edited: Jan 10, 2006
  2. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    462
    I had a bit of time to test them on the desktop, assuming it's the file named WMF-DoS.rar that is being discussed at Dslreports. On XPSP2 with KB912919 applied, the file WMF-DoS1.wmf would give an error "Windows Explorer has encountered a problem and needs to close", just by right-clicking on the file. When I pressed close on the error message, the shell automatically restarted. The second file didn't cause this to happen, but both files would give the same error/shutdown of explorer.exe if you clicked on them to open them. I tried regsvr32 /u shimgvw.dll and a reboot, then they gave no errors for right-click or on opening. I associated .jpg files with Irfanview and renamed the WMF-DoS1.wmf to WMF-DoS1.jpg. Irfanview recognized it as a .wmf and asked if I wanted to rename it...I hit cancel and then I got the same error above/explorer crash when Irfanview tried to render it.
     
  3. sowhat

    sowhat Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    31
    Yes,the file is called WMF_DoS.rar and contains 2 crafted .wmf images.
    I didn't find it on DSLreports,
    so my guess is that it is already spreaded/available in various places.
    I don't have a 2nd box/virtual machine right now,
    so i didn't took a risk of testing it yet.
    It's not the DoS that worries me,
    but the possibility of someone writing/including the appropriate shellcode,
    resulting in a more root-friendly variation.
    Just when i thought this story with .wmf fixes/exploits had ended...

    P.S:I had found a compiled exploit based on the MS05-053 .wmf exploit,
    which I ran against a Win2000 SP4 machine,
    just 2-3 days before MS06-001 was released.
    (Unfortunately i can't recall if that specific machine was patched against that,
    guess i'll have to check that also tomorrow).
    I had about the same results you described,with the difference that,
    explorer.exe crashed/restarted automatically after a few seconds,
    with no error messages what so ever.
     
    Last edited: Jan 10, 2006
  4. chater

    chater Guest

    what is wmf, and if i use firefox does it affect me at all?
     
  5. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    wmf = Windows Metafiles which is a picture format, usually used in MS Office/Publisher Clipart gallary.
    there is a flaw in the header of the format which allows code to be written to and then dl'd and installed into your system...

    However, there is a full run down for best information here: http://castlecops.com/a6445-WMF_Exploit_FAQ.html

    HTH, TAS :)

    edit: and YES, you need to have it patched regardless of browsers.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.