RE: WMF Exploit

To: "Hayes, Bill" <Bill.Hayes@xxxxxxx>, davidribyrne@xxxxxxxxx
Subject: RE: WMF Exploit
From: Bill Busby <williambusby2001@xxxxxxxxx>
Date: Thu, 29 Dec 2005 13:34:36 -0800 (PST)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=MIDgTrdj//l3+23/G2U2snFREIAGe+w2xLhwRTT9VSV3Ul1HcEjGkA0rucV+hGMPPN2GHV+5sUO7ar/WXpdzJuEh3wwAB8/rwcOQTi4B0NGJIo2Mjnl91MGn00yK+MXHOMOsSjZJxjmKq/ZiMHdp7Cwp9fsQb4EVDs6r6pmlSog= ;
In-reply-to: <333B07CC372AC246888DBEC1D4E4168B0814E0DE@xxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

It is not only *.wmf extensions it is all files that
have windows metafile headers that will open with the
Windows Picture and Fax Viewer.  Any file that has the
header of a windows metafile can trigger this exploit.

--- "Hayes, Bill" <Bill.Hayes@xxxxxxx> wrote:

> CERT now has posted Vulnerability Note VU#181038,
> "Microsoft Windows may
> be vulnerable to buffer overflow via specially
> crafted WMF file"
> (http://www.kb.cert.org/vuls/id/181038). The note
> provides additional
> details about the exploit and its effects. Very few
> workarounds have
> been proposed other than blocking at the perimeter
> and possibly
> remapping the .wmf extension to some application
> other than the
> vulnerable Windows Picture and Fax Viewer
> (SHIMGVU.DLL).
> 
> Bill...
> 
> -----Original Message-----
> From: davidribyrne@xxxxxxxxx
> [mailto:davidribyrne@xxxxxxxxx]
> Sent: Wednesday, December 28, 2005 4:18 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: WMF Exploit
> 
> 
> Another quick observation, again, I apologize if
> this information has
> already been posted; I haven't been able to read all
> the posts today.
> The thumbnail view in Windows Explorer will parse
> the graphics files in
> a folder, even if the file is never explicitly
> opened. This is enough to
> trigger the exploit. Even more frightening is that
> you don't have to use
> the thumbnail view for a thumbnail to be generated.
> Under some
> circumstances, just single-clicking on the file will
> cause it to be
> parsed.
> 
> David Byrne
> 



        
                
__________________________________ 
Yahoo! for Good - Make a difference this year. 
http://brand.yahoo.com/cybergivingweek2005/

Follow-Ups:
- Re: WMF Exploit
  - From: Paul Laudanski

References:
- RE: WMF Exploit
  - From: Hayes, Bill

Prev by Date: WMF browser-ish exploit vectors
Next by Date: [KAPDA::#18] - WebWiz Products SQL Injection
Previous by thread: RE: WMF Exploit
Next by thread: Re: WMF Exploit
Index(es):
- Date
- Thread