RE: WMF Exploit

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: WMF Exploit
From: "Discussion Lists" <discussions@xxxxxxxxxxxxxx>
Date: Fri, 30 Dec 2005 15:45:49 -0800
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcYNej67ymirnV20TDasYe5v6GMpUgAIFdwA
Thread-topic: WMF Exploit

All,
I think I was able to get the SAFER mechanism to block this for IE, and
any program covered under it.  I know that there are other workarounds,
but I have found the SAFER approach has stopped every one of these sorts
of attacks.  I have a vbscript that activates SAFER for IE, and various
other client apps.  Email me at this address if you want me to send it
out to anyone.

Thanks!

> -----Original Message-----
> From: Bill Busby [mailto:williambusby2001@xxxxxxxxx] 
> Sent: Thursday, December 29, 2005 1:35 PM
> To: Hayes, Bill; davidribyrne@xxxxxxxxx
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: WMF Exploit
> 
> 
> It is not only *.wmf extensions it is all files that
> have windows metafile headers that will open with the
> Windows Picture and Fax Viewer.  Any file that has the
> header of a windows metafile can trigger this exploit.
> 
> --- "Hayes, Bill" <Bill.Hayes@xxxxxxx> wrote:
> 
> > CERT now has posted Vulnerability Note VU#181038,
> > "Microsoft Windows may
> > be vulnerable to buffer overflow via specially
> > crafted WMF file"
> > (http://www.kb.cert.org/vuls/id/181038). The note
> > provides additional
> > details about the exploit and its effects. Very few workarounds have
> > been proposed other than blocking at the perimeter
> > and possibly
> > remapping the .wmf extension to some application
> > other than the
> > vulnerable Windows Picture and Fax Viewer
> > (SHIMGVU.DLL).
> > 
> > Bill...
> > 
> > -----Original Message-----
> > From: davidribyrne@xxxxxxxxx
> > [mailto:davidribyrne@xxxxxxxxx]
> > Sent: Wednesday, December 28, 2005 4:18 PM
> > To: bugtraq@xxxxxxxxxxxxxxxxx
> > Subject: WMF Exploit
> > 
> > 
> > Another quick observation, again, I apologize if
> > this information has
> > already been posted; I haven't been able to read all
> > the posts today.
> > The thumbnail view in Windows Explorer will parse
> > the graphics files in
> > a folder, even if the file is never explicitly
> > opened. This is enough to
> > trigger the exploit. Even more frightening is that
> > you don't have to use
> > the thumbnail view for a thumbnail to be generated.
> > Under some
> > circumstances, just single-clicking on the file will
> > cause it to be
> > parsed.
> > 
> > David Byrne
> > 
> 
> 
> 
>       
>               
> __________________________________ 
> Yahoo! for Good - Make a difference this year. 
> http://brand.yahoo.com/cybergivingweek2005/
>

Prev by Date: MDKSA-2005:239 - Updated printer-filters-utils packages fix local vulnerability
Next by Date: Re: WMF browser-ish exploit vectors
Previous by thread: Re: WMF Exploit
Next by thread: PhpDocumentor <= 1.3.0 rc4 Arbitrary remote/local inclusion
Index(es):
- Date
- Thread