[41880] in bugtraq

Re: WMF Exploit

daemon@ATHENA.MIT.EDU (Paul Laudanski)
Fri Dec 30 17:35:08 2005

Date: Fri, 30 Dec 2005 15:40:55 -0500 (EST)
From: Paul Laudanski <zx@castlecops.com>
To: Bill Busby <williambusby2001@yahoo.com>
Cc: "Hayes, Bill" <Bill.Hayes@owh.com>, <davidribyrne@yahoo.com>,
        <bugtraq@securityfocus.com>
In-Reply-To: <20051229213436.33047.qmail@web90009.mail.scd.yahoo.com>
Message-ID: <Pine.LNX.4.44.0512301538130.15122-100000@bugsbunny.castlecops.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 29 Dec 2005, Bill Busby wrote:

> It is not only *.wmf extensions; it is all files that
> have Windows metafile headers that will open with the
> Windows Picture and Fax Viewer.  Any file that has the
> header of a Windows metafile can trigger this exploit.

Sunbelt Kerio and Bleeding Snort have put together two rules for this:

alert ip any any -> any any (msg: "COMPANY-LOCAL WMF Exploit"; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; sid:2005122802; classtype:attempted-user; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:1;)

Simply add it to Sunbelt Kerio's bad-traffic.rlk file, or download it:

http://castlecops.com/p687296-.html#687296

-- 
Paul Laudanski, Microsoft MVP Windows-Security
[cal] http://events.castlecops.com
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com
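
The content chain of the BLEEDING-EDGE rule, applied to file bytes rather than file names, which is the point made in the quoted text above. This is an added example, not part of the original post or the rule authors' code. It assumes Snort's reading of the modifiers (depth counted from the start of the data, distance and within counted from the end of the previous match, with within applied after distance); the function names and sample bytes are constructed.

```python
import sys

# Hex patterns copied from the BLEEDING-EDGE rule in the post.
HEADER = bytes.fromhex("010009000003")
ZEROS = bytes.fromhex("0000")
ESCAPE = bytes.fromhex("26060900")

# (pattern, bytes to skip, window length, relative to previous match?)
CHAIN = [
    (HEADER, 0, 500, False),   # depth:500
    (ZEROS, 10, 12, True),     # distance:10; within:12
    (ESCAPE, 0, 5000, True),   # within:5000
]


def chain_matches(data, step=0, cursor=0):
    """True if every pattern in CHAIN matches in order; retries later
    occurrences of a pattern when the rest of the chain fails."""
    if step == len(CHAIN):
        return True
    pattern, skip, window, relative = CHAIN[step]
    start = (cursor if relative else 0) + skip
    end = min(len(data), start + window)
    idx = data.find(pattern, start, end)  # match must fit inside the window
    while idx >= 0:
        if chain_matches(data, step + 1, idx + len(pattern)):
            return True
        idx = data.find(pattern, idx + 1, end)
    return False


def scan_file(path, limit=1 << 20):
    """Check file content only; the name and extension are never consulted."""
    with open(path, "rb") as fh:
        return chain_matches(fh.read(limit))


# Constructed, inert byte strings: filler around the rule's patterns.
SAMPLE_HIT = HEADER + b"\x11" * 10 + ZEROS + b"\x22" * 40 + ESCAPE
SAMPLE_LATE_HEADER = b"\x33" * 600 + SAMPLE_HIT      # header past depth:500
SAMPLE_NO_ZEROS = HEADER + b"\x11" * 30 + ESCAPE     # second content absent

if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, "MATCH" if scan_file(name) else "no match")
```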
