Will CSA defend against WMF exploits?

Answered Question
Jan 3rd, 2006
Anyone?


tsteger1 Tue, 01/03/2006 - 21:43

Executing GDI32.DLL from memory will probably trigger the trojan detection rule. I don't know as I haven't had a "live" site to test with and haven't created a test rule. Even if it doesn't block the vector it will probably block the payload depending on what it is. You could proactively block the payload once it is identified but you would need to be quite vigilant.



travis-dennis_2 Wed, 01/04/2006 - 07:30

I have just gotten confirmation that the trojan detection rule has successfully stopped this exploit.

tsteger1 Wed, 01/04/2006 - 10:47

Cool, thanks Travis


I'm still looking for that live site (or even a test site like they had with GDI+).



theotang Wed, 01/04/2006 - 13:33

Here are some confirmed WMF exploit sites. If you have a non-production system to test CSA out, please be my guest. Let us know if CSA blocks these.



CAUTION, THE FOLLOWING SITES HAVE BEEN CONFIRMED BY VERISIGN TO BE HOSTING MALICIOUS WMF FILES AND SHOULD NOT BE VISITED.



From: SOC [SOC@verisign.com]

Sent: Mon 1/2/2006 12:07 PM

Subject: [VeriSign Security Notification] Microsoft Windows WMF Remote Code Execution Vulnerability Picking up Momentum!


[Abstract]


The following websites have been confirmed as hosting malicious Windows meta files that exploit this vulnerability. Users should not visit these URLs using production systems:

• crackz.ws

• unionseek.com/d/t1/wmf_exp.htm

• beehappyy.biz/parthner3/xpl.wmf

• www.tfcco.com/xpl.wmf

• Iframeurl.biz

• buytoolbar.biz/xpl.wmf


Correct Answer
jeff.roback Sun, 01/08/2006 - 16:13

We confirmed in our lab this week that CSA 4.5 does block attempts to exploit the WMF vulnerability, recognizing it as an attempt to invoke a function from a buffer. I've attached a screen shot of the CSA query.


Only caution is this: the default response is to terminate the application running the exploit. However the 'out of the box' rules allow the user to permit the activity, which then allows the exploit to run. We're re-tuning our rules to prevent a yes response to this query.


Our testing was done with a live exploit. If you'd like to test this in-house, best bet is to go to a site with a known safe exploit wmf. (Besides the live ones keep getting taken down anyway!). This site is a good start:

http:// sipr.net / test.wmf (Remove spaces in URL)


A really good WMF exploit FAQ is here:

http://isc.sans.org/diary.php?storyid=994





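The block CSA produces here happens at the host level, at the moment code is invoked from a data buffer. A complementary file-level check, useful for mail and proxy scanning, is to look inside the WMF record stream for the META_ESCAPE record carrying the SETABORTPROC escape, which is the escape the WMF exploits of this period relied on. The Python below is an added example, not CSA's rule logic and not code from anyone in this thread; the record and escape constants come from the WMF specification, and the two sample files are constructed inline (the "suspicious" one carries four placeholder zero bytes where an actual exploit file would carry a payload).

```python
import struct

# WMF record function codes and escape numbers (from the WMF specification)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 9          # the escape the 2006 WMF exploits relied on
PLACEABLE_KEY = 0x9AC6CDD7    # magic of the optional 22-byte placeable header


def parse_wmf_records(data: bytes):
    """Walk a WMF file and return a list of (function, params) tuples.

    Raises ValueError on a truncated or malformed file instead of guessing,
    so a scanner never silently skips an unreadable record.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                     # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mt_type, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += 18
    records, saw_eof = [], False
    while off + 6 <= len(data):
        # each record: size in 16-bit words (header included), function, params
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError("record smaller than its own header")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError("record runs past end of file")
        records.append((func, bytes(data[off + 6:end])))
        off = end
        if func == META_EOF:
            saw_eof = True
            break
    if not saw_eof:
        raise ValueError("missing META_EOF record")
    return records


def find_suspicious_escapes(data: bytes):
    """Return indexes of META_ESCAPE records whose escape number is SETABORTPROC.

    Other escape numbers are common in legitimate files, so only this one is
    flagged to keep false positives down.
    """
    hits = []
    for idx, (func, params) in enumerate(parse_wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 2:
            escape = struct.unpack_from("<H", params, 0)[0]
            if escape == ESC_SETABORTPROC:
                hits.append(idx)
    return hits


# --- constructed sample files (not real exploit files) ---

def _rec(func: int, params: bytes = b"") -> bytes:
    """Encode one record: size in 16-bit words, function code, parameters."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records) -> bytes:
    """Prepend a standard 18-byte WMF header to an encoded record stream."""
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


# A harmless file: one drawing-state record, then the end-of-file record.
BENIGN_WMF = build_wmf([_rec(META_SETMAPMODE, struct.pack("<H", 8)), _rec(META_EOF)])

# The same file with a SETABORTPROC escape inserted; its data is four
# placeholder zero bytes, where an actual exploit file would carry a payload.
SUSPICIOUS_WMF = build_wmf([
    _rec(META_SETMAPMODE, struct.pack("<H", 8)),
    _rec(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\x00" * 4),
    _rec(META_EOF),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF)):
        print(name, find_suspicious_escapes(blob))
```

Point it at files taken off a proxy or mail gateway with `find_suspicious_escapes(open(path, "rb").read())`; a non-empty result, or a ValueError from a file that does not parse as a well-formed metafile at all, is the signal to quarantine. This complements rather than replaces the CSA behaviour described above, since the host-level block also catches files that arrive by routes a gateway never sees.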
aduerr Mon, 01/16/2006 - 06:57

Nice site - tested it with 4.5.1(639). Only want to mention that it blocks test.wmf as long as you use IE to directly access it.

Try downloading and accessing it from local disk with Explorer and you'll get hit, as the System API Control rule inside General Application Permissions (all Security Levels) will only work for Network Applications that access functions from a buffer.

After expanding the application class from network applications to all applications, you are safe again.


Regards,

Arne
