Cisco Support Community
Community Member

Will CSA defend against WMF exploits?

Anyone?

Accepted Solutions
Community Member

Re: Will CSA defend against WMF exploits?

We confirmed in our lab this week that CSA 4.5 does block attempts to exploit the WMF vulnerability, recognizing it as an attempt to invoke a function from a buffer. I've attached a screen shot of the CSA query.

Only caution is this: the default response is to terminate the application running the exploit. However the 'out of the box' rules allow the user to permit the activity, which then allows the exploit to run. We're re-tuning our rules to prevent a yes response to this query.

Our testing was done with a live exploit. If you'd like to test this in-house, best bet is to go to a site with a known safe exploit wmf. (Besides the live ones keep getting taken down anyway!). This site is a good start:

http:// sipr.net / test.wmf (Remove spaces in URL)

A really good WMF exploit FAQ is here:

http://isc.sans.org/diary.php?storyid=994

6 REPLIES
Blue

Re: Will CSA defend against WMF exploits?

Executing GDI32.DLL from memory will probably trigger the trojan detection rule. I don't know as I haven't had a "live" site to test with and haven't created a test rule. Even if it doesn't block the vector it will probably block the payload depending on what it is. You could proactively block the payload once it is identified but you would need to be quite vigilant.

Re: Will CSA defend against WMF exploits?

I have just gotten confirmation that the trojan detection rule has successfully stopped this exploit.

Blue

Re: Will CSA defend against WMF exploits?

Cool, thanks Travis

I'm still looking for that live site (or even a test site like they had with GDI+).

Community Member

Re: Will CSA defend against WMF exploits?

Here are some confirmed WMF exploit sites. If you have a non-production system to test CSA out, please be my guest. Let us know if CSA blocks these.

CAUTION, THE FOLLOWING SITES HAVE BEEN CONFIRMED BY VERISIGN TO BE HOSTING MALICIOUS WMF FILES AND SHOULD NOT BE VISITED.

From: SOC [SOC@verisign.com]

Sent: Mon 1/2/2006 12:07 PM

Subject: [VeriSign Security Notification] Microsoft Windows WMF Remote Code Execution Vulnerability Picking up Momentum!

[Abstract]

The following websites have been confirmed as hosting malicious Windows meta files that exploit this vulnerability. Users should not visit these URLs using production systems:

• crackz.ws

• unionseek.com/d/t1/wmf_exp.htm

• beehappyy.biz/parthner3/xpl.wmf

• www.tfcco.com/xpl.wmf

• Iframeurl.biz

• buytoolbar.biz/xpl.wmf

Community Member

Re: Will CSA defend against WMF exploits?

Nice site - tested it with 4.5.1(639). Only want to mention that it blocks test.wmf as long as you use IE to directly access it.

Try downloading and accessing it from local disk with Explorer and you'll get hit, as the System API Control rule inside General Application Permissions (all Security Levels) will only work for Network Applications that access functions from a buffer.

After expanding application class from network applications to all applications you are safe again.

Regards,

Arne
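As an added example, not code from this thread or from Cisco's CSA: a small Python scanner that walks the records of a WMF file and flags the Escape/SetAbortProc record that the WMF exploit relies on. It is a file-content check independent of CSA's behavioural rule, so it covers files opened from local disk, the case Arne describes above; the record-layout constants are from the WMF format, and the two sample files are constructed for the example.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626        # WMF record function: Escape
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
SETABORTPROC = 0x0009       # Escape sub-function the WMF exploit abuses
MFCOMMENT = 0x000F          # harmless Escape sub-function, for the benign sample

def iter_wmf_records(data):
    """Yield (offset, function, params) per record; handles plain or placeable header.
    Record = DWORD size in 16-bit words (incl. these 6 bytes), WORD function, params.
    Stops at META_EOF, truncation or a size below the 3-word minimum (no endless loop)."""
    pos = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    pos += 18  # standard 18-byte METAHEADER
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        end = pos + size_words * 2
        if size_words < 3 or end > len(data):
            break
        yield pos, func, data[pos + 6:end]
        if func == META_EOF:
            break
        pos = end

def find_setabortproc(data):
    """Return offsets of Escape records whose sub-function is SETABORTPROC."""
    return [off for off, func, params in iter_wmf_records(data)
            if func == META_ESCAPE and len(params) >= 2
            and struct.unpack_from("<H", params, 0)[0] == SETABORTPROC]

def build_wmf(records):
    """Assemble a minimal standard-header WMF from (function, params) pairs.
    Constructed test data only; params must be of even length."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    return header + body

# Constructed samples: a zero-filled SETABORTPROC escape (no payload, just the record
# a scanner must recognise) and a harmless MFCOMMENT escape.
SUSPICIOUS = build_wmf([
    (META_SETMAPMODE, struct.pack("<H", 8)),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
    (META_EOF, b""),
])
BENIGN = build_wmf([
    (META_SETMAPMODE, struct.pack("<H", 8)),
    (META_ESCAPE, struct.pack("<HH", MFCOMMENT, 2) + b"\x00\x00"),
    (META_EOF, b""),
])
```

Running `find_setabortproc` over a directory of downloaded .wmf files gives a file-level check that does not depend on which application class opened the file.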
