01-03-2006 09:14 PM - edited 03-09-2019 01:31 PM
01-08-2006 04:13 PM
We confirmed in our lab this week that CSA 4.5 does block attempts to exploit the WMF vulnerability, recognizing it as an attempt to invoke a function from a buffer. I've attached a screen shot of the CSA query.
Only caution is this: the default response is to terminate the application running the exploit. However the 'out of the box' rules allow the user to permit the activity, which then allows the exploit to run. We're re-tuning our rules to prevent a yes response to this query.
Our testing was done with a live exploit. If you'd like to test this in-house, best bet is to go to a site with a known safe exploit wmf. (Besides the live ones keep getting taken down anyway!). This site is a good start:
http:// sipr.net / test.wmf (Remove spaces in URL)
A really good WMF exploit FAQ is here:
http://isc.sans.org/diary.php?storyid=994
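The post above describes CSA catching the exploit as "an attempt to invoke a function from a buffer": the WMF vulnerability is triggered by a META_ESCAPE record whose escape sub-function is SETABORTPROC, which makes GDI treat the bytes that follow as a callback and call them while rendering the file. The following is an added example, not code from the thread or from Cisco, that scans a WMF file for that record so it can be checked on disk independently of whatever application opens it. It relies on the record layout from the public WMF format (optional 22-byte placeable header, 18-byte METAHEADER, records of DWORD size-in-words plus WORD function), stops on impossible record sizes rather than looping, and the sample files it builds are constructed test data carrying "A" filler bytes, not a working exploit.

```python
"""Flag META_ESCAPE/SETABORTPROC records in WMF files (added example)."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable-header magic
META_EOF = 0x0000
META_SETBKMODE = 0x0102      # harmless record used in the benign sample
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape sub-function that registers a callback


def _header_end(data: bytes) -> int:
    """Offset of the first record: skip the optional placeable header
    (22 bytes) and the METAHEADER (18 bytes, HeaderSize must be 9 words)."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated METAHEADER")
    header_size_words = struct.unpack_from("<H", data, off + 2)[0]
    if header_size_words != 9:
        raise ValueError("bad METAHEADER size %d" % header_size_words)
    return off + 18


def wmf_records(data: bytes):
    """Yield (offset, size_words, function, params) per record.
    params is None for a record whose declared size is impossible
    (< 3 words or past end of file); parsing stops there."""
    off = _header_end(data)
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            yield (off, size_words, func, None)
            return
        yield (off, size_words, func, data[off + 6:end])
        off = end
        if func == META_EOF:
            return


def scan_wmf(data: bytes):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for off, size_words, func, params in wmf_records(data):
        if params is None:
            findings.append("malformed record size %d at offset %d" % (size_words, off))
            continue
        if func != META_ESCAPE or len(params) < 4:
            continue
        escape_fn, byte_count = struct.unpack_from("<HH", params, 0)
        if escape_fn == SETABORTPROC:
            findings.append("SETABORTPROC escape at offset %d, %d bytes of callback data"
                            % (off, byte_count))
    return findings


# ---- constructed sample files (test data, not exploit code) ----

def _record(func: int, params: bytes) -> bytes:
    if len(params) % 2:
        params += b"\x00"                     # records are word-aligned
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records) -> bytes:
    """Wrap records in a METAHEADER (Type=1, Version 3.0) and append META_EOF."""
    records = list(records) + [_record(META_EOF, b"")]
    body = b"".join(records)
    max_rec_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec_words, 0)
    return header + body


def placeable_header(width: int, height: int, inch: int = 1440) -> bytes:
    """22-byte placeable header; checksum is the XOR of the first ten WORDs."""
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, width, height, inch, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", body):
        checksum ^= word
    return body + struct.pack("<H", checksum)


BENIGN_WMF = build_wmf([_record(META_SETBKMODE, struct.pack("<H", 1))])
ABORTPROC_WMF = build_wmf([_record(META_ESCAPE,
                                   struct.pack("<HH", SETABORTPROC, 16) + b"A" * 16)])
ABORTPROC_PLACEABLE_WMF = placeable_header(100, 100) + ABORTPROC_WMF
MALFORMED_WMF = build_wmf([struct.pack("<IH", 1, META_ESCAPE)])   # size field of 1 word

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("abortproc", ABORTPROC_WMF),
                       ("abortproc+placeable", ABORTPROC_PLACEABLE_WMF),
                       ("malformed", MALFORMED_WMF)]:
        print(name, scan_wmf(blob) or "clean")
```

To check a real file, read it in binary and pass the bytes to scan_wmf(); a SETABORTPROC finding or a malformed record size is reason enough to quarantine the file, since legitimate images have no business registering a GDI abort callback.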
01-03-2006 09:43 PM
Executing GDI32.DLL from memory will probably trigger the trojan detection rule. I don't know as I haven't had a "live" site to test with and haven't created a test rule. Even if it doesn't block the vector it will probably block the payload depending on what it is. You could proactively block the payload once it is identified but you would need to be quite vigilant.
01-04-2006 07:30 AM
I have just gotten confirmation that the trojan detection rule has successfully stopped this exploit.
01-04-2006 10:47 AM
Cool, thanks Travis
I'm still looking for that live site (or even a test site like they had with GDI+).
01-04-2006 01:33 PM
Here are some confirmed WMF exploit sites. If you have a non-production system to test CSA out, please be my guest. Let us know if CSA blocks these.
CAUTION, THE FOLLOWING SITES HAVE BEEN CONFIRMED BY VERISIGN TO BE HOSTING MALICIOUS WMF FILES AND SHOULD NOT BE VISITED.
From: SOC [SOC@verisign.com]
Sent: Mon 1/2/2006 12:07 PM
Subject: [VeriSign Security Notification] Microsoft Windows WMF Remote Code Execution Vulnerability Picking up Momentum!
[Abstract]
The following websites have been confirmed as hosting malicious Windows meta files that exploit this vulnerability. Users should not visit these URLs using production systems:
crackz.ws
unionseek.com/d/t1/wmf_exp.htm
beehappyy.biz/parthner3/xpl.wmf
Iframeurl.biz
buytoolbar.biz/xpl.wmf
01-16-2006 06:57 AM
Nice site - tested it with 4.5.1(639). I only want to mention that it blocks test.wmf as long as you use IE to access it directly.
Try downloading and accessing it from local disk with Explorer and you'll get hit, as the System API Control rule inside General Application Permissions (all Security Levels) will only work for Network Applications that access functions from a buffer.
After expanding the application class from Network Applications to All Applications you are safe again.
Regards,
Arne