http://isc.sans.org/diary.php?storyid=972
Windows WMF 0-day exploit in the wild (NEW)
Published: 2005-12-28,
Last Updated: 2005-12-28 03:56:13 UTC by Daniel Wesemann (Version: 1)
Just when we thought that this would be another slow day, a link to a
working, unpatched exploit in what looks like the Windows Graphics
Rendering Engine has been posted to Bugtraq.
The posted URL is [ uni on seek. com/ d/t 1/ wmf_exp. htm ]
(DON'T GO HERE UNLESS YOU KNOW WHAT YOU'RE DOING. Added spaces to avoid
accidental clicking. See Firefox note below!!)
The HTML file loads a WMF (Windows Metafile) which executes a trojan
dropper on a fully patched Windows XP SP2 machine. The dropper then
downloads Winhound, a fake anti-spyware/anti-virus program which asks the
user to purchase a registered version of the software in order to remove
the reported threats.
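Because the exploit above is served from an .htm page rather than a file with a .wmf extension, a gateway or scanner that trusts extensions will not see the metafile at all. The following Python is an added example, not code from the ISC diary or its authors: it identifies WMF content by its header bytes instead. The two header layouts and magic values (the 22-byte placeable header with key 0x9AC6CDD7, and the 18-byte standard METAHEADER) are taken from Microsoft's WMF format; the sample byte strings are constructed here for the demonstration.

```python
"""Identify WMF content by header rather than by file extension.

Added example for the ISC diary above (not the diary's own code). The WMF
format defines two header layouts:
  * an optional 22-byte "placeable" header starting with key 0x9AC6CDD7
    (stored little-endian, i.e. the bytes D7 CD C6 9A), and
  * the 18-byte standard METAHEADER: type, header size (always 9 words),
    version (0x0100 or 0x0300), file size in words, object count,
    largest record size in words, and a reserved parameter count.
"""
import struct
from typing import Optional

PLACEABLE_MAGIC = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18
META_HEADER_FMT = "<HHHIHIH"          # little-endian, 18 bytes, no padding


def parse_wmf_header(data: bytes) -> Optional[dict]:
    """Return the METAHEADER fields if `data` starts with a WMF, else None."""
    offset = 0
    placeable = False
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        placeable = True
        offset = PLACEABLE_HEADER_LEN     # standard header follows the placeable one
    if len(data) < offset + META_HEADER_LEN:
        return None
    (mt_type, header_size, version, size_words,
     n_objects, max_record, _reserved) = struct.unpack_from(META_HEADER_FMT, data, offset)
    # Sanity checks from the METAHEADER definition: type 1 (memory) or 2 (disk),
    # header size of exactly 9 words, version 0x0100 or 0x0300.
    if mt_type not in (1, 2) or header_size != 9 or version not in (0x0100, 0x0300):
        return None
    return {
        "placeable": placeable,
        "type": mt_type,
        "version": version,
        "size_bytes": size_words * 2,
        "objects": n_objects,
        "max_record_bytes": max_record * 2,
    }


def is_wmf(data: bytes) -> bool:
    """Content-based check that ignores whatever extension the file carries."""
    return parse_wmf_header(data) is not None


def classify(samples: dict) -> dict:
    """Map each sample name to True/False depending on whether it is WMF content."""
    return {name: is_wmf(blob) for name, blob in samples.items()}


# Constructed sample inputs (not real files from the incident).
STANDARD_WMF = struct.pack(META_HEADER_FMT, 2, 9, 0x0300, 200, 1, 40, 0) + b"\x00" * 8
PLACEABLE_WMF = (
    struct.pack("<I", PLACEABLE_MAGIC)       # key
    + struct.pack("<H", 0)                   # handle (unused)
    + struct.pack("<hhhh", 0, 0, 100, 100)   # bounding box
    + struct.pack("<H", 96)                  # units per inch
    + struct.pack("<I", 0)                   # reserved
    + struct.pack("<H", 0)                   # checksum (not verified here)
    + STANDARD_WMF
)
SAMPLES = {
    "image.wmf": STANDARD_WMF,
    "page.htm (WMF bytes under an .htm name)": PLACEABLE_WMF,
    "index.htm (real HTML)": b"<html><body>hello</body></html>",
    "truncated.wmf": STANDARD_WMF[:10],
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:45} WMF={verdict}")
```

The check deliberately keys on structure (magic, fixed header size, known version values) rather than the extension or the MIME type a server claims, which is the property that matters when the delivery vehicle is an HTML page.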
In the test Johannes ran, it was interesting that DEP (Data Execution
Prevention) on his system stopped this from working. However, as this was
tested on an AMD64 machine, we still have to confirm whether software DEP
also stops this; let us know if you have tested this.
Internet Explorer will automatically launch the "Windows Picture and Fax
Viewer". Note that Firefox users are not totally immune either. In my
install of Firefox, a dialog box asks me whether I would like to load the
image in "Windows Picture and Fax Viewer". If I allow this to happen
("pictures are safe after all" NOT!), the exploit will execute.
> -----Original Message-----
> From: noemailpls@xxxxxxxxxxxxx [mailto:noemailpls@xxxxxxxxxxxxx]
> Sent: Tuesday, December 27, 2005 11:20 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Is this a new exploit?
>
> Warning: the following URL successfully exploited a fully
> patched Windows XP system with a freshly updated Norton Anti-Virus.
>
> unionseek.com/d/t1/wmf_exp.htm
>
> The URL runs a .wmf and executes the virus; F-Secure will
> pick up the virus, Norton will not.
>