Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: * New exploit released for the WMF vulnerability - YELLOW - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
* New exploit released for the WMF vulnerability - YELLOW
On New Year's eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at metasploit and xforce, together with a anonymous source.
 
The exploit generates files:
  • with a random size;
  • no .wmf extension, (.jpg), but could be any other image extension actually;
  • a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
  • a number of possible calls to run the exploit are listed in the source;
  • a random trailer
From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the current IDS signatures work for it.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structures of the WMF files.

Wishing all windows machines a happy New Year, with a bit fewer nasty exploits.

Considering this upsets all defenses people have in place we voted to go to yellow in order to warn the good guys out there they need to review their defenses.

--
Swa Frantzen
Swa

760 Posts

Sign Up for Free or Log In to start participating in the conversation!