Penetration Testing mailing list archives
Re: New article on SecurityFocus
From: H D Moore <sflist () digitaloffense net>
Date: Wed, 4 Jan 2006 22:20:47 -0600
On Wednesday 04 January 2006 19:49, Erin Carroll wrote:
Out of curiousity has anyone done any testing against the new signatures to determine if they are code specific or if tricks like tagging %0%0 in the payload bypasses them?
All of the current IDS/AV signatures are based on the following pattern: (All values below are in hex) --- [ any number of bytes ] (01 or 02) + 00 + 09 + 00 [ any number of bytes ] 26 + 09 + 00 --- This is based on the last answer to my yet-unpublished (so much for that), WMF exploit FAQ: --- Q) The Windows Meta File format has a number of optional headers, can any of these be used to trigger the arbitrary code execution flaw via SetAbortProc? A) No. The CLP headers (16 bit and 32 bit) cause the Picture and Fax Viewer (PFV) and Internet Explorer to throw an error when trying to render the image. Internet Explorer will only display an image internally if the "placeable" header has been prepend to the bare WMF header. If the placeable header exists, a device context check will fail during the call to Escape() and the SetAbortProc() function is not reached. This effectively prevents IE or the PFV from executing the SetAbortProc() call when any optional header has been prepended. This may not hold true for Explorer's preview and icon view. Q) What about the Enhanced Meta File format? Does this format allow access to the exploitable function? A) No. The EMF format has a separate API (which may or may not have its own problems), but it does not allow access to the WMF Escape() function. A WMF file can be delivered with the EMF extension however, which will cause it to be processed with the vulnerable API. Q) Are there any other ways to obtain code execution besides via WMF files viewed by PFV or Explorer? A) Yes. Any application that accepts WMF files and calls PlayMetaFile with the supplied data can be exploited. Some of these only recognize WMF files with the placeable header, which may prevent the application from reaching the SetAbortProc function. There are *many* other places where standard (ie. included with the OS) applications call the PlayMetaFile function, its just a matter of figuring out which ones can be used to deliver the malicious WMF content. A potential vector includes the icons stored inside of a standard executable. Viewing these files in an Explorer directory listing could result in the execution of code in an embedded WMF file. This has yet to be tested. Q) What WMF header fields are mandatory for code execution through the PFV ? A) Not many. The Windows Meta File header and possible field values are listed below: # Possible values: 1 or 2 (memory or disk) WORD FileType # The HeaderSizt must always be 9 WORD HeaderSize; # The Version field can be 0x0300 or 0x0100 WORD Version # This parameter can be anywhere from 0x20 to 0xffffffff DWORD FileSize # Completely arbitrary WORD NumOfObjects # Completely arbitrary DWORD MaxRecordSize # Completely arbitrary WORD NumOfParams The MSB of the actual MetaFileRecord function is completely ignored. -HD ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- New article on SecurityFocus Erin Carroll (Jan 04)
- Re: New article on SecurityFocus H D Moore (Jan 04)
- Re: New article on SecurityFocus Alexander Sotirov (Jan 07)
- Re: New article on SecurityFocus Thor (Hammer of God) (Jan 05)
- <Possible follow-ups>
- RE: New article on SecurityFocus Phillips Williams (Jan 05)
- RE: New article on SecurityFocus (.WMF Vuln) Corey Watts-Jones (Jan 06)
- Re: New article on SecurityFocus Thor (Hammer of God) (Jan 07)
- RE: New article on SecurityFocus Navroz Shariff (Jan 06)
- RE: New article on SecurityFocus Brady McClenon (Jan 06)
- RE: New article on SecurityFocus Larry Seltzer (Jan 06)
- RE: New article on SecurityFocus Erin Carroll (Jan 06)
- Re: New article on SecurityFocus Socrates (Jan 07)
- RE: New article on SecurityFocus Larry Seltzer (Jan 06)
(Thread continues...)
- Re: New article on SecurityFocus H D Moore (Jan 04)