Re: Detecting new Windows .jpeg exploit

[H Carvey <keydet89 () yahoo com>]

In-Reply-To: <B926F412791ED611BD6400306E1C164702DB7061 () wpg112ex2 gov mb ca>

> What I'd like to know is how we can scan a fairly large network for
> vulnerable machines.  

[snip]

> Is there any way known at this time to detect if a computer is 
> vulnerable?

To be honest, I'm not sure what it is you're looking for...while your subject line states that you want to detect the 
exploit, your post asks about detecting the vulnerability.

Which is it?

If you want to detect the vulnerability, it's relatively trivial.  MBSA comes to mind, as does WMI.  For WMI, use the 
Win32_QuickFixEngineering class to enumerate all of the installed patches, and if the patch in question does not appear 
in the list, then you can assume that it wasn't installed.

Another option would be to obtain file version information from gdiplus.dll on an unpatched machine, and then compare 
that to that from a patched machine.  Then write a Perl script to connect to each system as a domain admin and pull the 
file version information from that file.  Any system on which the file versioning information does not equal what you 
found on the patched system should be considered vulnerable.

I hope that helps...

Harlan


---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------