This is sorta scary…

Posted by on January 9, 2006

This is sorta scary.

The following Q&A is authored by none other than Mr. Metasploit his own self.

Q) Are there any other ways to obtain code execution besides via WMF files viewed by PFV or Explorer?

A) Yes. Any application that accepts WMF files and calls PlayMetaFile with the supplied data can be exploited. Some of these only recognize WMF files with the placeable header, which may prevent the application from reaching the SetAbortProc function. There are *many* other places where standard (i.e. included with the OS) applications call the PlayMetaFile function; it's just a matter of figuring out which ones can be used to deliver the malicious WMF content. A potential vector includes the display of icons stored inside of a standard executable. Viewing these files in an Explorer directory listing could result in the execution of code in an embedded WMF file. This has yet to be tested.

Office apps LIVE off WMF files. Think in “micro$oft” terms: I would bet that every application has its own “PlayMetaFile” function. They are so married to the old school of coding, that is to say complete applications ready to stand on their own, that I would almost bet my paycheck that at least SOME of the apps in Office have their own WMF players. You know, tools that aren’t that popular among malware writers…like PowerPoint, Publisher, FrontPage, and other apps where graphics are used extensively.

Perhaps another week of hell? Give’m time…give’m time…
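To make the FAQ answer concrete, here is an added example written for this page (it is not code from the post, nor from the FAQ's author). It parses a WMF record stream, with or without the 22-byte placeable header in front, and flags any META_ESCAPE record whose escape sub-function is SETABORTPROC, the escape the exploit relies on. The header layout and record numbers come from the public WMF format; the two sample files are constructed inline, and the 16 filler bytes in the bad one are inert placeholders, not a payload. Because the check looks only at the bytes, it does not care whether the file was headed for Explorer, PFV, or an Office application's own WMF player.

```python
import struct

# WMF constants from the public metafile format (not from this post).
PLACEABLE_KEY = 0x9AC6CDD7      # "Aldus placeable" header magic
PLACEABLE_HEADER_LEN = 22
METAHEADER_LEN = 18
META_EOF = 0x0000
META_SETBKMODE = 0x0102
META_ESCAPE = 0x0626
SETABORTPROC = 9                # Escape() sub-function abused by the WMF exploit


def parse_wmf_records(data):
    """Walk a WMF blob and return a list of (offset, function, params).

    Accepts both a bare METAHEADER and one preceded by the 22-byte placeable
    header, since (as the FAQ notes) different consumers accept different
    flavours. Each record's rdSize is clamped to the file length so a bogus
    size cannot make the scanner read past the end of the data.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + METAHEADER_LEN:
        raise ValueError("truncated METAHEADER")
    (_mt_type, hdr_words, _version, _size_words,
     _n_objects, _max_record, _n_params) = struct.unpack_from("<HHHIHIH", data, off)
    if hdr_words != 9:                       # mtHeaderSize is always 9 WORDs
        raise ValueError("unexpected mtHeaderSize %d" % hdr_words)
    off += hdr_words * 2

    records = []
    while off + 6 <= len(data):
        rd_size_words, rd_func = struct.unpack_from("<IH", data, off)
        if rd_size_words < 3:                # rdSize counts its own 6-byte header
            raise ValueError("malformed record at offset %d" % off)
        end = min(off + rd_size_words * 2, len(data))
        records.append((off, rd_func, data[off + 6:end]))
        if rd_func == META_EOF:
            break
        off = end
    return records


def find_setabortproc(data):
    """Return [(offset, declared_byte_count)] for every META_ESCAPE record whose
    escape sub-function is SETABORTPROC. An empty list means nothing was found."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_fn, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_fn == SETABORTPROC:
                hits.append((off, byte_count))
    return hits


def build_record(func, params=b""):
    """Encode one metafile record: rdSize (in WORDs), rdFunction, rdParm."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records, placeable=False):
    """Wrap records in a METAHEADER, optionally with a placeable header in front."""
    body = b"".join(records)
    max_record = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (METAHEADER_LEN + len(body)) // 2, 0, max_record, 0)
    blob = header + body
    if placeable:
        # Key, Handle, bounding box (Left, Top, Right, Bottom), Inch, Reserved,
        # followed by the XOR-of-the-first-10-WORDs checksum.
        apm = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (word,) in struct.iter_unpack("<H", apm):
            checksum ^= word
        blob = apm + struct.pack("<H", checksum) + blob
    return blob


# Constructed samples (not real-world files). The filler bytes are inert.
FILLER = b"A" * 16
_BENIGN_RECORDS = [build_record(META_SETBKMODE, struct.pack("<H", 1)),
                   build_record(META_EOF)]
_BAD_RECORDS = [build_record(META_SETBKMODE, struct.pack("<H", 1)),
                build_record(META_ESCAPE,
                             struct.pack("<HH", SETABORTPROC, len(FILLER)) + FILLER),
                build_record(META_EOF)]
BENIGN = build_wmf(_BENIGN_RECORDS)
MALICIOUS = build_wmf(_BAD_RECORDS)
MALICIOUS_PLACEABLE = build_wmf(_BAD_RECORDS, placeable=True)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("setabortproc", MALICIOUS),
                       ("setabortproc+placeable", MALICIOUS_PLACEABLE)]:
        print(name, find_setabortproc(blob))
```

The placeable-header branch is the split the FAQ describes: a consumer that insists on the placeable header never sees the bare form, while one that hands the METAHEADER straight to PlayMetaFile accepts it, so a detector has to accept both. Matching on the escape sub-function rather than on any particular payload bytes is also what kept the early signatures from being trivially evaded by changing the filler.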

Last modified on January 9, 2006

Categories: InfoSec, The Red Pill


2 Responses to “This is sorta scary…”

  1. Knox Says:

    It’s frightening to think how much code looks at WMFs and makes decisions about how to handle embedded software calls. When I disabled the DLL for the first WMF exploit, Outlook would still show me WMF files, so it was using its own engine to do so.

  2. pilgrim Says:

    And since the vulnerability is a design feature of the WMF spec, there’s not much you can do about it. I believe M$’s patch was pretty well localized to GDI32.dll and that other one that escapes me at the moment. If apps, like Outlook, have their own engine for interpreting this format, the problem begins to grow.
