[funsec] MS Update coming today

H D Moore funsecspam at digitaloffense.net
Thu Jan 5 18:43:12 CST 2006

Signaturing a Metasploit WMF exploit on-disk isn't hard, its the delivery 
that makes detection. All of the current IDS/AV signatures are based on 
the following pattern (values are in hex):

[ any number of bytes ] 
(01 or 02) + 00 + 09 + 00 
[ any number of bytes ]
26 + 09 + 00

Exploitation FAQ:

Q) The Windows Meta File format has a number of optional headers, can any 
of these be used to trigger the arbitrary code execution flaw via 

A) No. The CLP headers (16 bit and 32 bit) cause the Picture and Fax 
Viewer (PFV) and Internet Explorer to throw an error when trying to 
render the image. Internet Explorer will only display an image internally 
if the "placeable" header has been prepend to the bare WMF header. If the 
"placeable" header exists, a device context check will fail during the 
call to Escape() and the SetAbortProc() function is not reached. This 
effectively prevents IE or the PFV from executing the SetAbortProc() call 
when any optional header has been prepended. This may not hold true for 
Explorer's preview and icon view.

Q) What about the Enhanced Meta File format? Does this format allow access 
to the exploitable function?

A) No. The EMF format has a separate API (which may or may not have its 
own problems), but it does not allow access to the WMF Escape() function. 
A WMF file can be delivered with the EMF extension however, which will 
cause it to be processed with the vulnerable API.

Q) Are there any other ways to obtain code execution besides via WMF files 
viewed by PFV or Explorer?

A) Yes. Any application that accepts WMF files and calls PlayMetaFile with 
the supplied data can be exploited. Some of these only recognize WMF 
files with the placeable header, which may prevent the application from 
reaching the SetAbortProc function. There are *many* other places where 
standard (ie. included with the OS) applications call the PlayMetaFile 
function, its just a matter of figuring out which ones can be used to 
deliver the malicious WMF content. A potential vector includes the 
display of icons stored inside of a standard executable. Viewing these 
files in an Explorer directory listing could result in the execution of 
code in an embedded WMF file. This has yet to be tested.

Q) What WMF header fields are mandatory for code execution through the 

A) Not many. The Windows Meta File header and possible field values are 
listed below:

# Possible values: 1 or 2 (memory or disk) 
WORD FileType

# The HeaderSize must always be 9 
WORD HeaderSize;

# The Version field can be 0x0300 or 0x0100 
WORD Version

# This parameter can be anywhere from 0x20 to 0xffffffff 
DWORD FileSize

# Completely arbitrary 
WORD NumOfObjects

# Completely arbitrary 
DWORD MaxRecordSize

# Completely arbitrary 
WORD NumOfParams

The MSB of the actual MetaFileRecord function field is completely ignored.

Credits: A number of anonymous sources contributed to this information.

More information on the WMF structure can be found at the following sites:
- http://wvware.sourceforge.net/caolan/ora-wmf.html
- http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt

On Thursday 05 January 2006 18:26, Gary Funck wrote:
> > "Microsoft's monitoring of attack data continues to indicate that the
> > attacks are limited and are being mitigated both by Microsoft's
> > efforts to shut down malicious Web sites and with up-to-date
> > signatures form anti-virus
> > companies.
> A nit: I thought I saw a characterization of the WMF exploit
> 'opportunity' that indicated it might be difficult/impossible to find
> virus payloads using a signature that employ this exploit.   Did I get
> that wrong? Also, are there viruses/worms out there 'in the wild' at
> the moment that invoke the Metasploit?  How prevalent are they?
> thanks.
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

More information about the funsec mailing list