| Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution |
|
| Secunia Advisory: | SA18255 |  | | Release Date: | 2005-12-28 | | Last Update: | 2005-12-29 |
| | Critical: | 
Extremely critical | | Impact: | System access
| | Where: | From remote
| | Solution Status: | Unpatched |
| | OS: | Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
| | Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it. |
| | CVE reference: | CVE-2005-4560
|
| Description:
A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf") containing specially crafted SETABORTPROC "Escape" records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails. This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. opening a folder containing a malicious image file).
The vulnerability can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.
NOTE: Exploit code is publicly available. This is being exploited in the wild. The vulnerability can also be triggered from explorer if the malicious file has been saved to a folder and renamed to other image file extensions like ".jpg", ".gif, ".tif", and ".png" etc.
The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.
Solution:
Do not save, open or preview untrusted image files from email or other sources, or open untrusted folders and network shares in explorer.
Set security level to "High" in Microsoft Internet Explorer to prevent automatic exploitation.
The risks can be mitigated by unregistering "Shimgvw.dll". However, this will disable certain functionalities. Secunia do not recommend the use of this workaround on production systems until it has been thoroughly tested.
Provided and/or discovered by:
First reported in the wild by "noemailpls".
Exploit code and additional information provided by H D Moore.
Changelog:
2005-12-29: Updated advisory.
Original Advisory:
Microsoft (KB912840):
http://www.microsoft.com/technet/security/advisory/912840.mspx
Other References:
US-CERT VU#181038:
http://www.kb.cert.org/vuls/id/181038
|
| Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others. |
|
|
|
| Send Feedback to Secunia: |
| If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback is most welcome. |
|
|
|
| Found: 139 Related Secunia Security Advisories, displaying 10 |
|
| - Microsoft IIS Malformed URL Potential Denial of Service Vulnerability |
| - Microsoft Windows UPnP GetDeviceList Denial of Service |
| - Microsoft Windows WMF/EMF File Rendering Arbitrary Code Execution |
| - Microsoft Windows Shell and Web View Three Vulnerabilities |
| - Microsoft Collaboration Data Objects Buffer Overflow Vulnerability |
| - Microsoft Windows Plug-and-Play Service Arbitrary Code Execution |
| - Microsoft Windows Client Service for NetWare Buffer Overflow |
| - Microsoft Windows FTP Client Filename Validation Vulnerability |
| - Microsoft Windows MSDTC and COM+ Vulnerabilities |
| - Microsoft Windows DirectShow AVI Handling Vulnerability |
Show all related advisories |
|
|
|
