NetDefend IPS
IPS Advisories
NetDefend
Anti-Virus
Anti-Virus Advisories
NetDefend Web Content Filtering
NetDefend IP Reputation
NetDefend Update Center
IPS History
Oct 17, 2024
Oct 09, 2024
Oct 04, 2024
Oct 03, 2024
Sep 25, 2024
Anti-Virus History
Feb 12, 2022
Jan 06, 2022
Oct 23, 2021
Aug 29, 2021
Aug 23, 2021







Home > NetDefend Live > NetDefend IPS Service
NetDefend IPS Service
Print
Advisory ID
7244
Name
WMF Escape
IPS Signature
Maintenance IPS Signature
IPS Group
FROM / EXT / EXPLOIT
Issued
Dec 30, 2005
Description
The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf") containing specially crafted SETABORTPROC "Escape" records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails. This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. opening a folder containing a malicious image file).
Solution
http://hexblog.com/2005/12/wmf_vuln.html
Refferences
http://www.milw0rm.com/id.php?id=1391
http://wvware.sourceforge.net/caolan/ora-wmf.html
http://www.csee.umbc.edu/~squire/download/WinGDI.h
http://windowssdk.msdn.microsoft.com/library/en-us/multimed/htm/_win32_escape.asp
http://msdn.microsoft.com/library/en-us/gdi/prntspol_0883.asp
http://archives.neohapsis.com/archives/fulldisclosure/2005-12/1298.html
http://sunbeltblog.blogspot.com/2005/12/more-than-50-wmf-variants-in-wild.html
http://isc.sans.org/diary.php?storyid=975
http://www.securityfocus.com/archive/1/420288/30/0/threaded
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=1544
http://www.securityfocus.com/bid/16074
http://www.frsirt.com/english/advisories/2005/3086
http://secunia.com/advisories/18255
http://www.kb.cert.org/vuls/id/181038
cve
CVE-2005-4560
Enter your details in the box below to receive an email each time we post a new issue of our newsletter.







Dec 01, 2024