| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 30 Dec 2005 15:40:55 -0500 (EST) From: Paul Laudanski <zx@...tlecops.com> To: Bill Busby <williambusby2001@...oo.com> Cc: "Hayes, Bill" <Bill.Hayes@....com>, <davidribyrne@...oo.com>, <bugtraq@...urityfocus.com> Subject: Re: WMF Exploit On Thu, 29 Dec 2005, Bill Busby wrote: > It is not only *.wmf extensions it is all files that > have windows metafile headers that will open with the > Windows Picture and Fax Viewer. Any file that has the > header of a windows metafile can trigger this exploit. Sunbelt Kerio and Bleeding Snort have put together two rules for this: alert ip any any -> any any (msg: "COMPANY-LOCAL WMF Exploit"; content:"01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00"; content:"00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00"; reference: url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; sid:2005122802; classtype:attempted-user; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"01 00 09 00 00 03"; depth:500; content:"00 00"; distance:10; within:12; content:"26 06 09 00"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:1;) Simply add it to Sunbelt Kerio's bad-traffic.rlk file, or download it: http://castlecops.com/p687296-.html#687296 -- Paul Laudanski, Microsoft MVP Windows-Security [cal] http://events.castlecops.com [de] http://de.castlecops.com [en] http://castlecops.com [wiki] http://wiki.castlecops.com [family] http://cuddlesnkisses.com
Powered by blists - more mailing lists