NetDefend IPS
IPS Advisories
NetDefend
Anti-Virus
Anti-Virus Advisories
NetDefend Web Content Filtering
NetDefend IP Reputation
NetDefend Update Center
IPS History
Jan 06, 2020
Oct 24, 2019
Jul 01, 2019
Feb 18, 2019
Feb 15, 2019
Anti-Virus History
Jan 01, 2020
Dec 01, 2019
Nov 23, 2019
Nov 09, 2019
Oct 22, 2019







Home > NetDefend Live > NetDefend IPS Service
NetDefend IPS Service
Print
Advisory ID
7244
Name
WMF Escape
IPS Signature
Maintenance IPS Signature
IPS Group
FROM / EXT / EXPLOIT
Issued
Dec 30, 2005
Description
The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf") containing specially crafted SETABORTPROC "Escape" records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails. This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. opening a folder containing a malicious image file).
Solution
http://hexblog.com/2005/12/wmf_vuln.html
Refferences
http://www.milw0rm.com/id.php?id=1391
http://wvware.sourceforge.net/caolan/ora-wmf.html
http://www.csee.umbc.edu/~squire/download/WinGDI.h
http://windowssdk.msdn.microsoft.com/library/en-us/multimed/htm/_win32_escape.asp
http://msdn.microsoft.com/library/en-us/gdi/prntspol_0883.asp
http://archives.neohapsis.com/archives/fulldisclosure/2005-12/1298.html
http://sunbeltblog.blogspot.com/2005/12/more-than-50-wmf-variants-in-wild.html
http://isc.sans.org/diary.php?storyid=975
http://www.securityfocus.com/archive/1/420288/30/0/threaded
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=1544
http://www.securityfocus.com/bid/16074
http://www.frsirt.com/english/advisories/2005/3086
http://secunia.com/advisories/18255
http://www.kb.cert.org/vuls/id/181038
cve
CVE-2005-4560
Enter your details in the box below to receive an email each time we post a new issue of our newsletter.







Jan 26, 2020