Will CSA defend against WMF exploits?

theotang
Level 1

6 Replies

tsteger1
Level 8

Executing GDI32.DLL from memory will probably trigger the trojan detection rule. I don't know as I haven't had a "live" site to test with and haven't created a test rule. Even if it doesn't block the vector it will probably block the payload depending on what it is. You could proactively block the payload once it is identified but you would need to be quite vigilant.

I have just gotten confirmation that the trojan detection rule has successfully stopped this exploit.

Cool, thanks Travis

I'm still looking for that live site (or even a test site like they had with GDI+).

Here are some confirmed WMF exploit sites. If you have a non-production system to test CSA out, please be my guest. Let us know if CSA blocks these.

CAUTION, THE FOLLOWING SITES HAVE BEEN CONFIRMED BY VERISIGN TO BE HOSTING MALICIOUS WMF FILES AND SHOULD NOT BE VISITED.

From: SOC [SOC@verisign.com]

Sent: Mon 1/2/2006 12:07 PM

Subject: [VeriSign Security Notification] Microsoft Windows WMF Remote Code Execution Vulnerability Picking up Momentum!

[Abstract]

The following websites have been confirmed as hosting malicious Windows meta files that exploit this vulnerability. Users should not visit these URLs using production systems:


jeff.roback
Level 1
(Accepted Solution)

We confirmed in our lab this week that CSA 4.5 does block attempts to exploit the WMF vulnerability, recognizing it as an attempt to invoke a function from a buffer. I've attached a screen shot of the CSA query.

Only caution is this: the default response is to terminate the application running the exploit. However, the 'out of the box' rules allow the user to permit the activity, which then allows the exploit to run. We're re-tuning our rules to prevent a yes response to this query.

Our testing was done with a live exploit. If you'd like to test this in-house, best bet is to go to a site with a known safe exploit wmf. (Besides the live ones keep getting taken down anyway!). This site is a good start:

http:// sipr.net / test.wmf (Remove spaces in URL)

A really good WMF exploit FAQ is here:

http://isc.sans.org/diary.php?storyid=994

Nice site - tested it with 4.5.1(639). Only want to mention that it blocks test.wmf as long as you use IE to directly access it.

Try downloading it and accessing it from local disk with Explorer and you'll get hit, as the System API Control rule inside General Application Permissions (all Security Levels) will only work for Network Applications that access functions from a buffer.

After expanding application class from network applications to all applications you are safe again.

Regards,

Arne
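The replies above test CSA by opening WMF files from a website or from local disk. A complementary, host-independent check is to inspect the file itself: the WMF vulnerability discussed in this thread is triggered through a META_ESCAPE record whose escape function is SETABORTPROC, so a static scanner can flag files carrying that record before any viewer opens them. The Python below is an added example written for this page, not code from the thread or from Cisco; the WMF constants and header layout follow the public WMF format, and the sample files are constructed in-line with dummy escape data (they contain no exploit code).

```python
import struct

META_EOF, META_SETMAPMODE, META_ESCAPE = 0x0000, 0x0103, 0x0626
SETABORTPROC = 0x0009          # escape function that installs a callback; the WMF exploit vector
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus "placeable" header in front of the standard header

def wmf_records(data):
    """Yield (offset, function, params) for every record in a WMF byte string."""
    off = 22 if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        raise ValueError('truncated WMF header')
    off += struct.unpack_from('<H', data, off + 2)[0] * 2   # HeaderSize is in 16-bit words (normally 9)
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)   # RecordSize (words), RecordFunction
        if size_words < 3:
            raise ValueError('bad record size at offset %d' % off)
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end

def find_setabortproc(data):
    """Return offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc, _byte_count = struct.unpack_from('<HH', params, 0)   # EscapeFunction, ByteCount
            if esc == SETABORTPROC:
                hits.append(off)
    return hits

# --- constructed sample files for the demo (not real malware; escape data is dummy bytes) ---
def _record(func, params=b''):
    params += b'\x00' * (len(params) % 2)                    # records are word-aligned
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params

def _wmf(records, placeable=False):
    body = b''.join(records)
    hdr = struct.pack('<HHHIHIH', 1, 9, 0x0300, 9 + len(body) // 2, 0,
                      max(len(r) for r in records) // 2, 0)  # FileType, HeaderSize, Version, FileSize, ...
    if placeable:
        hdr = struct.pack('<IHhhhhHIH', PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + hdr
    return hdr + body

BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack('<H', 8)), _record(META_EOF)])
ESCAPE_WMF = _wmf([_record(META_SETMAPMODE, struct.pack('<H', 8)),
                   _record(META_ESCAPE, struct.pack('<HH', SETABORTPROC, 4) + b'ABCD'),
                   _record(META_EOF)])
PLACEABLE_ESCAPE_WMF = _wmf([_record(META_ESCAPE, struct.pack('<HH', SETABORTPROC, 4) + b'ABCD'),
                             _record(META_EOF)], placeable=True)

if __name__ == '__main__':
    for name, blob in [('benign', BENIGN_WMF), ('escape', ESCAPE_WMF), ('placeable', PLACEABLE_ESCAPE_WMF)]:
        print(name, find_setabortproc(blob))
```

Running `find_setabortproc` over files such as the test.wmf mentioned above shows whether the record is present regardless of which application opens the file, which is the gap Arne describes for the Network Applications class.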
