
W32/WMF!exploit - Released Dec 28, 2005 - Last Updated Jan 05, 2005

Alias/es

Exploit-WMF [McAfee], Exploit.Win32.WMF-PFV [BitDefender], Trojan-Downloader.Win32.Agent.acd [F-Secure], W32/WMF-exploit

Detection Availability

Active Database / Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • This exploit executes arbitrary code; currently known code executions include the following

    - installation of adware/spyware
    - initiation of shell code

Detailed Analysis

A vulnerability exists in the Graphics Rendering Engine, in the shell image viewer DLL (shimgvw.dll) associated with viewing Windows Metafile data files (commonly with the .WMF extension). The vulnerability allows a crafted Windows Metafile Format file to redirect execution to a series of assembly language instructions, i.e. an unknown payload or arbitrary code.

Note that even if the file extension is renamed from .WMF to any of the following, the exploit could still execute -

.bmp
.dib
.rle
.jpg
.jpeg
.jpe
.jfif
.gif
.emf
.wmf
.tif
.tiff
.png
.ico
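Because the rendering engine identifies a Windows Metafile by its content and not by its file name, an extension filter alone cannot catch a renamed file. The following Python script is an added example (not Fortinet's detection logic or any code from this page) showing how a defender can triage files by parsing the WMF header instead of trusting the extension. It recognises the two WMF header layouts (the placeable/APM header with key 0x9AC6CDD7, and the standard METAHEADER) and flags any file that carries WMF content under one of the other image extensions listed above. The sample files are constructed inline and are not exploit files; they contain only headers and an end-of-file record.

```python
from __future__ import annotations

import os
import struct

# Magic key at the start of a placeable (Aldus/APM) WMF file, little-endian.
PLACEABLE_KEY = 0x9AC6CDD7

# Extensions from the advisory under which a renamed WMF still renders.
IMAGE_EXTENSIONS = {".bmp", ".dib", ".rle", ".jpg", ".jpeg", ".jpe", ".jfif",
                    ".gif", ".emf", ".wmf", ".tif", ".tiff", ".png", ".ico"}


def looks_like_wmf(data: bytes) -> bool:
    """Return True if the leading bytes parse as a WMF header.

    Two layouts are recognised:
      - placeable WMF: 22-byte APM header starting with PLACEABLE_KEY,
        followed by the standard header;
      - standard WMF: 18-byte METAHEADER with FileType 1 (memory) or
        2 (disk), HeaderSize 9 (words) and Version 0x0100 or 0x0300.
    """
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = 22
    if len(data) < offset + 18:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", data, offset)
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def find_disguised_wmf(files: dict[str, bytes]) -> list[str]:
    """Names of files whose content is WMF but whose extension is not .wmf.

    Files named *.wmf are left alone here; the point is to surface metafile
    content hiding behind another image extension for closer inspection.
    """
    hits = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        if looks_like_wmf(data) and ext in IMAGE_EXTENSIONS and ext != ".wmf":
            hits.append(name)
    return sorted(hits)


# --- constructed sample data (hypothetical, for the demonstration only) ---

def build_standard_header(version: int = 0x0300) -> bytes:
    """Minimal standard WMF: METAHEADER plus a single EOF record (function 0)."""
    eof_record = struct.pack("<IH", 3, 0x0000)        # RecordSize=3 words, META_EOF
    total_words = (18 + len(eof_record)) // 2
    # FileType=2 (disk), HeaderSize=9, Version, FileSize (words),
    # NumberOfObjects=0, MaxRecord=3, NumberOfMembers=0
    header = struct.pack("<HHHIHIH", 2, 9, version, total_words, 0, 3, 0)
    return header + eof_record


def build_placeable(body: bytes) -> bytes:
    """Prefix a standard WMF with an APM header; checksum is the XOR of its 10 words."""
    fields = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", fields):
        checksum ^= word
    return fields + struct.pack("<H", checksum) + body


SAMPLE_FILES = {
    "holiday.jpg": build_placeable(build_standard_header()),  # WMF under a .jpg name
    "logo.gif": build_standard_header(),                       # bare METAHEADER under .gif
    "real.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,           # genuine PNG signature
    "chart.wmf": build_standard_header(),                      # WMF under its own name
}

if __name__ == "__main__":
    for name in find_disguised_wmf(SAMPLE_FILES):
        print(f"{name}: WMF content under a non-.wmf extension")
```

A header match only says "this is a metafile", not "this is malicious"; the script is a triage step that routes renamed metafiles to content scanning or quarantine rather than letting an extension allow-list wave them through. The placeable header is checked first because, when present, the standard header sits 22 bytes further in.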

The vulnerability is unpatched as of the time of this writing; an exploit for such a flaw is known as a "zero-day" exploit, where "zero" refers to the number of days between discovery of the exploit and its release to the public through various means. Examples of this exploit exist on some security sites, and variations of working code exist on several hosted sites.

Viewing either the example code or a working Trojanized WMF file triggers execution on Microsoft Windows, including systems with all known and existing security updates for Windows XP SP2 applied. Microsoft posted an acknowledgement of the vulnerability and recommended at least one workaround: unregistering SHIMGVW.DLL.

Additional Resources

Advisories were posted on numerous security sites including the following -

Recommended Action

    FortiGate systems:

  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option


Reference: ID - 139967