W32/WMF!exploit

Aliases: Exploit-WMF [McAfee], Exploit.Win32.WMF-PFV [BitDefender], Trojan-Downloader.Win32.Agent.acd [F-Secure], W32/WMF-exploit
Release Date: Dec 28, 2005
Detection Availability
                 Active Database   Extended Database
  FortiGate      low               high
  FortiClient
  FortiMail      N/A
Current Antivirus Definition Database Version: 12.202
Description

Visible Symptoms

  • This exploit executes arbitrary code; currently known payloads include the following:

    - installation of adware/spyware
    - execution of shellcode

Detailed Analysis

A vulnerability exists in the Graphics Rendering Engine, in the shell image viewer DLL (shimgvw.dll) associated with viewing Windows Metafile data files (commonly carrying the .WMF extension). A crafted Windows Metafile can redirect control flow to a series of assembly-language instructions contained in the file, so that an unknown payload, or any arbitrary code, is executed.

Note that even if the file extension is renamed from .WMF to any of the following, the exploit can still execute:

.bmp
.dib
.rle
.jpg
.jpeg
.jpe
.jfif
.gif
.emf
.wmf
.tif
.tiff
.png
.ico

The vulnerability is unpatched as of the time of this writing, which makes this a "zero-day" exploit; the "zero" refers to the number of days between discovery of the flaw and public release of an exploit through various means. Examples of this exploit exist on some security sites, and variations of working code exist on several hosted sites.

Viewing either the example files or the working Trojanized WMF files will trigger execution on Microsoft Windows, even with all known security updates applied to Windows XP SP2. Microsoft posted an acknowledgement of the vulnerability and recommended at least one workaround: unregistering SHIMGVW.DLL.
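As an added example (not part of this description), the following Python check identifies WMF data from its header bytes regardless of the file's extension, walks the record stream, and flags META_ESCAPE records, which are the record type that hands data to a driver escape. The record layout and the SETABORTPROC sub-function constant come from the public WMF format and are not named on this page; the sample file is constructed for the demonstration.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # key DWORD that opens a placeable (Aldus) WMF
META_ESCAPE = 0x0626           # record function that passes data to a driver escape
SETABORTPROC = 0x0009          # escape sub-function widely reported as the abused one (not from this page)

def is_wmf(data: bytes) -> bool:
    """Recognise WMF content from its header bytes; the file extension is ignored."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return True
    if len(data) < 18:
        return False
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)

def escape_records(data: bytes) -> list:
    """Walk the WMF record stream; return (offset, escape_function) for every META_ESCAPE."""
    found = []
    if not is_wmf(data):
        return found
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    off += 18                                   # skip the 18-byte standard header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == 0:                           # META_EOF
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            found.append((off, struct.unpack_from("<H", data, off + 6)[0]))
        if size_words < 3:                      # bogus size field; never trust it to advance
            break
        off += size_words * 2                   # Size is counted in 16-bit words
    return found

def classify(filename: str, data: bytes) -> dict:
    """What an extension-based filter sees versus what the renderer will actually parse."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    escapes = escape_records(data)
    return {
        "extension": ext,
        "is_wmf": is_wmf(data),
        "escape_records": len(escapes),
        "setabortproc": any(f == SETABORTPROC for _, f in escapes),
    }

def build_sample() -> bytes:
    """Constructed sample: a minimal on-disk WMF holding one SETABORTPROC escape, then EOF."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
    escape = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)  # 5 words = 10 bytes
    return header + escape + struct.pack("<IH", 3, 0)
```

Running classify("holiday.jpg", build_sample()) reports a .jpg extension but WMF content with one SETABORTPROC escape, which is exactly the case an extension-only filter misses.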

Additional Resources
Advisories were posted on numerous security sites, including the following:

Description Last Updated Date: Jan 05, 2005
Reference: ID - 139967