Test your computer/browser protection to the WMF exploit


Synapse

Found this quite fun... it's in German... but just scroll down to where it says "Test"

http://www.heise.de/security/dienste/brows...os/ie/wmf.shtml

My results:

Firefox: Asked me to download it or open it.. I chose to download it and double clicked the icon to open Windows fax and picture viewer.. calc.exe ran and explorer.exe crashed.. even right clicking and hitting properties on the file caused it to run.

IE: Started download, ran Windows fax viewer thing but no calculator execution... which I found weird.. maybe it's reading from the cache, I'll have to test after I do a restart and clear my browser cache.

Explorer: with Thumbnails turned on, it ran calc.exe and caused the explorer.exe to crash again.

Post your results..

btw.. in case anyone is interested in how this looks when the actual infected .wmf is run.. check out this movie

http://www.websensesecuritylabs.com/images...s/wmf-movie.wmv

Edited by Bi0haZarD

IE: Asked me to download or open it. Chose Open: "Open file with..." dialog comes up. I choose to open it with IE. The "save" dialog comes up and closes immediately.

Chose Save: Downloaded the WMF. Double-clicked it and "open file with..." comes up again.

Right-click and view Properties: Standard property page comes up, nothing else happens.

Turned on Thumbnails: Nothing happened.

Tried various Image-editing programs I had. All of them refused to open the file, claiming the file was invalid.

I guess I'm immune... :thumbup

OS: 98se customised.

Edited by LLXX
It's a TEST wmf file.. all it does is run calc.exe if your system is vulnerable..

And yes, I have checked this link myself, both on a VMware workstation and my main computer.. with regmon, filemon, and process explorer all running.. to make sure it's 100% safe.. I would never put up a link here that could even have the possibility of damaging a fellow MSFN user's comp in any way.

As for the site being in German, it's a German magazine.. basically an equivalent of slashdot.. they made it so people could check to make sure they were protected from the exploit without having to run the actual destructive wmf.

kthanks.


My results:

Opera and IE: Asked me to download it or open it.. I chose to download it and double clicked the icon to open Windows fax and picture viewer. Viewer opens with the message: No example available (translated from Dutch to English). And yes, I have the WMFpatch installed from Microsoft...

But nice movie, now i know how it looks. Thanks! :)


FF prompts to download.

Saved file and scanned and, naturally, ClamWin detected:

\browsercheck.tif: Exploit.WMF.Gen-3 FOUND

Opened file and got error "format of the file could not be determined". However, I don't have Windows p&f viewer installed. 'tif' is associated with XnView, but it obviously wasn't a valid 'tif' file.

calc.exe didn't run.
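
The last post notes that the test file arrived with a .tif name but was not a valid TIFF. As an added example (not part of the thread or of the heise test page), this Python sketch classifies a file by its leading bytes and flags a disagreement between name and content; the function names and the sample bytes are constructed for illustration.

```python
import os
import struct

# Extensions expected for each content type the sniffer recognises.
EXPECTED_EXT = {"wmf": {".wmf"}, "tiff": {".tif", ".tiff"}}

def sniff(data: bytes) -> str:
    """Classify a buffer as 'wmf', 'tiff' or 'unknown' from its leading bytes."""
    # TIFF starts with a byte-order mark followed by the number 42.
    if data[:4] in (b"II*\x00", b"MM\x00*"):
        return "tiff"
    # A placeable WMF carries a 22-byte prefix whose key is 0x9AC6CDD7.
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == 0x9AC6CDD7:
        data = data[22:]
    # Standard metafile header: type 1 (memory) or 2 (disk),
    # header size of 9 words, version 0x0100 or 0x0300.
    if len(data) >= 18:
        mt_type, hdr_words, version = struct.unpack_from("<HHH", data)
        if mt_type in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"

def extension_mismatch(filename: str, data: bytes):
    """Return a finding string when content and extension disagree, else None."""
    kind = sniff(data)
    ext = os.path.splitext(filename)[1].lower()
    if kind != "unknown" and ext not in EXPECTED_EXT[kind]:
        return f"{filename}: content is {kind}, extension is {ext or '(none)'}"
    return None

# Constructed sample: an 18-byte metafile header plus an end-of-file record.
# It contains no drawing records and is harmless.
SAMPLE_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)

if __name__ == "__main__":
    print(extension_mismatch("browsercheck.tif", SAMPLE_WMF))
```

A check like this fits at a mail or download gateway, where a file whose content type disagrees with its name can be held for inspection regardless of which viewer the extension is associated with.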
