Microsoft Windows Enhanced Metafile (EMF) buffer overflow (Image_EMF_Long_Description)

About this signature or vulnerability

Proventia G-Series, Proventia Network IPS, Proventia Desktop, Proventia M-Series, BlackICE Server Protection, Proventia Server for Windows, BlackICE PC Protection, BlackICE Agent for Server, RealSecure Network Sensor, RealSecure Server Sensor:

Triggers when the description field of an Enhanced Metafile (EMF) exceeds the tunable pam.content.emf.description.threshold, which defaults to 128 bytes.



Default risk level

High

Sensors that have this signature

Proventia G-Series: XPU 24.38, Proventia Network IPS: XPU 1.77, Proventia Desktop: 8.0.812.1770, Proventia M-Series: XPU 1.77, BlackICE Server Protection: 3.6.cpi, Proventia Server for Windows: 1.0.914.1770, BlackICE PC Protection: 3.6cpi, BlackICE Agent for Server: 3.6epi, RealSecure Network Sensor: XPU 24.38, RealSecure Server Sensor: XPU 24.38

Systems affected

Windows NT: 4.0 Server SP6a, Windows XP: 64-bit Edition SP1, Windows 2000: SP4, Windows Server 2003: Any version, Windows 2000: SP3, Windows XP: SP1, Windows NT: 4.0 Server TSE SP6, Windows XP: 64-bit Edition 2003, Windows Server 2003: 64-Bit Edition, Windows: 98 Second Edition, Windows: XP, Windows: Me, Windows: 98

Type

Unauthorized Access Attempt

Vulnerability description

Multiple versions of Microsoft Windows are vulnerable to a buffer overflow caused by improper bounds checking when handling the Enhanced Metafile (EMF) image format. By creating a specially crafted EMF image file, a remote attacker could overflow a buffer and execute arbitrary code with the privileges of the user who opens the file. An attacker could deliver the file by hosting it on a Web site or by embedding it in an HTML email.

Note: This vulnerability is different than the vulnerability addressed in Microsoft Bulletin MS04-011.
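The following is an added example, not ISS/Proventia or Microsoft code, showing what the trigger described under "About this signature" amounts to in practice: parse the EMR_HEADER record of an EMF, read the nDescription/offDescription fields, and compare the declared description size with the 128-byte default of pam.content.emf.description.threshold. It also performs the check a practitioner would add beside the threshold: whether the declared description even fits inside the file, since a count that runs past the data (like the 65535 recorded as Description Length in the event at the end of this page) is malformed regardless of any threshold. The EMF field layout is the documented ENHMETAHEADER from wingdi.h; the assumption that the sensor measures the description in bytes (so the UTF-16 code-unit count is doubled) is not stated on the page, and all sample files are constructed inline.

```python
"""Minimal ENHMETAHEADER parser with the length check behind
Image_EMF_Long_Description.  Added example; not ISS/Proventia or Microsoft code."""
import struct

EMR_HEADER = 1                 # iType of the first record in every EMF
EMR_EOF = 14                   # iType of the closing record
EMF_SIGNATURE = 0x464D4520     # dSignature field: " EMF" as a little-endian DWORD
EMF_HEADER_MIN_SIZE = 88       # ENHMETAHEADER without the later extension fields
DEFAULT_THRESHOLD = 128        # pam.content.emf.description.threshold default, in bytes

# Offsets inside the EMR_HEADER record (wingdi.h ENHMETAHEADER, little-endian).
_OFF_SIGNATURE = 40            # dSignature, nVersion, nBytes, nRecords follow in order
_OFF_NDESCRIPTION = 60         # nDescription (WCHAR count), then offDescription


def parse_emf_header(data):
    """Return the header fields the check needs; raise ValueError if not an EMF."""
    if len(data) < EMF_HEADER_MIN_SIZE:
        raise ValueError("shorter than an EMF header")
    itype, nsize = struct.unpack_from("<II", data, 0)
    signature, version, nbytes, nrecords = struct.unpack_from("<IIII", data, _OFF_SIGNATURE)
    ndescription, offdescription = struct.unpack_from("<II", data, _OFF_NDESCRIPTION)
    if itype != EMR_HEADER or signature != EMF_SIGNATURE:
        raise ValueError("not an EMF: bad iType or dSignature")
    return {"nSize": nsize, "nBytes": nbytes, "nRecords": nrecords,
            "nDescription": ndescription, "offDescription": offdescription}


def check_emf_description(data, threshold=DEFAULT_THRESHOLD):
    """Emulate the signature: flag a declared description size above the
    threshold, and separately flag a count that cannot fit inside the file.

    Assumption (not stated on the page): the sensor measures the description
    in bytes, so the header's UTF-16 code-unit count is doubled here.  Python
    integers do not wrap, so this is the arithmetic a 32-bit parser gets wrong
    when it trusts nDescription and multiplies it into a buffer size.
    """
    hdr = parse_emf_header(data)
    declared_bytes = hdr["nDescription"] * 2
    end = hdr["offDescription"] + declared_bytes
    return {
        "description_bytes": declared_bytes,
        "long_description": declared_bytes > threshold,
        # A non-empty description that runs past the end of the data is malformed
        # whatever the threshold; this is the stronger, lower-noise check.
        "description_outside_file": hdr["nDescription"] != 0 and end > len(data),
    }


def build_emf(description, ndescription=None):
    """Constructed sample input: a header record carrying `description`
    followed by an EMR_EOF record.  `ndescription` overrides the honest
    WCHAR count to produce a crafted header."""
    text = (description + "\0\0").encode("utf-16-le")       # "app\0title" plus double terminator
    ndesc = len(text) // 2 if ndescription is None else ndescription
    text += b"\0" * (-len(text) % 4)                         # records are DWORD aligned
    nsize = EMF_HEADER_MIN_SIZE + len(text)                  # the string lives inside the header record
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)     # iType, nSize, nPalEntries, offPalEntries, nSizeLast
    nbytes = nsize + len(eof)
    header = struct.pack("<II", EMR_HEADER, nsize)
    header += bytes(32)                                      # rclBounds and rclFrame, zeroed
    header += struct.pack("<IIIIHHIII", EMF_SIGNATURE, 0x00010000, nbytes, 2,
                          1, 0, ndesc, EMF_HEADER_MIN_SIZE, 0)
    header += bytes(16)                                      # szlDevice and szlMillimeters, zeroed
    return header + text + eof


# Constructed samples: benign, legitimately long, and a crafted count like the 65535 in the event log.
BENIGN_EMF = build_emf("Proventia\0Sample")                  # 18 WCHARs = 36 bytes
LONG_EMF = build_emf("A" * 100)                              # 204 bytes: over threshold, but consistent
CRAFTED_EMF = build_emf("Proventia\0Sample", ndescription=0xFFFF)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_EMF), ("long", LONG_EMF), ("crafted", CRAFTED_EMF)):
        print(name, check_emf_description(blob))
```

The long sample shows the caveat of a pure length threshold: a legitimate file whose application name and title exceed 128 bytes fires the signature even though every field is consistent, while the crafted sample is caught by both checks. When tuning the threshold on a sensor, the out-of-file condition is the one to keep at high confidence.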

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-032. See References.

For Windows Server 2003:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-018. See References.

Microsoft originally provided a patch for this vulnerability in MS04-032; that patch was superseded by the one released with MS05-018.


References

Microsoft Security Bulletin MS04-032
Security Update for Microsoft Windows (840987)
http://www.microsoft.com/technet/security/bulletin/ms04-032.mspx

CIAC Information Bulletin P-008
Microsoft Security Update for Microsoft Windows (840987)
http://www.ciac.org/ciac/bulletins/p-008.shtml

Packet Storm Web site
HOD-ms04032-emf-expl2.c
http://packetstormsecurity.nl/0410-exploits/HOD-ms04032-emf-expl2.c

Microsoft Security Bulletin MS05-018
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859)
http://www.microsoft.com/technet/security/bulletin/MS05-018.mspx

ISS X-Force
Microsoft Windows Enhanced Metafile (EMF) buffer overflow
http://www.iss.net/security_center/static/16581.php

CVE
CVE-2004-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0209



■Detection

Date/Time 2006-06-19 06:15:54 JST
Tag Name Image_EMF_Long_Description
Alert Name Image_EMF_Long_Description
Severity High
Observance Type Intrusion Detection
Combined Event Count 1
Cleared Flag false
Target IP Address 192.168.221.106
Target Object Name 34638
Target Object Type Target Port
Target Service unknown
Source IP Address 192.168.221.110
SourcePort Name 80
Sensor IP Address 10.4.6.106
Sensor Name Proventia_M-Series
:accessed yes
:code 200
:Description Length 65535
:protocol http
:Protocol Name TCP
:server 192.168.221.110
:type attack
:URL /ms04032.wmf
:user-defined false
algorithm-id 2104039
Blocked false
IANAProtocolId 6
Namespace pam
POST Default