つぶやき

このブログは,ご覧頂いたあなたのコンピュータが犯罪に利用されていないか?確認していただく為のひとつの手段としてご利用頂ければ幸いです。電子メール:amaterasu@job.email.ne.jp


テーマ:

Microsoft Windows Enhanced Metafile (EMF) buffer overflow (Image_EMF_Long_Description)

About this signature or vulnerability

Proventia G-Series, Proventia Network IPS, Proventia Desktop, Proventia M-Series, BlackICE Server Protection, Proventia Server for Windows, BlackICE PC Protection, BlackICE Agent for Server, RealSecure Network Sensor, RealSecure Server Sensor:

Trigger if the description field in an Enhanced Metafile (emf) exceeds pam.content.emf.description.threshold which defaults to 128 bytes



Default risk level

High

Sensors that have this signature

Proventia G-Series: XPU 24.38, Proventia Network IPS: XPU 1.77, Proventia Desktop: 8.0.812.1770, Proventia M-Series: XPU 1.77, BlackICE Server Protection: 3.6.cpi, Proventia Server for Windows: 1.0.914.1770, BlackICE PC Protection: 3.6cpi, BlackICE Agent for Server: 3.6epi, RealSecure Network Sensor: XPU 24.38, RealSecure Server Sensor: XPU 24.38

Systems affected

Windows NT: 4.0 Server SP6a, Windows XP: 64-bit Edition SP1, Windows 2000: SP4, Windows Server 2003: Any version, Windows 2000: SP3, Windows XP: SP1, Windows NT: 4.0 Server TSE SP6, Windows XP: 64-bit Edition 2003, Windows Server 2003: 64-Bit Edition, Windows: 98 Second Edition, Windows: XP, Windows: Me, Windows: 98

Type

Unauthorized Access Attempt

Vulnerability description

Multiple versions of Microsoft Windows are vulnerable to a buffer overflow, caused by improper bounds checking when handling Enhanced Metafile (EMF) image formats. By creating a specially-crafted EMF image file containing malicious script, a remote attacker could overflow a buffer and execute arbitrary code on the system with privileges of the victim, once the file is opened. An attacker could exploit this vulnerability by hosting the malicious file on a Web site or by sending it to a victim as an HTML email.

Note: This vulnerability is different than the vulnerability addressed in Microsoft Bulletin MS04-011.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-032. See References.

For Windows Server 2003:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-018. See References.

Microsoft originally provided a patch for this vulnerability in MS04-032, but it was superceded by the patch released with MS05-018.


References

Microsoft Security Bulletin MS04-032
Security Update for Microsoft Windows (840987)
http://www.microsoft.com/technet/security/bulletin/ms04-032.mspx

CIAC Information Bulletin P-008
Microsoft Security Update for Microsoft Windows (840987)
http://www.ciac.org/ciac/bulletins/p-008.shtml

Packet Storm Web site
HOD-ms04032-emf-expl2.c
http://packetstormsecurity.nl/0410-exploits/HOD-ms04032-emf-expl2.c

Microsoft Security Bulletin MS05-018
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859)
http://www.microsoft.com/technet/security/bulletin/MS05-018.mspx

ISS X-Force
Microsoft Windows Enhanced Metafile (EMF) buffer overflow
http://www.iss.net/security_center/static/16581.php

CVE
CVE-2004-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0209



■検知

Date/Time 2006-06-19 06:15:54 JST
Tag Name Image_EMF_Long_Description
Alert Name Image_EMF_Long_Description
Severity High
Observance Type Intrusion Detection
Combined Event Count 1
Cleared Flag false
Target IP Address 192.168.221.106
Target Object Name 34638
Target Object Type Target Port
Target Service unknown
Source IP Address 192.168.221.110
SourcePort Name 80
Sensor IP Address 10.4.6.106
Sensor Name Proventia_M-Series
:accessed yes
:code 200
:Description Length 65535
:protocol http
:Protocol Name TCP
:server 192.168.221.110
:type attack
:URL /ms04032.wmf
:user-defined false
algorithm-id 2104039
Blocked false
IANAProtocolId 6
Namespace pam
POST Default

AD
いいね!した人  |  リブログ(0)

AD

ブログをはじめる

たくさんの芸能人・有名人が
書いているAmebaブログを
無料で簡単にはじめることができます。

公式トップブロガーへ応募

多くの方にご紹介したいブログを
執筆する方を「公式トップブロガー」
として認定しております。

芸能人・有名人ブログを開設

Amebaブログでは、芸能人・有名人ブログを
ご希望される著名人の方/事務所様を
随時募集しております。