• info
• discussion
• exploit
• solution
• references

Microsoft Windows Graphics Rendering Engine WMF SetAbortProc Code Execution Vulnerability

A remote code-execution exploit that triggers this issue is currently circulating in the wild.

An exploit (ie_xp_pfv_metafile.pm revision 1.6) has been released for the Metasploit Framework.

A new exploit (ie_xp_pfv_metafile-19.pm revision 1.9) has been released for the Metasploit Framework. Reports indicate that this exploit can bypass current antivirus and snort signatures.

UPDATE: There are a reports of a worm that is exploiting this vulnerability over MSN. The worm is allegedly enticing users to download a file entitled "xmas-2006 FUNNY.jpg" through links distributed in instant messages. Symantec is currently investigating this. This BID will be updated as more information emerges.

Exploit code wmf_exp.c has been supplied by Unl0ck Research Team. Symantec has not verified the integrity of this exploit.

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

• /data/vulnerabilities/exploits/ie_xp_pfv_metafile-19.pm
• /data/vulnerabilities/exploits/ie_xp_pfv_metafile.pm
• /data/vulnerabilities/exploits/wmf_exp.c