<![CDATA[
<body bgcolor="#D9D5D3" text="#000000" link="#0A3078" vlink="#787270" alink="#FBDD4A" marginheight="0" topmargin="0" vspace="0" marginwidth="0" leftmargin="0" hspace="0" onLoad="MM_preloadImages('../images/exploit_home_over.gif','../images/exploit_sessions_over.gif','../images/pentest_setup_over.gif','../images/exploit_reports_over.gif','../images/exploit_config_over.gif','../images/connections_over.gif','../images/exploits.gif','../images/exploit_doc_over.gif','../images/to_vuln_scan_over.gif','../images/pentest.gif')">
<a name="top"></a>
<table width="744" border="0" cellspacing="0" cellpadding="0" align="left" bgcolor="#FFFFFF">
<tr valign="top">
<td valign="top">
<table border="0" cellspacing="0" cellpadding="0" width="744">
<tr valign="top">
<td><a href="#skipnav"><img src="../images/saintexploit_banner_top.jpg" border=0 width="744" height="60" alt="Skip Navigation"></a></td>
</tr>
<tr>
<td>
<table border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="478"><img src="../images/saintexploit_banner_center.jpg" width="478" height="25" border="0"></td>
<td width="138"><a href="/saint.html" target="_top" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('to_vuln_scan','','../images/to_vuln_scan_over.gif','pentest','','../images/pentest.gif',1)" onClick="MM_goToURL('parent','../../saint/saint.html');return document.MM_returnValue"><img src="../images/to_vuln_scan.gif" width="138" height="25" name="to_vuln_scan" border="0" alt="Vulnerability Scanning |"></a></td>
<td width="128"><a href="home.html" target="_top" onClick="MM_goToURL('parent','home.html');return document.MM_returnValue"><img src="../images/pentest_over.gif" width="128" height="25" name="pentest" border="0" alt="Penetration Testing"></a></td>
</tr>
</table>
</td>
</tr>
<tr>
<td>
<table border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="81"><img src="../images/saintexploit_banner_bottom.jpg" width="81" height="31" border="0"></td>
<td width="50"><a href="home.html" target="_top" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('exploit_home','','../images/exploit_home_over.gif','exploits','','../images/exploits.gif',1)" onClick="MM_goToURL('parent','home.html');return document.MM_returnValue"><img src="../images/exploit_home.gif" width="50" height="31" name="exploit_home" border="0" alt="Home |"></a></td>
<td width="74"><a href="saint_data_form.html" target="_top" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('exploit_sessions','','../images/exploit_sessions_over.gif','exploits','','../images/exploits.gif',1)" onClick="MM_goToURL('parent','saint_data_form.html');return document.MM_returnValue"><img src="../images/exploit_sessions.gif" width="74" height="31" name="exploit_sessions" border="0" alt="Sessions |"></a></td>
<td width="101"><a href="saint_run_form.html" target="_top" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('pentest_setup','','../images/pentest_setup_over.gif','exploits','','../images/exploits.gif',1)" onClick="MM_goToURL('parent','saint_run_form.html');return document.MM_returnValue"><img src="../images/pentest_setup.gif" width="101" height="31" name="pentest_setup" border="0" alt="PenTest Setup |"></a></td>
<td width="88"><a href="analysis.html" target="_top" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('exploit_reports','','../images/exploit_reports_over.gif','exploits','','../images/exploits.gif',1)" onClick="MM_goToURL('parent','analysis.html');return document.MM_returnValue"><img src="../images/exploit_reports.gif" width="88" height="31" name="exploit_reports" border="0" alt="Reports |"></a></td>
<td width="84"><a href="saint_cf_form.html" target="_top" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('exploit_config','','../images/exploit_config_over.gif','exploits','','../images/exploits.gif',1)" onClick="MM_goToURL('parent','saint_cf_form.html');return document.MM_returnValue"><img src="../images/exploit_config.gif" width="84" height="31" name="exploit_config" border="0" alt="Configuration |"></a></td>
<td width="93"><a href="connections.html" target="_top" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('connections','','../images/connections_over.gif','exploits','','../images/exploits.gif',1)" onClick="MM_goToURL('parent','connections.html');return document.MM_returnValue"><img src="../images/connections.gif" width="93" height="31" name="connections" border="0" alt="Connections |"></a></td>
<td width="71"><a href="exploits.html" target="_top" onClick="MM_goToURL('parent','exploits.html');return document.MM_returnValue"><img src="../images/exploits_over.gif" width="71" height="31" name="exploits" border="0" alt="Exploits |"></a></td>
<td width="102"><a href="/cgi-bin/demo_doc.pl?doc_name=documentation.html" target="_top" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage('exploit_doc','','../images/exploit_doc_over.gif','exploits','','../images/exploits.gif',1)" onClick="MM_goToURL('parent','documentation.html');return document.MM_returnValue"><img src="../images/exploit_doc.gif" width="102" height="31" name="exploit_doc" border="0" alt="Documentation"></a></td>
</tr>
</table>
</td>
</tr>
</table>
<a name="skipnav"></a>
<!--start of generate_sub_header output-->
<table border="0" cellspacing="0" cellpadding="0" width="744">
<tr>
<td width="81"> </td>
<td bgcolor="#FBDD4A" width="663" height="24" align="center">
<font color="#FFFFFF" face="Arial, Helvetica, sans-serif" size="4"><b>Exploit
– Windows WMF handling vulnerability</b></font>
</td>
</tr>
</table>
<br clear="all">
<!--end of generate_sub_header output-->
<table border="0" cellspacing="0" cellpadding="0" width="100%">
<tr>
<td width="6"> </td>
<td width="159"> </td>
<td width="7"> </td>
<td width="1" rowspan="1013" background="../images/dotted_bar_vert.gif">
<img src="../images/1x1_spacer.gif" width="1" height="1" alt="">
</td>
<td width="14"> </td>
<td width="550"> </td>
<td width="7"> </td>
</tr>
<!--start of start_page_row output-->
<tr>
<td width="6"> </td>
<td valign="top" width="159" align="right">
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
</font>
</td>
<td width="7"> </td>
<td width="14"> </td>
<td valign="top" align="left" width="550">
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
<!--end of start_page_row output-->
<p>
<font color="green" size="2"><i>12/30/2005</i></font><br>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560" target="cve"><font color="red" size="2">CVE-2005-4560</font></a><br>
<a href="http://www.securityfocus.com/bid/16074" target="cve"><font color="orange" size="2">BID-16074</font></a><br>
<a href="http://www.osvdb.org/21987" target="cve"><font color="purple" size="2">OSVDB-21987</font></a><br>
<p>
<!--start of end_page_row output-->
</font>
</td>
<td width="7"> </td>
</tr>
<!--end of end_page_row output-->
<!--start of start_page_row output-->
<tr>
<td width="6"> </td>
<td valign="top" width="159" align="right">
<a name="background.gif">
<img src="../images/background.gif" alt="Background:" width="159">
</a>
<br>
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
</font>
</td>
<td width="7"> </td>
<td width="14"> </td>
<td valign="top" align="left" width="550">
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
<!--end of start_page_row output-->
A Windows Metafile (WMF) image is a 16-bit metafile format that can contain both vector information and bitmap information.
<!--start of end_page_row output-->
</font>
</td>
<td width="7"> </td>
</tr>
<!--end of end_page_row output-->
<!--start of start_page_row output-->
<tr>
<td width="6"> </td>
<td width="159"> </td>
<td width="7"> </td>
<td valign="middle" colspan="3"><img src="../images/dotted_horiz_557.gif" width="557" height="6" alt="----------------------------------------"></td>
</tr>
<tr>
<td width="6"> </td>
<td valign="top" width="159" align="right">
<a name="the_problem.gif">
<img src="../images/the_problem.gif" alt="Problem:" width="159">
</a>
<br>
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
</font>
</td>
<td width="7"> </td>
<td width="14"> </td>
<td valign="top" align="left" width="550">
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
<!--end of start_page_row output-->
A flaw in the way specially crafted WMF images are handled
can allow arbitrary command execution when the image is rendered.
<!--start of end_page_row output-->
</font>
</td>
<td width="7"> </td>
</tr>
<!--end of end_page_row output-->
<!--start of start_page_row output-->
<tr>
<td width="6"> </td>
<td width="159"> </td>
<td width="7"> </td>
<td valign="middle" colspan="3"><img src="../images/dotted_horiz_557.gif" width="557" height="6" alt="----------------------------------------"></td>
</tr>
<tr>
<td width="6"> </td>
<td valign="top" width="159" align="right">
<a name="resolution.gif">
<img src="../images/resolution.gif" alt="Resolution:" width="159">
</a>
<br>
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
</font>
</td>
<td width="7"> </td>
<td width="14"> </td>
<td valign="top" align="left" width="550">
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
<!--end of start_page_row output-->
Apply one of the workarounds referenced in
<a target="cve" href="http://www.microsoft.com/technet/security/advisory/912840.mspx">Microsoft Advisory 912840</a>.
<!--start of end_page_row output-->
</font>
</td>
<td width="7"> </td>
</tr>
<!--end of end_page_row output-->
<!--start of start_page_row output-->
<tr>
<td width="6"> </td>
<td width="159"> </td>
<td width="7"> </td>
<td valign="middle" colspan="3"><img src="../images/dotted_horiz_557.gif" width="557" height="6" alt="----------------------------------------"></td>
</tr>
<tr>
<td width="6"> </td>
<td valign="top" width="159" align="right">
<a name="more_information.gif">
<img src="../images/more_information.gif" alt="More Information:" width="159">
</a>
<br>
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
</font>
</td>
<td width="7"> </td>
<td width="14"> </td>
<td valign="top" align="left" width="550">
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
<!--end of start_page_row output-->
<a href="http://www.microsoft.com/technet/security/advisory/912840.mspx" target="cve">http://www.microsoft.com/technet/security/advisory/912840.mspx</a><br>
<!--start of end_page_row output-->
</font>
</td>
<td width="7"> </td>
</tr>
<!--end of end_page_row output-->
<!--start of start_page_row output-->
<tr>
<td width="6"> </td>
<td width="159"> </td>
<td width="7"> </td>
<td valign="middle" colspan="3"><img src="../images/dotted_horiz_557.gif" width="557" height="6" alt="----------------------------------------"></td>
</tr>
<tr>
<td width="6"> </td>
<td valign="top" width="159" align="right">
<a name="limitations.gif">
<img src="../images/limitations.gif" alt="Limitations:" width="159">
</a>
<br>
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
</font>
</td>
<td width="7"> </td>
<td width="14"> </td>
<td valign="top" align="left" width="550">
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
<!--end of start_page_row output-->
Exploit works on Internet Explorer 6.0.
<!--start of end_page_row output-->
</font>
</td>
<td width="7"> </td>
</tr>
<!--end of end_page_row output-->
<!--start of start_page_row output-->
<tr>
<td width="6"> </td>
<td width="159"> </td>
<td width="7"> </td>
<td valign="middle" colspan="3"><img src="../images/dotted_horiz_557.gif" width="557" height="6" alt="----------------------------------------"></td>
</tr>
<tr>
<td width="6"> </td>
<td valign="top" width="159" align="right">
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
</font>
</td>
<td width="7"> </td>
<td width="14"> </td>
<td valign="top" align="left" width="550">
<font face="Verdana, Arial, Helvetica, sans-serif" size="2">
<!--end of start_page_row output-->
<a href="exploit_run_form,,,,windows_wmf.html"><img src="../images/run_now_button.gif" alt="Run Now" border="0"></a>
<!--start of end_page_row output-->
</font>
</td>
<td width="7"> </td>
</tr>
<!--end of end_page_row output-->
</table>
<br>
</td>
</tr>
</table>
</body>
]]>