Security Basics mailing list archives

RE: Detecting new Windows .jpeg exploit


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 16 Sep 2004 17:16:31 -0400

The problem is slightly more complex than that.  MBSA certainly won't
tell the whole truth.  It will tell whether you have the patch applied,
but not whether the vulnerability is closed...because many people are
reporting multiple vulnerable copies of the GDI executable.  The patch
only updates the Windows system version, not every version existing on a
computer.  If an application is installed that looks for and uses an
older version, then you can still be vulnerable.

The scanning or scripting tool would have to do a scan of all files, and
find any vulnerable copies of the executable.  It can be done, not too
hard, and that is what he was looking for.

-----Original Message-----
From: H Carvey [mailto:keydet89 () yahoo com] 
Sent: Thursday, September 16, 2004 12:23 PM
To: security-basics () securityfocus com
Subject: Re: Detecting new Windows .jpeg exploit

In-Reply-To: <B926F412791ED611BD6400306E1C164702DB7061 () wpg112ex2 gov mb ca>

What I'd like to know is how we can scan a fairly large network for 
vulnerable machines.

[snip]

Is there any way known at this time to detect if a computer is 
vulnerable?

To be honest, I'm not sure what it is you're looking for...while your
subject line states that you want to detect the exploit, your post asks
about detecting the vulnerability.

Which is it?

If you want to detect the vulnerability, it's relatively trivial.  MBSA
comes to mind, as does WMI.  For WMI, use the Win32_QuickFixEngineering
class to enumerate all of the installed patches, and if the patch in
question does not appear in the list, then you can assume that it wasn't
installed.

Another option would be to obtain file version information from
gdiplus.dll on an unpatched machine, and then compare that to that from
a patched machine.  Then write a Perl script to connect to each system
as a domain admin and pull the file version information from that file.
Any system on which the file versioning information does not equal what
you found on the patched system should be considered vulnerable.

I hope that helps...

Harlan
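As an added example (not code from either poster), here is a PowerShell script that performs both checks discussed above: it queries WMI's Win32_QuickFixEngineering class for the patch, then walks every fixed drive for copies of gdiplus.dll and compares each copy's file version against the version taken from a patched reference machine. The KB identifier and the patched version string are placeholders that must be filled in from the bulletin and from a known-patched system.

```powershell
# Added example, not from the thread. Finds every gdiplus.dll on the machine
# and flags copies older than the version found on a patched reference box.
param(
    # Placeholder: copy this from the File Version of gdiplus.dll on a patched machine.
    [string]$PatchedVersion = "0.0.0.0",
    # Placeholder: the hotfix ID from the relevant security bulletin.
    [string]$HotfixId = "KB000000",
    # Roots to walk; defaults to every file system drive.
    [string[]]$Roots = (Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
)

$good = [version]$PatchedVersion

# Check 1 (Harlan's suggestion): is the patch listed among installed hotfixes?
$patchListed = [bool](Get-WmiObject -Class Win32_QuickFixEngineering |
    Where-Object { $_.HotFixID -eq $HotfixId })

# Check 2 (Roger's point): the patch only replaces the system copy, so every
# copy of the DLL on disk has to be inventoried and version-compared.
$copies = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Filter 'gdiplus.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from the numeric parts; the FileVersion string
            # often carries a build tag suffix that [version] cannot parse.
            $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                             $vi.FileBuildPart, $vi.FilePrivatePart)
            [pscustomobject]@{
                Path       = $_.FullName
                Version    = $ver
                Vulnerable = ($ver -lt $good)
            }
        }
}

$copies | Sort-Object Vulnerable -Descending | Format-Table -AutoSize

$vulnCount = @($copies | Where-Object { $_.Vulnerable }).Count
"Hotfix $HotfixId listed in WMI: $patchListed"
"gdiplus.dll copies found: $(@($copies).Count), older than $good : $vulnCount"
if (-not $patchListed -or $vulnCount -gt 0) { "RESULT: host should be treated as vulnerable" }
else { "RESULT: patch present and no stale copies found" }
```

Run it locally with administrative rights, or push it to each host with the remoting mechanism your environment already uses; a host counts as vulnerable if either the hotfix is missing or any stale copy of the DLL remains.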


---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class
sizes are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand
skills of a certified computer examiner, learn to recover trace data
left behind by fraud, theft, and cybercrime perpetrators. Discover the
source of computer crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------