redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas
Host:
/dev/null
Broadband Tweaks
Suddenlink
ISDN
Fiber Optic
| Windows MetaFiles still vulnerable
»redxii.blogspot.com/2005/12/vuln···ing.html
Basically Microsoft had released a patch in November fixing an execution flaw in Windows MetaFiles. Doing my dark side of the world wide web runs on a fully patched XP SP2 virtual machine, it became apparent that MetaFiles are still executing code even with the patch.
KAV didn't catch it. It caught the programs running after the fact, but still missed some stuff. |
|
dp
Go Steelers
Premium,MVM
join:2000-12-08
Greensburg, PA
 ·Verizon Online DSL
| Additional info:
»isc.sans.org/diary.php?storyid=972
»www.securityfocus.com/bid/16074/info
--
Write your questions down on the back of a $20 dollar bill and send them to me |
|
redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas
Host:
/dev/null
Broadband Tweaks
Suddenlink
ISDN
Fiber Optic
1 edit | Kinda funny. I found it out on my own then while I was typing it up other people are in the know at the same time. I did not go to unionseek or heard of it until other people were posting WMF file code execution
Except i'm wondering what the hell happened. They released a patch fixing metafile code execution, and two months later we have metafile code execution even with the said patch. Except this time it is actually in the wild.
"The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine."
Atleast in my testing, this does not appear to be the case. I think they are confusing the fact that most people run as admin, and once the code is executed it creates services that are run as SYSTEM. It for sure died in a restricted account. |
|
jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
 ·Comcast
·AT&T Southwest
1 edit | reply to redxii
Re: And this from F-Secure.....
»www.f-secure.com/weblog/#00000753
Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C.
Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:
Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz
(some of these blocks already exist in my MVPS Hosts file)
And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of Soviet Union:
Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU
"Krasnaya ploshad" is the Red Square in Moscow...
Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.
You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?
The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.
So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows. |
|
jp10558
Premium
join:2005-06-24
Willseyville, NY
| reply to redxii
Re: Windows MetaFiles still vulnerable
Ok, I missed this as the title and WMF searches missed vs what was used at the blog where I heard of it. I'll post what I asked in the new thread:
Question, I use Directory Opus to replace Explorer for the file manager... And DO uses it's own image viewer. Am I affected?
Also, it sounds like just setting some other image viewer as default for wmf images would protect you - but would another viewer automatically be safe as they would not have SYSTEM user prividledges, or do they all use the Windows dll that's vulnerable?
--
Opera 8.5(Build 7700); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Outpost Pro 3;Proxomitron 4.5j Grypen 12/2/05(Opera mod),GPG ID:0x0A1C6EE3 |
|
jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest
1 edit | I just sent Red a PM asking him to check that very thing using InfranView.
This is what was said by F-Secure here:
Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.
In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first. |
|
jp10558
Premium
join:2005-06-24
Willseyville, NY
| So, if I go to such a page, I'll get a prompt about viewing the picture, and if I say no, no problem... So there's no vulnerability just in seeing images on a web page, it has to launch Windows Picture and Fax viewer?
--
Opera 8.5(Build 7700); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Outpost Pro 3;Proxomitron 4.5j Grypen 12/2/05(Opera mod),GPG ID:0x0A1C6EE3 |
|
jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest
| From SANS today:
The orignal exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on »www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.
Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet ), the WMF exploit attempt will result in a warning and not run on its own.
While the original exploit only refered to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive - see the F-Secure Weblog mentioned above for details.
********************************
I know of some guys who downloaded the file "wmf_exp.wmf" to further investigate it. |
|
gracie
Geek Goddess
Premium
join:2003-07-15
confusion
| reply to redxii
and a bit more:
»www.theinquirer.net/?article=28590 : "...you can get blatted if you visit a site with an image file containing the exploit. IE users may automatically be infected. Firefox users can get infected if the image file is downloaded. There's more solid advice at F-Secure. We await a patch from Microsoft.
* UPDATE Ken Dunham, director at iDefense, said the zero day WMF exploitation threat affecting fully patched versions of XP and Windows 2003 Web Server is underway."
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide |
|
visormiser
Premium
join:2004-02-10
Alexandria, VA
| Washingtonpost.com's Security Fix blog includes a hack from iDefense that it says should help mitigate this threat by disabling the rendering of WMF files:
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears. |
|
redwolfe_98
join:2001-06-11 | reply to redxii
i don't know if it will help, but i added the "WMF" file extention to "scriptdefender's" list of protected "scripts".. |
|
redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas
Host:
/dev/null
Broadband Tweaks
Suddenlink
ISDN
Fiber Optic
1 edit | reply to jbob
I installed Irfanview. It executed in the Thumbnail viewer of Irfanview, and when trying to open it it executed before I could select it in the Open dialog (and thumbnails weren't enabled).
Again, it's clear to me it's not going to execute with SYSTEM otherwise the limited account would also have been owned.
explorer.exe 964 ntdll.dll, kernel32.dll, msvcrt.dll,
ADVAPI32.dll, RPCRT4.dll, GDI32.dll,
USER32.dll, SHLWAPI.dll, SHELL32.dll,
ole32.dll, OLEAUT32.dll, BROWSEUI.dll,
SHDOCVW.dll, CRYPT32.dll, MSASN1.dll,
CRYPTUI.dll, WINTRUST.dll, IMAGEHLP.dll,
NETAPI32.dll, WININET.dll, WLDAP32.dll,
VERSION.dll, UxTheme.dll, ShimEng.dll,
AcGenral.DLL, WINMM.dll, MSACM32.dll,
USERENV.dll, comctl32.dll, comctl32.dll,
appHelp.dll, CLBCATQ.DLL, COMRes.dll,
cscui.dll, CSCDLL.dll, themeui.dll,
Secur32.dll, MSIMG32.dll, xpsp2res.dll,
actxprxy.dll, LINKINFO.dll, ntshrui.dll,
ATL.DLL, WINSTA.dll, webcheck.dll,
WSOCK32.dll, WS2_32.dll, WS2HELP.dll,
stobject.dll, BatMeter.dll, POWRPROF.dll,
SETUPAPI.dll, WTSAPI32.dll, wdmaud.drv,
msacm32.drv, midimap.dll, NETSHELL.dll,
rtutils.dll, credui.dll, iphlpapi.dll,
urlmon.dll, rsaenh.dll, browselc.dll,
MPR.dll, MRxVPCNP.dll, vmsrvc.dll,
drprov.dll, davclnt.dll, DUSER.dll,
MSGINA.dll, ODBC32.dll, comdlg32.dll,
odbcint.dll, MLANG.dll, SAMLIB.dll,
shimgvw.dll, gdiplus.dll, rarext.dll,
shellex.dll, shdoclc.dll, NTMARTA.DLL
Still in SP2 fully updated and SP1 without any further patches it dies in a limited account. |
|
prana
join:2005-03-22
Australia
4 edits | The exe file it downloads... cj.exe
Take this with a grain of salt, this is from a 5 minute disassembly and not detailed. Will do that later when I have more time. Or leave it for the Anti-virus companies 
WMF exploit has not got a standard Magic Byte
01 00 09 00 00 03 52 1F 00 00 06 00 3D 00 00 00 �. ..�R�..�.=...
non standard magic byte of D7 CD C6 9A
The trojan file has two entry points, one for the DLL and one for the PE section. The PE entry point has the following characteristics.
Grabs local time.
Checks for Windows Internet Connectivity
Copies itself into multiple DLLs in System32, dvob.dll, oewrgm.dll, sh.dll, wqxk.dll.
Registers CLSID to run as a BHO
Opens FTP connection to download a file 66.36.231.141 with
username user21 ,
FTP username password user21:ma5gjdH5
Adds the registry name for the below classes
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Object
The following keys are added in the CLSID classes.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03c02f31-a63c-440a-ae37-ac9282f01af7}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67269857-3057-42f4-9233-f9c2abb59953}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cde6d49d-a863-4d07-aec3-7d83b5ab7ce5}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8bda45f3-735e-4df8-90e9-2c68ed2567b6}\InProcServer32
Appends subkeys to CLSID "Apartment" with a valuename of ThreadingModel to the DLLs Grabs filename of the exe file.
Creates mutex name "3094flcxvdf"
The FTP site!
C:\>ftp 66.36.231.141
Connected to 66.36.231.141.
220 sst
User (66.36.231.141:(none)): user21
331 Password required for user21.
Password:
230 User user logged in.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp> pwd
257 "/" is current directory.
ftp> ls -la
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp>
The following files are created in your system32 dir
dvob.dll
oewrgm.dll
wqxk.dll
sh.dllin the particular sample I tested... which are copies of the trojan downloaded with a different filename for the alternative entry point for the binary
edited: some updated info |
|
jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest
| According to Sunbelt Blog: »sunbeltblog.blogspot.com/2005/12···ild.html
it's up to over 50 variants and counting now. More sites are popping up too. Earlier I had seen some guys who downloaded a different file. |
|
jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest
| reply to redxii
Thanks, you're the heat! But you kinda lost me a bit.
I am not sure whether the trojan executed while using InfranView or not? You seem to say it did but it was unclear. I'm assuming that the exploitable dll file "shimgvw.dll" was not called by InfranView so the exploit didn't happen and only happens in the instance of using explorer and Picture and Fax viewer?
As you mentioned another good reason to only run as Admin when necessary! Now if I would learn! lol |
|
redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas
Host:
/dev/null
Broadband Tweaks
Suddenlink
ISDN
Fiber Optic
1 edit | reply to jbob
said by jbob  :it's up to over 50 variants and counting now. More sites are popping up too. The number of websites seem bloated. There are many websites, but many more call out to a "master" website. You may get it from site 1, 2, 3, 4, and 5 but all those others get the exploit code from say site 4.
--
Open Source -> Close Minded
Microsoft Windows 2000/XP Security: Some Assembly Required.
Excessive use of "$" as in "M$" may make you look like a fool. |
|
pcdebb
RIP dadkins
Premium
join:2000-12-03
Tampa, FL
clubs: 
| reply to redxii
good work guys. can i assume at this early stage there isnt a patch/fix for this? this might be one that I may have to fix on someone's computer soon
--
babbling | How's the weather? |
|
Shadye
Premium
join:2004-10-21
Fallbrook, CA
1 edit | Yeah, turn on DEP.
Spoke too soon. There's a workaround out.
REGSVR32 /U SHIMGVW.DLL
That will stop WMF from being automatically displayed in IE, but you can still open the file and get infected. |
|
gracie
Geek Goddess
Premium
join:2003-07-15
confusion
2 edits | reply to pcdebb
said by pcdebb :can i assume at this early stage there isnt a patch/fix for this? well, the unregistration hack described above (using "regsvr32 /u shimgvw.dll" ) seems to work for now...
LATE EDIT: wait. does this require a restart? we've done the unreg on all the xp machines, but can still open a .wmf file ok.
is only ms picture viewer vulnerable? we have wmf associated with psp... |
|
norwegian
Premium
join:2005-02-15
Outback | reply to redxii
thanks for the heads up, unregistered SHIMGVW.DLL for now |
|
