 Mele20 Premium join:2001-06-05 Hilo, HI
reply to caffeinator, Re: Windows MetaFiles still vulnerable
Why? If Print Screen needs to modify the registry because of this MS patch why would I want BD alerting every time I try to open Print Screen properties? I somewhat frequently have to open that to change the source of the captured area for a particular capture. I can't have BD alerting every time I need to do that. There is a checkbox in properties to have Print Screen open with Windows. Either BD had not alerted earlier because I had NOT opened the properties box since getting the full BD (which is likely the case as I don't recall needing to change the capture area from rectangle recently) or the patch has confused Print Screen. More likely the former. Either way, I don't see how my allowing this in BD permanently was a bad thing to do. If ProcessGuard had popped up about a registry change for Print Screen, I would have allowed that, seeing that opening properties in Print Screen causes this.
I'm not sure what you mean by all my "problems". I didn't get infected with the exploit on this system that was unpatched and I ran BD free for well over a year as my ONLY AV on this box, and the free version is an on-demand scanner only, and I never got a virus. I never get spyware and I run no real time anti-spyware monitor...so I don't know what you are referring to. ZOverlord's tests never tried to start notepad when I entered the folder, etc., so I am not convinced that the errors when I tried to delete his files were my "errors". Anyhow, all moot as Dell is finally expediting the new computer. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
 dantz
join:2005-05-09 Honolulu, HI
·Hawaiian Telcom
1 edit | I just downloaded and installed the official Microsoft patch, rebooted, turned my antivirus completely off, and tried out all of ZOverlord's test files, both online and offline. It appears that the patch is working fine, as Notepad never tried to open.
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
4 edits | reply to redxii There is a NEW version of the Exploit they went from 1.16 to 1.17. If you have the Microsoft Update patch, you are safe from this.
If people for some reason still wish to test after they install the official patch, or are on Windows98 my last post did not include the 1.17 test file link so here it is:
»testing.OnlyTheRightAnswers.com/···loit.zip
The official patch works just fine, but for those that would like to test anyway that's where the latest version test files of this exploit are located.
The On-Line links of the test files in my post also are version 1.17 now and are located here:
»Windows MetaFiles still vulnerable -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
1 edit | reply to redxii Just a Heads Up for the STILL unprotected from this exploit, a NEW release was just released it is NOW 1.17 not 1.16 as before.
I have tested it with the Microsoft Patch in place, and there is NO need to worry IF you have the latest update from Microsoft.
Those still unprotected may be at additional risk with this latest release. -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
reply to redxii Is there a consensus on the best non-M$ patch?
Since I have a 98SE box, they don't have a patch for it that I know of. Sooooo....
I tried the eset one...called a GDI patch..shoulda known..it ate a whole 1% off my starting resources. UGH. Slowed the box like mad.
ATM, I'm just relying on common sense and Avast!, but I'd like to know what patch might be the better solution for me without trying them all..bleh.
Good work ZO btw..:)
-CaFF -- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein
 mysec Premium join:2005-11-29 | My understanding is that if you don't have a 3rd party image viewer, the exploit won't run on Win9x/2000.
ZOverLord Premium join:2003-10-20 Minneapolis, MN | reply to caffeinator Thanks
ZOverLord Premium join:2003-10-20 Minneapolis, MN | reply to mysec From my understanding that's correct.
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
1 edit | reply to redxii Well, I have ACDSee set as default for most types. I use PicaView for previewing in a file list..but FAIK my AV catches it first anyways.
Besides all that, I don't have any of the vulnerable components on here at all.
So, I guess I'll just forget about it unless I find a 98SE compatible patch that doesn't suck.
Apparently GRC is gonna put out a 98/ME patch if nobody else does though.
Otherwise I'm patched-up far as M$ will let me..heh.
Thanks!
~FIN~
-CaFF -- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
2 edits | reply to redxii For those that have no patch available (Windows98) and want to check using the latest 1.17 version of this, I rebuilt the test files, the zip now contains the 1.17 version of this exploit which is NEW, also the on-line links have been updated and are using the NEW 1.17 version as well, links to all of those are here:
»Windows MetaFiles still vulnerable
For Historical testing, zip files for version 1.14 and 1.16 for doing tests locally on your hard drive can be found here:
»testing.OnlyTheRightAnswers.com/···t114.zip
»testing.OnlyTheRightAnswers.com/···t116.zip -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com
 mysec Premium join:2005-11-29
reply to caffeinator The following was tested on Win2K without any wmf patch.
There is no wmf file association, and the file displays a generic icon and prompts the Open With box if you attempt to open it:
[screenshot]
If I associate wmf with Photoshop it takes the Photoshop icon:
[screenshot]
But Photoshop won't open it:
[screenshot]
However, if I associate wmf with the current version of Irfanview and open the test file that starts calc.exe, it executes:
[screenshot]
If I go to a web site that has that file, unlike in XP where it auto-runs, a download is prompted. This was done with IE in the Low Security setting to see if it would auto-run via iframe. (I coded the iframe to display):
<iframe src="test.wmf"></iframe>
[screenshot]
Conclusion: on Win2K unpatched, an image viewer that recognizes .wmf could execute an infected wmf file if it were downloaded/installed. My assumption is that the same could occur on Win9x.
The above file is still on my site if anyone wants to test.
ZOverLord Premium join:2003-10-20 Minneapolis, MN | Could you please try my notepad.jpg test file in photoshop, just curious.
mysec Premium join:2005-11-29 1 edit
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
2 edits | reply to redxii OK, Avast! gave me a new VPS this morning, so I decided to test again with your new files.
Using Avast! VPS 0601-3
»testing.OnlyTheRightAnswers.com/notepad.bmp Avast! caught it
»testing.OnlyTheRightAnswers.com/notepad.emf Avast! caught it..but Opera had a dialog first.
»testing.OnlyTheRightAnswers.com/notepad.gif Avast! caught it
»testing.OnlyTheRightAnswers.com/notepad.ico Avast! caught it
»testing.OnlyTheRightAnswers.com/notepad.jpeg Avast! caught it
»testing.OnlyTheRightAnswers.com/notepad.jpg Avast! caught it
»testing.OnlyTheRightAnswers.com/notepad.png Avast! caught it
»testing.OnlyTheRightAnswers.com/notepad.tiff Avast! caught it..Opera had a Dialog first.
»testing.OnlyTheRightAnswers.com/notepad.wmf Avast! caught it
Offline Test ------------
wmfexploit116.zip (couldn't find a 117) Avast! caught 'em
HOWEVER...the new sys32.zip...it got through completely! I even scanned the zip, and the files after extracting..Avast! didn't say Boo. :-(
Ah Man.
I tried one of the files..all associated with ACDSee...it opened to a blank white file...but since I don't have the shimgvw.dll it didn't open notepad. I checked in ProcessExplorer, ACDSee did try it tho, it had all the GDI32 stuff going because IT was viewing it.
SO...unpatched 98SE with latest Avast! VPS is vulnerable to 117. Other AV's IDK.
My conclusion for an unpatched 98SE box is:
1. Uninstall Windows Imaging and/or regsvr32 -u shimgvw.dll
Damn. I woulda been 0wN3D if this was real and I had those components to exploit.
-CaFF -- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein
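Both mysec's Win2K results above and caffeinator's finding that the renamed sys32 files slipped past Avast! come down to the same thing: a viewer decides what a file is by its content, not its extension. As an added example (not code from this thread or from ZOverLord's test files), the Python below identifies WMF data by its header regardless of file name and flags the Escape record selecting SETABORTPROC, the record this exploit family abused; the sample files are constructed and the flagged one carries only inert zero bytes.

```python
import struct
# Record type / Escape sub-function at the heart of the 2005/2006 WMF bug:
# a META_ESCAPE record selecting SETABORTPROC hands GDI a callback from file data.
META_EOF, META_ESCAPE, SETABORTPROC = 0x0000, 0x0626, 0x0009
PLACEABLE_MAGIC = 0x9AC6CDD7          # key of the optional 22-byte Aldus header

def wmf_escape_records(data):
    """[(offset, escape_code), ...] for each META_ESCAPE record; None if not a WMF."""
    pos = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC else 0
    if len(data) < pos + 18:
        return None
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, pos)
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None                   # no METAHEADER: leave it to the real format's parser
    pos, found = pos + 18, []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if func == META_EOF:
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            found.append((pos, struct.unpack_from("<H", data, pos + 6)[0]))
        if size_words < 3:            # record too small to hold its own header: stop
            break
        pos += size_words * 2
    return found

def is_suspicious_wmf(data):
    recs = wmf_escape_records(data)
    return recs is not None and any(code == SETABORTPROC for _, code in recs)

def scan_files(files):
    """files: {name: bytes}; verdict is by content, the extension is ignored."""
    return sorted(name for name, data in files.items() if is_suspicious_wmf(data))

# Constructed samples (not the thread's test files): a benign WMF with one
# META_SETBKCOLOR record, and one whose Escape record selects SETABORTPROC.
def _record(func, payload=b""):
    body = struct.pack("<H", func) + payload
    body += b"\0" * (len(body) % 2)   # records are word-aligned
    return struct.pack("<I", (4 + len(body)) // 2) + body

def _wmf(records):
    body = b"".join(records) + _record(META_EOF)
    maxrec = max(len(r) for r in records) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, maxrec, 0) + body

BENIGN = _wmf([_record(0x0201, struct.pack("<I", 0x00FF0000))])
SUSPECT = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)])
SAMPLES = {"photo.jpg": b"\xff\xd8\xff\xe0", "logo.wmf": BENIGN, "notepad.jpg": SUSPECT}
```

Run on SAMPLES, `scan_files` flags only notepad.jpg, which is how a content-based scanner catches the renamed test files that an extension-based rule misses.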
 Mele20 Premium join:2001-06-05 Hilo, HI
reply to redxii I can't test to see if the patch worked. Bit Defender eats the zip file and has a process guard (now I have the regular version), so I have two process guards now popping up about anything that would access/change the registry. BD sees ALL nine files and deletes each one. That is impressive. I'll have to test my 98SE box. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
1 edit | reply to redxii
VirusTotal Scan | Jotti Scan
Dang..just tried the new sys32.zip at Jotti and VirusTotal, not good. Some of the big AV's failed.
If yer unpatched, yer in trouble..
-CaFF
PapaDos Cum Grano Salis Premium,MVM join:2001-02-08 Lasalle, QC | reply to redxii On 98SE, nothing seems to run, even when IrfanView (3.98) is associated with WMF and EMF filetypes. -- Festina Lente
 Mele20 Premium join:2001-06-05 Hilo, HI
1 edit | reply to redxii Bit Defender free on my 98SE box also eats all of these if I download and scan the zip file, but it has no real time monitor, so I was not happy to confirm that if one has ANY software for images other than MSPaint it appears one is screwed. The saddest thing about this is that Microsoft's OWN APPLICATION SCREWS ME! I really didn't think MS would have the balls to give the finger to all 98SE users and claim that this is NOT a critical patch for 98SE. It most definitely is as far as I can see. I am not positive though because of the strange image that opens in MS Picture It. Does just having one of the tests open MS Picture It! to the odd image I've included mean this box is vulnerable? (I sure hope not).
Results are:
bmp: MSPaint with message "not a valid format"
sys32emf: opens in MS Picture It! to a weird image
sys32gif: red x in IE
ico: Open With? I choose MSPaint and get the message "Not a valid bit map file"
sys32jpeg: red x in IE
sys32jpg: red x in IE
png: red X in IE
tiff: opens Kodak Imaging Preview with a message that the document format is invalid or unsupported
wmf: opens MS Picture It! with a weird image
EDIT: I guess I can associate emf and wmf with Script Sentry as I did in XP before the patch. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
 mysec Premium join:2005-11-29
reply to ZOverLord
said by ZOverLord: Could you please try my notepad.jpg test file in photoshop, just curious.
Also curious why the difference in error messages when opening your notepad.jpg in Irfanview - clicking OK just closes everything:
[screenshot]
And the test.jpg file that starts calc.exe - when opened in Irfanview and clicking either YES or NO runs the file:
[screenshot]
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
3 edits | Not sure. Try the sys32 file located at:
»testing.OnlyTheRightAnswers.com/sys32.zip It goes after the Notepad.exe in the system32 directory.
Yeah, calc is located in the system32 directory, so it's possible there is no notepad.exe in your Windows directory, so maybe my sys32.zip files will launch notepad from your system32 directory.
Most systems have notepad in BOTH the Windows directory and the Windows\system32 directory.
Plus my test files are built with the latest exploit version 1.17, which is FILLED with randomness, so your other example might have more fixed headers than mine, but it also may be built with an older version as well.
In other words, some graphic viewers may be more sensitive than others if the headers vary from normal, others might not. -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com