
redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas

Windows MetaFiles still vulnerable

»redxii.blogspot.com/2005/12/vuln···ing.html

Basically Microsoft had released a patch in November fixing an execution flaw in Windows MetaFiles. Doing my dark-side-of-the-world-wide-web runs on a fully patched XP SP2 virtual machine, it became apparent that MetaFiles are still executing code even with the patch.

KAV didn't catch it. It caught the programs running after the fact, but still missed some stuff.

dp
Go Steelers
Premium,MVM
join:2000-12-08
Greensburg, PA
·Verizon Online DSL

Re: Windows MetaFiles still vulnerable

Additional info:

»isc.sans.org/diary.php?storyid=972
»www.securityfocus.com/bid/16074/info
--
Write your questions down on the back of a $20 dollar bill and send them to me

redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas

Re: Windows MetaFiles still vulnerable

Kinda funny. I found it out on my own, then while I was typing it up other people were in the know at the same time. I did not go to unionseek or hear of it until other people were posting about WMF file code execution.

Except I'm wondering what the hell happened. They released a patch fixing metafile code execution, and two months later we have metafile code execution even with said patch. Except this time it is actually in the wild.

"The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine."

At least in my testing, this does not appear to be the case. I think they are confusing the fact that most people run as admin, and once the code is executed it creates services that are run as SYSTEM. It for sure died in a restricted account.

beerbum
Premium
join:2000-05-06
Reading, PA

NAV users there is a new def file out that should catch it... just came down on my live update... »securityresponse.symantec.com/av···.56.html

rds24a
Teach Your Children
Premium
join:2000-12-13
Springboro, OH
·RoadRunner Cable



Re: Windows MetaFiles still vulnerable

said by beerbum See Profile :

NAV users there is a new def file out that should catch it... just came down on my live update... »securityresponse.symantec.com/av···.56.html
I would be interested in seeing if someone with a spare machine can check whether NAV actually catches and cleans this. I ran a manual LiveUpdate even though I already had 12/28 defs and found almost a dozen updates that auto LU hadn't applied. My confidence is low.
--
All hail JoePa

catseyenu
Ack Pfft
Premium
join:2001-11-17
Fix East



Re: Windows MetaFiles still vulnerable

NAV picks it up as of today's update.
Calls it Bloodhound.Exploit.56
»securityresponse.symantec.com/av···.56.html
Edit: Yes, I've run it on MS VM and NAV picked it up.

antdude
A Ninja Ant
Premium,VIP
join:2001-03-25

said by rds24a See Profile :

said by beerbum See Profile :

NAV users there is a new def file out that should catch it... just came down on my live update... »securityresponse.symantec.com/av···.56.html
I would be interested in seeing if someone with a spare machine can check whether NAV actually catches and cleans this. I ran a manual LiveUpdate even though I already had 12/28 defs and found almost a dozen updates that auto LU hadn't applied. My confidence is low.
Or do it in VMware.
--
Ant @ The Ant Farm: »antfarm.ma.cx ... Please do not IM/e-mail me for technical support. Use the forum (I check almost daily)! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.

jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest



Re: And this from F-Secure.....

»www.f-secure.com/weblog/#00000753

Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C.

Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:

Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz

(some of these blocks already exist in my MVPS Hosts file)

And funnily enough, according to WHOIS, the domain beehappyy.biz is owned by a previous president of the Soviet Union:

Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU

"Krasnaya ploshad" is the Red Square in Moscow...

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows.
jp10558
Premium
join:2005-06-24
Willseyville, NY

Re: Windows MetaFiles still vulnerable

Ok, I missed this as the title and WMF searches missed vs what was used at the blog where I heard of it. I'll post what I asked in the new thread:

Question: I use Directory Opus to replace Explorer as the file manager, and DO uses its own image viewer. Am I affected?

Also, it sounds like just setting some other image viewer as the default for WMF images would protect you, but would another viewer automatically be safe because it would not have SYSTEM user privileges, or do they all use the Windows DLL that's vulnerable?
--
Opera 8.5(Build 7700); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Outpost Pro 3;Proxomitron 4.5j Grypen 12/2/05(Opera mod),GPG ID:0x0A1C6EE3

jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest



Re: Windows MetaFiles still vulnerable

I just sent Red a PM asking him to check that very thing using IrfanView.

This is what was said by F-Secure here:

Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.

In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.
jp10558
Premium
join:2005-06-24
Willseyville, NY

Re: Windows MetaFiles still vulnerable

So, if I go to such a page, I'll get a prompt about viewing the picture, and if I say no, no problem... So there's no vulnerability just in seeing images on a web page, it has to launch Windows Picture and Fax viewer?
--
Opera 8.5(Build 7700); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Outpost Pro 3;Proxomitron 4.5j Grypen 12/2/05(Opera mod),GPG ID:0x0A1C6EE3

jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest

Re: Windows MetaFiles still vulnerable

From SANS today:

The original exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on »www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.

Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet ), the WMF exploit attempt will result in a warning and not run on its own.

While the original exploit only referred to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive - see the F-Secure Weblog mentioned above for details.
********************************
I know of some guys who downloaded the file "wmf_exp.wmf" to further investigate it.

redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas

I installed Irfanview. It executed in the Thumbnail viewer of Irfanview, and when trying to open it it executed before I could select it in the Open dialog (and thumbnails weren't enabled).

Again, it's clear to me it's not going to execute with SYSTEM otherwise the limited account would also have been owned.

explorer.exe                 964 ntdll.dll, kernel32.dll, msvcrt.dll,
ADVAPI32.dll, RPCRT4.dll, GDI32.dll,
USER32.dll, SHLWAPI.dll, SHELL32.dll,
ole32.dll, OLEAUT32.dll, BROWSEUI.dll,
SHDOCVW.dll, CRYPT32.dll, MSASN1.dll,
CRYPTUI.dll, WINTRUST.dll, IMAGEHLP.dll,
NETAPI32.dll, WININET.dll, WLDAP32.dll,
VERSION.dll, UxTheme.dll, ShimEng.dll,
AcGenral.DLL, WINMM.dll, MSACM32.dll,
USERENV.dll, comctl32.dll, comctl32.dll,
appHelp.dll, CLBCATQ.DLL, COMRes.dll,
cscui.dll, CSCDLL.dll, themeui.dll,
Secur32.dll, MSIMG32.dll, xpsp2res.dll,
actxprxy.dll, LINKINFO.dll, ntshrui.dll,
ATL.DLL, WINSTA.dll, webcheck.dll,
WSOCK32.dll, WS2_32.dll, WS2HELP.dll,
stobject.dll, BatMeter.dll, POWRPROF.dll,
SETUPAPI.dll, WTSAPI32.dll, wdmaud.drv,
msacm32.drv, midimap.dll, NETSHELL.dll,
rtutils.dll, credui.dll, iphlpapi.dll,
urlmon.dll, rsaenh.dll, browselc.dll,
MPR.dll, MRxVPCNP.dll, vmsrvc.dll,
drprov.dll, davclnt.dll, DUSER.dll,
MSGINA.dll, ODBC32.dll, comdlg32.dll,
odbcint.dll, MLANG.dll, SAMLIB.dll,
shimgvw.dll, gdiplus.dll, rarext.dll,
shellex.dll, shdoclc.dll, NTMARTA.DLL
shimgvw.dll doesn't show up in any other place than explorer.exe while viewing thumbnails and pictures in Picture and Fax viewer. Explorer.exe is the same privileges as the user. GDI32.dll shows up in other places.

Still in SP2 fully updated and SP1 without any further patches it dies in a limited account.
prana

join:2005-03-22
Australia



Re: Windows MetaFiles still vulnerable

The exe file it downloads... cj.exe
Take this with a grain of salt, this is from a 5 minute disassembly and not detailed. Will do that later when I have more time. Or leave it for the Anti-virus companies

WMF exploit has not got a standard Magic Byte

01 00 09 00 00 03 52 1F 00 00 06 00 3D 00 00 00 . ..R...=...
non standard magic byte of D7 CD C6 9A

The trojan file has two entry points, one for the DLL and one for the PE section. The PE entry point has the following characteristics.
Grabs local time.
Checks for Windows Internet Connectivity
Copies itself into multiple DLLs in System32, dvob.dll, oewrgm.dll, sh.dll, wqxk.dll.
Registers CLSID to run as a BHO
Opens an FTP connection to 66.36.231.141 to download a file, with username user21 (FTP username:password user21:ma5gjdH5)
Adds the registry name for the below classes
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Object

The following keys are added in the CLSID classes.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03c02f31-a63c-440a-ae37-ac9282f01af7}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67269857-3057-42f4-9233-f9c2abb59953}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cde6d49d-a863-4d07-aec3-7d83b5ab7ce5}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8bda45f3-735e-4df8-90e9-2c68ed2567b6}\InProcServer32

Appends subkeys to CLSID "Apartment" with a valuename of ThreadingModel to the DLLs
Grabs filename of the exe file.
Creates mutex name "3094flcxvdf"

The FTP site!
C:\>ftp 66.36.231.141
Connected to 66.36.231.141.
220 sst
User (66.36.231.141:(none)): user21
331 Password required for user21.
Password:
230 User user logged in.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp> pwd
257 "/" is current directory.
ftp> ls -la
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp>

The following files are created in your system32 dir

dvob.dll
oewrgm.dll
wqxk.dll
sh.dll

(in the particular sample I tested) ... which are copies of the trojan downloaded with a different filename, for the alternative entry point of the binary

edited: some updated info
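
Added example for this thread (not code posted by prana or by anyone else here): a Python walker for the WMF structure the post above describes, written from the defender's side for looking at files already sitting in quarantine. It reads the 18-byte standard header whose leading bytes appear in the hex dump above (01 00 = disk metafile, 09 00 = header size in words, 00 03 = version 0x0300, 52 1F 00 00 = file size in words, 06 00 = object count, 3D 00 00 00 = largest record in words), also accepts the 22-byte "placeable" header that starts with the key bytes D7 CD C6 9A (a documented WMF header variant, which the parser verifies by its XOR checksum), then walks the record list and flags what an analyst would want to see: META_ESCAPE (0x0626) records carrying the SETABORTPROC (0x0009) escape, which is the record the December 2005 WMF flaw was triggered through, records that overrun the file or exceed the header's MaxRecord claim, and a missing EOF record. The flag rules are my own heuristics; the field layout follows the WMF format. The three sample files at the bottom are constructed for this example and contain no payload; nothing is taken from the malicious sample discussed in the thread.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # placeable (Aldus) header key; on disk: D7 CD C6 9A
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETWINDOWEXT = 0x020C   # an ordinary record type, used only in a sample below
SETABORTPROC = 0x0009        # escape sub-function abused by the Dec-2005 WMF flaw


def _xor_words(buf):
    """XOR of the little-endian 16-bit words in buf (placeable header checksum)."""
    result = 0
    for (word,) in struct.iter_unpack("<H", buf):
        result ^= word
    return result


def parse_header(data):
    """Parse the optional 22-byte placeable header and the 18-byte META_HEADER.
    Returns (header dict, offset of the first record)."""
    offset, placeable, checksum_ok = 0, False, True
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, offset = True, 22
        checksum_ok = struct.unpack_from("<H", data, 20)[0] == _xor_words(data[:20])
    if len(data) < offset + 18:
        raise ValueError("truncated WMF header")
    # Type, HeaderSize (words), Version, SizeLow, SizeHigh, NumberOfObjects,
    # MaxRecord (words), NumberOfMembers -- the 01 00 09 00 00 03 ... bytes above.
    (ftype, hdr_words, version, size_lo, size_hi,
     objects, max_record, _members) = struct.unpack_from("<HHHHHHIH", data, offset)
    if hdr_words != 9:
        raise ValueError("unexpected HeaderSize %d words" % hdr_words)
    return {"placeable": placeable, "checksum_ok": checksum_ok, "type": ftype,
            "version": version, "size_words": size_lo | (size_hi << 16),
            "objects": objects, "max_record_words": max_record}, offset + 18


def scan_wmf(data):
    """Walk the record list. Returns (header, [(offset, function, [flags]), ...])."""
    header, pos = parse_header(data)
    findings = []
    if not header["checksum_ok"]:
        findings.append((0, None, ["placeable header checksum mismatch"]))
    saw_eof = False
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)  # RecordSize, RecordFunction
        size_bytes = size_words * 2
        flags = []
        if size_words < 3:
            flags.append("RecordSize below the 3-word minimum")
        if pos + size_bytes > len(data):
            flags.append("record runs past end of file")
        if size_words > header["max_record_words"]:
            flags.append("record larger than the header's MaxRecord")
        if func == META_ESCAPE and pos + 10 <= len(data):
            escape_func, byte_count = struct.unpack_from("<HH", data, pos + 6)
            if escape_func == SETABORTPROC:
                flags.append("ESCAPE/SETABORTPROC carrying %d bytes" % byte_count)
        findings.append((pos, func, flags))
        if func == META_EOF:
            saw_eof = True
            break
        if size_words < 3 or pos + size_bytes > len(data):
            break                      # the size field cannot be trusted to advance
        pos += size_bytes
    if not saw_eof:
        findings.append((pos, None, ["no META_EOF record before end of data"]))
    return header, findings


def is_suspicious(data):
    """True when the file layout or any record produced a flag."""
    return any(flags for _, _, flags in scan_wmf(data)[1])


def build_wmf(records, placeable=False):
    """Assemble a constructed test file from (function, parameter bytes) pairs."""
    body, max_words = b"", 0
    for func, params in records:
        words = (6 + len(params)) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    total = (18 + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, total & 0xFFFF, total >> 16, 0, max_words, 0)
    prefix = b""
    if placeable:   # key, HWmf, bounding box (l, t, r, b), inch, reserved, then checksum
        head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        prefix = head + struct.pack("<H", _xor_words(head))
    return prefix + header + body


# Constructed samples: header plus EOF only; a placeable file with an empty
# SETABORTPROC escape record; and a file whose single record overruns the data.
BENIGN = build_wmf([(META_EOF, b"")])
FLAGGED = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),
                     (META_EOF, b"")], placeable=True)
OVERRUN = BENIGN[:18] + struct.pack("<IH", 1000, META_SETWINDOWEXT) + b"\0" * 4

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("flagged", FLAGGED), ("overrun", OVERRUN)):
        header, findings = scan_wmf(sample)
        print(name, "placeable=%s suspicious=%s" % (header["placeable"], is_suspicious(sample)),
              [(off, func, fl) for off, func, fl in findings if fl])
```

Running the file prints the flags for each constructed sample. Feeding parse_header the 16 header bytes from the post (padded with the two-byte NumberOfMembers field that follows them) reads a disk metafile of version 0x0300, 0x1F52 words long, with 6 objects and a largest record of 0x3D words, which is exactly what the hex dump encodes.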

jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest

Re: Windows MetaFiles still vulnerable

According to Sunbelt Blog: »sunbeltblog.blogspot.com/2005/12···ild.html

it's up to over 50 variants and counting now. More sites are popping up too. Earlier I had seen some guys who downloaded a different file.

redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas


Re: Windows MetaFiles still vulnerable

said by jbob See Profile :

it's up to over 50 variants and counting now. More sites are popping up too.
The number of websites seems bloated. There are many websites, but many more call out to a "master" website. You may get it from site 1, 2, 3, 4, and 5, but all those others get the exploit code from, say, site 4.
--
Open Source -> Close Minded

Microsoft Windows 2000/XP Security: Some Assembly Required.

Excessive use of "$" as in "M$" may make you look like a fool.

jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest

Thanks, you're the heat! But you kinda lost me a bit.
I am not sure whether the trojan executed while using IrfanView or not. You seem to say it did, but it was unclear. I'm assuming that the exploitable DLL file "shimgvw.dll" was not called by IrfanView, so the exploit didn't happen and only happens in the instance of using Explorer and Picture and Fax Viewer?

As you mentioned another good reason to only run as Admin when necessary! Now if I would learn! lol

gracie
Geek Goddess
Premium
join:2003-07-15
confusion

and a bit more:

»www.theinquirer.net/?article=28590 : "...you can get blatted if you visit a site with an image file containing the exploit. IE users may automatically be infected. Firefox users can get infected if the image file is downloaded. There's more solid advice at F-Secure. We await a patch from Microsoft.

* UPDATE Ken Dunham, director at iDefense, said the zero day WMF exploitation threat affecting fully patched versions of XP and Windows 2003 Web Server is underway."
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide
visormiser
Premium
join:2004-02-10
Alexandria, VA

Re: Windows MetaFiles still vulnerable

Washingtonpost.com's Security Fix blog includes a hack from iDefense that it says should help mitigate this threat by disabling the rendering of WMF files:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.
redwolfe_98

join:2001-06-11
i don't know if it will help, but i added the "WMF" file extension to "scriptdefender's" list of protected "scripts"..

pcdebb
RIP dadkins
Premium
join:2000-12-03
Tampa, FL

good work guys. can i assume at this early stage there isn't a patch/fix for this? this might be one that I may have to fix on someone's computer soon
--
babbling | How's the weather?
Shadye
Premium
join:2004-10-21
Fallbrook, CA


Re: Windows MetaFiles still vulnerable

Yeah, turn on DEP.
Spoke too soon. There's a workaround out.
REGSVR32 /U SHIMGVW.DLL
That will stop WMF from being automatically displayed in IE, but you can still open the file and get infected.

gracie
Geek Goddess
Premium
join:2003-07-15
confusion


said by pcdebb See Profile :

can i assume at this early stage there isnt a patch/fix for this?
well, the unregistration hack described above (using "regsvr32 /u shimgvw.dll" ) seems to work for now...

LATE EDIT: wait. does this require a restart? we've done the unreg on all the xp machines, but can still open a .wmf file ok.

is only ms picture viewer vulnerable? we have wmf associated with psp...
noway1

join:2004-11-29

Re: Windows MetaFiles still vulnerable

said by gracie See Profile :

...LATE EDIT: wait. does this require a restart? we've done the unreg on all the xp machines, but can still open a .wmf file ok.
I needed to restart for the fix to work.

CyberSchnook1
Disciple of Christ Jesus
Premium
join:2005-08-26
USA

Re: Windows MetaFiles still vulnerable

said by noway1 See Profile :

said by gracie See Profile :

...LATE EDIT: wait. does this require a restart? we've done the unreg on all the xp machines, but can still open a .wmf file ok.
I needed to restart for the fix to work.
I didn't, with XP Home SP2. Go figure.
--
O
 o
  p!
   I fell off the edge of the island again!
Mele20
Premium
join:2001-06-05
Hilo, HI

Re: Windows MetaFiles still vulnerable

said by CyberSchnook1 See Profile :

said by noway1 See Profile :

said by gracie See Profile :

...LATE EDIT: wait. does this require a restart? we've done the unreg on all the xp machines, but can still open a .wmf file ok.
I needed to restart for the fix to work.
I didn't, with XP Home SP2. Go figure.
Ilfak and Steve Gibson say that it is UNnecessary to unregister the dll and recommend that you do not do so. Microsoft, on the other hand, says you should if you don't have Windows One Care. Naturally, MS would recommend unregistering the dll because they do not recognize or approve of anyone using the unofficial patch.

»castlecops.com/t143199-Is_it_sti···dll.html
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

gracie
Geek Goddess
Premium
join:2003-07-15
confusion

WARNING about using the regsvr hack: it totally disables ms picture viewer, not just for .wmf files. i now can't use "preview" in the right click menu for ANY files---jpg, gif, etc. double clicking them still opens them in psp, as that is the association, but you can't "preview" using picture and fax viewer anymore.

this may be obvious to most; i didn't realize the hack was to disable picture viewer altogether, somehow i thought it was just to disable picture viewer rendering .wmf files. boo.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide
jp10558
Premium
join:2005-06-24
Willseyville, NY

Re: Windows MetaFiles still vulnerable

Interesting question - won't most security software catch this anyway? Say your firewall asking if foo.exe can open an FTP connection to someplace you've never been?

If that fails, I'm betting that teatimer and processguard will catch the registry and executions respectively.
--
Opera 8.5(Build 7700); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Outpost Pro 3;Proxomitron 4.5j Grypen 12/2/05(Opera mod),GPG ID:0x0A1C6EE3

Nerdtalker
Working Hard, Or Hardly Working?
Premium,MVM
join:2003-02-18
Tucson, AZ

Re: Windows MetaFiles still vulnerable

said by jp10558 See Profile :

Interesting question - won't most security software catch this anyway? Say your firewall asking if foo.exe can open an FTP connection to someplace you've never been?
I'd assume that all firewalls that provide outbound protection would prompt the user, unless they've already created a rule allowing all FTP traffic from the windows FTP client program.

What you're assuming here is that people do have a good firewall. Nine tenths of them don't.
--
"Some people never see the light till it shines thru bullet holes." -Bruce Cockburn

I'm testing Gmail's spam filters: Broadbandreports1@gmail.com
Spam: 12900+ messages currently using 406 MB.

jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest

That would seem likely but who knows. I have read that BOClean already had this trojan covered over a month ago. If it all starts with a simple trojan being downloaded then that would seem simple enough to take care of but I'm not so sure that is all that is happening. Does the exploit cause the trojan download to be attempted using ftp or is the exploit code opening up another hole?

I am reading this from a user on GRC: The question was asked, "Now all we need to find out if the action of right clicking it can infect the system?"

"Said by Not John Lennon"
It appears it can. On my test system so far, all I can get it to do is crash & restart the shell. (Explorer.exe) It doesn't seem to actually infect the system & it's doing it (restarting explorer) just by pointing at the file. No chance to right click, left click, swear at it or anything else. Explorer immediately crashes & restarts. Weird. On another system, it infected it when the file was right clicked. Both systems XP Pro.

I didn't quite understand Red's response to my suggestion about trying it with IrfanView as the default viewer for WMF files.

redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas


Re: Windows MetaFiles still vulnerable

said by jbob See Profile :

I didn't quite understand Red's response to my suggestion about trying it with IrfanView as the default viewer for WMF files.
Ok in short unless one unregisters shimgvw.dll (doing so, I didn't require a restart) it is going to execute code. I told Irfanview to register WMF and EMF and they were still able to execute code even outside of Irfanview.

Again, it only runs with the same privileges as the user.
--
Open Source -> Close Minded

Microsoft Windows 2000/XP Security: Some Assembly Required.

Excessive use of "$" as in "M$" may make you look like a fool.
Libra
Premium
join:2003-08-06
USA

Re: Windows MetaFiles still vulnerable

said by redxii See Profile :

Again, it only runs with the same privileges as the user.
REDxII1234,
If you don't unregister shimgvw.dll, but are running in a limited user account, will you be okay?

Also, should I unregister shimgvw.dll in Windows 98se?

Thank you.

Sincerely, Libra

redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas


Re: Windows MetaFiles still vulnerable

said by Libra See Profile :

REDxII1234,
If you don't unregister shimgvw.dll, but are running in a limited user account, will you be okay?

Also, should I unregister shimgvw.dll in Windows 98se?

Thank you.

Sincerely, Libra
You should be fine, but Explorer will keep crashing and you wouldn't want to risk accidentally running it in the admin account. Unregister it anyway until it is fixed.

The reason I mentioned that is because Security Focus claims that it will run with SYSTEM privileges, regardless of the logged on user's privileges. However, I am unable to find such behavior. It always runs with the user's privs.

Can't comment on 98SE. I don't have a virtual machine for that even though I have the install CD.

Windows 2000 SP4 didn't seem to have any WMF/EMF associations or the picture viewer that XP/2003 has.. so it is safe from automagic execution in explorer or on the web.
Libra
Premium
join:2003-08-06
USA

Re: Windows MetaFiles still vulnerable

REDXII1234,
Thank you very much. I unregistered shimgvw.dll in the XP computer.
I checked file types in 98se and I didn't see any WMF or EMF types. I also searched for the shimgvw.dll and nothing came up.
I imagine when MS makes a fix we should first register the file and then get the update - does it matter?
I appreciate your help.
Sincerely, Libra
prana

join:2005-03-22
Australia
Right click infected my sandbox.

I have posted all samples and related DLLs to an AV vendor for signatures.

hpguru
Curb Your Dogma
Premium
join:2002-04-12

said by gracie See Profile :

WARNING about using the regsvr hack: it totally disables ms picture viewer, not just for .wmf files. i now can't use "preview" in the right click menu for ANY files---jpg, gif, etc. double clicking them still opens them in psp, as that is the association, but you can't "preview" using picture and fax viewer anymore.

this may be obvious to most; i didn't realize the hack was to disable picture viewer altogether, somehow i thought it was just to disable picture viewer rendering .wmf files. boo.
I haven't applied the hack myself, but just skimming through related registry classes it appears there is a lot of functionality which would be broken.

I am wondering if we could narrow it down to a particular CLSID code we could set the kill on instead?
--
Get hpHOSTS! Member ASAP
George Bush is lying to you.

gracie
Geek Goddess
Premium
join:2003-07-15
confusion

Re: Windows MetaFiles still vulnerable

said by hpguru See Profile :

skimming through related registry classes it appears there is a lot of functionality which would be broken.
indeed...i just had a problem with my ocr program saving a file it scanned in notepad. was able to copy and paste the text, open notepad on my own, and save the file fine. suspect it's related.

hopefully, you gurus will come up with a better workaround, or ms will patch quickly.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide

redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas

Control Panel -> Folder Options -> File Types. Find and delete EMF and WMF.

Edit: Ok that will keep it from downloading automagically but it will still execute when browsing to a folder with the files ...

norwegian
Premium
join:2005-02-15
Outback
thanks for the heads up, unregistered SHIMGVW.DLL for now
redwolfe_98

join:2001-06-11
·RoadRunner Cable

i got an alert about this issue from "computer associates" ("etrust"). here is their "workaround"/"recommendations":

"Reduce exposure by disabling the automatic rendering of WMF files.

To unregister shimgvw.dll, execute the following command:

regsvr32 /u shimgvw.dll

To enable shimgvw.dll, use the following command:

regsvr32 shimgvw.dll" -end CA "recommendations"

my question is, how do we "disable automatic rendering of WMF files"? i wasn't sure if the instructions to "unregister" "shimgvw.dll" were for doing that, or not..
jp10558
Premium
join:2005-06-24
Willseyville, NY
I've gone and done the registry fix, as I don't use Windows Fax viewer ... but can we undo it once there's a patch?

How would we do that?

gracie
Geek Goddess
Premium
join:2003-07-15
confusion

Re: Windows MetaFiles still vulnerable

said by jp10558 See Profile :

I've gone and done the registry fix, as I don't use Windows Fax viewer ... but can we undo it once there's a patch? How would we do that?
once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
--
graciella! "not tonight dear, I have DSL."
Creating SuperOrganizations Worldwide
Creating & Hosting SuperSites Worldwide
KyeU

join:2003-12-31
Canada

I've created two Proxomitron filters to help protect the user against downloading/loading .WMF images.

Web Filter:

[Patterns]
Name = "Kill .WMF [Kye-U]"
Active = TRUE
Bounds = "<*>"
Limit = 256
Match = "*.wmf*"
Replace = "$ALERT(.WMF Extension Killed on:\n\n\u)"

Header Filter:

[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill WMF Connection [Kye-U] (Out)"
URL = "(^*=(^http://*.(^([a-z]+{2,4})(^/))))*.wmf(*)\1$TST(\1=(^/))"
Match = "*&($CONFIRM(.WMF FILE EXTENSION FOUND\n\nAllow connection to the URL below?\n\n\u\n\1)|$SET(1=URL with .WMF Extension Killed\k))"
Replace = "\1"
jp10558
Premium
join:2005-06-24
Willseyville, NY

Re: Windows MetaFiles still vulnerable

Thanks Kye-U. With this, do I still need to disable Windows Picture Viewer?
KyeU

join:2003-12-31
Canada



Re: Windows MetaFiles still vulnerable

It would catch most .WMF files, I would think. The Web Page Filter kills most standard images with a .WMF extension, and the Header Filter catches the connections to *.WMF; this is because heavily encrypted JS files are difficult to match, but their connection requests are out in the open.

I would think it is still safe to disable Windows Picture Viewer, or perhaps even associating the .WMF file extension to Notepad (or another file).

Chip
Premium
join:2001-12-23
Connecticut

Re: Windows MetaFiles still vulnerable

said by KyeU See Profile :

I would think it is still safe to disable Windows Picture Viewer, or perhaps even associating the .WMF file extension to Notepad (or another file).
Here's what I tried. I changed the association for WMF/EMF from the viewer to the Foxit PDF reader. I then went to crackz and got the warning box shown above. So far I haven't got the same symptoms that RedXII1234 got when he initially went to the site.

I'm going to take some time and go through the machine and see if I find anything suspicious.
--
The three great strategies for obscuring an issue are to introduce irrelevancies, to arouse prejudice, and to excite ridicule--Bergen Evans
pier5

join:2002-03-27
34312

Re: Windows MetaFiles still vulnerable

bestserials had this wmf exploit but maxthon/IE opened a dialog asking if I wanted to view the WMF file with its associated viewer. I said "No" and the infection was prevented.
KyeU

join:2003-12-31
Canada

Beehappyy uses 4 methods to infect the user.

1. Loads free.anr through "{CURSOR: url("free.anr")}", which downloads xxx.exe to the C:\ Drive

2. Loads an IFRAME with the .WMF exploit.

3. Loads a tiny Java applet: "BlackBox.class", which modifies the Windows permissions I think.

4. Uses the Windows CHM Help File exploit.

jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest

Re: Windows MetaFiles still vulnerable

So I'm assuming this server tries all 4 but in sticking within thread, option 2. is the one we are concerned about now. This is the IFRAME/wmf exploit. Or is it a combination of all four?
I'm still waiting to see just what the attack vector is.

As was reported earlier, unless something has changed, the exploit attempts an ftp session to download the xxx.exe file.
KyeU

join:2003-12-31
Canada

Re: Windows MetaFiles still vulnerable

The other 3 methods are standard driveby methods that have existed for a while now.

The new one is the WMF file exploit.

sum guy



Hey all, I came here by way of slashdot (you know, stuff that matters)

I got tagged by a trojan using the same exploit on IRC. And yes, I knew what it was, but I accidentally double-clicked it while submitting to Trend Micro.

This is much worse than potential spyware; this exploit is silent and can easily be used to drop keyloggers, or in my case, it opened up a shell back to the guy I was chatting with.

I closed the outbound connection with TCP View, but it took out explorer.exe with it.

Here's some of my chat with the owner of the trojan:
[X] the code will give a connect back shell to my IP
[X] :}
[ME] does it only run in RAM?
[X] i think so =]. its just one time code excution.....

...

[X] [*] HTTP Client connected from HIS.IP:3683 using Windows XP, sending pay
[X] load...
[X] [*] Got connection from HIS.IP:80 MY.IP:4755
[X] Microsoft Windows XP [Version 5.1.2600]
[X] (C) Copyright 1985-2001 Microsoft Corp.
[X] C:\Documents and Settings\Me>
[X] right ?
[ME] yea, i just realized i didn't quite hit cancel in time
[ME] i think i killed it
[ME] but it also took explorer.exe with it
[X] :}
[X] yes u killed it
[X] heh
[X] its nice clean code
[X] :}
I ran it again and it opened on a different port. Also, I saw over on /. that metasploit has a plugin for this exploit.
KyeU

join:2003-12-31
Canada

Re: Windows MetaFiles still vulnerable

What's HIS.IP?

Sum Guy

Re: Windows MetaFiles still vulnerable

If you really want it, the link to his wmf is still active.
SUMware
Premium
join:2002-05-21


1 edit
Found the following, and much more detailed WMF related info here:

(not sure if this is important as a possible vector)
Although the Windows Metafile format is specific to Microsoft Windows, many non-Windows-based applications support this format as a method for interchanging graphical data with Windows applications. Because of the widespread popularity of the Microsoft Windows GUI, the Windows Metafile format has become a staple format for graphical applications and is therefore supported on most platforms. For example, Adobe's Encapsulated PostScript (EPS) supports the use of an included Windows Metafile when required to store vector-based data.
[emphasis mine]

Kye-U, thanks for the Proxo filters!
SUMware
Premium
join:2002-05-21


1 edit
Just received the following e-mail notification:

Microsoft Windows Metafile Handling Buffer Overflow

Original release date: December 28, 2005
Last revised: --
Source: US-CERT

Systems Affected

* Systems running Microsoft Windows

Overview

Microsoft Windows is vulnerable to remote code execution via an error
in handling files using the Windows Metafile image format. Exploit
code has been publicly posted and used to successfully attack
fully-patched Windows XP SP2 systems. However, other versions of the
the Windows operating system may be at risk as well.

I. Description

Microsoft Windows Metafiles are image files that can contain both
vector and bitmap-based picture information. Microsoft Windows
contains routines for displaying various Windows Metafile formats.
However, a lack of input validation in one of these routines may allow
a buffer overflow to occur, and in turn may allow remote arbitrary
code execution.

This new vulnerability may be similar to one Microsoft released
patches for in Microsoft Security Bulletin MS05-053. However, publicly
available exploit code is known to affect systems updated with the
MS05-053 patches.

Not all anti-virus software products are currently able to detect all
known variants of exploits for this vulnerability. However, US-CERT
recommends updating anti-virus signatures as frequently as practical
to provide maximum protection as new variants appear.

US-CERT is tracking this issue as VU#181038. This reference number
corresponds to CVE entry CVE-2005-4560.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary
code if the user is persuaded to view a specially crafted Windows
Metafile.

III. Solution

Since there is no known patch for this issue at this time, US-CERT is
recommending sites follow several potential workarounds.

Workarounds

Please be aware US-CERT has confirmed that filtering based just on the
WMF file extension or MIME type "application/x-msmetafile" will not
block all known attack vectors for this vulnerability. Filter
mechanisms should be looking for any file that Microsoft Windows
recognizes as a Windows Metafile by virtue of its file header.

Do not access Windows Metafiles from untrusted sources

Exploitation occurs by accessing a specially crafted Windows Metafile.
By only accessing Windows Metafiles from trusted or known sources, the
chances of exploitation are reduced.

Attackers may host malicious Windows Metafiles on a web site. In order
to convince users to visit their sites, those attackers often use URL
encoding, IP address variations, long URLs, intentional misspellings,
and other techniques to create misleading links. Do not click on
unsolicited links received in email, instant messages, web forums, or
internet relay chat (IRC) channels. Type URLs directly into the
browser to avoid these misleading links. While these are generally
good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if a
trusted site has been compromised or allows cross-site scripting.

Block access to Windows Metafiles at network perimeters

By blocking access to Windows Metafiles using HTTP proxies, mail
gateways, and other network filter technologies, system administrators
may also limit other potential attack vectors.

Reset the program association for Windows Metafiles

Remapping handling of Windows Metafiles to open a program other than
the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent
exploitation via some current attack vectors. However, this may still
allow the underlying vulnerability to be exploited via other known
attack vectors.

Advisory here.
SUMware
Premium
join:2002-05-21

From the Microsoft Security Advisory (912840):
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005
Reading e-mail in plain text does mitigate this vulnerability where the e-mail vector is concerned although clicking on a link would still put users at risk.

Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.
For additional information about how to “Enable DEP for all programs on your computer”, see the product documentation.
Received another e-mail stating: "If the file is sent with a different extension Windows may still open the file and become infected. (Magic number detection. The first five bytes are [expressed as octal numbers]:
\327\315\306\232\000)".

jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest

And this recently from SANS:

Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.
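The content-based check that the US-CERT workaround text quoted earlier in the thread and this SANS update both call for, written out as an added example (not code from the thread, US-CERT or SANS): it classifies a file as a Windows Metafile from its header bytes alone, so a metafile renamed to .jpg is still caught and a real JPEG named .wmf is not. The header layouts follow the public WMF format; the sample files are constructed here and contain headers only.

```python
import struct

# Placeable (Aldus) header key: the octal bytes quoted in the thread,
# \327\315\306\232 = D7 CD C6 9A (little-endian dword 0x9AC6CDD7).
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22   # key(4) handle(2) bbox(8) inch(2) reserved(4) checksum(2)
META_HEADER_LEN = 18        # type(2) size(2) version(2) filesize(4) objects(2) maxrec(4) params(2)


def metafile_kind(data):
    """Classify by header bytes only: 'placeable', 'standard' or None.

    The placeable header checksum is deliberately not verified: a filter
    should err towards treating a file as a metafile, not towards letting it through.
    """
    if data[:4] == PLACEABLE_KEY and len(data) >= PLACEABLE_HEADER_LEN:
        return "placeable"
    if len(data) >= META_HEADER_LEN:
        mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, 0)
        # Standard METAHEADER: type 1 (memory) or 2 (disk), header of nine
        # 16-bit words, version 0x0100 or 0x0300.
        if mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300):
            return "standard"
    return None


def scan(files):
    """Return the names whose content is a metafile, whatever the extension says."""
    return [name for name, data in files.items() if metafile_kind(data) is not None]


# Constructed sample "files" for the demonstration: headers only, no drawing records.
STANDARD_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
PLACEABLE_HEADER = PLACEABLE_KEY + struct.pack("<HhhhhHIH", 0, 0, 0, 200, 200, 96, 0, 0)
SAMPLES = {
    "logo.wmf": PLACEABLE_HEADER + STANDARD_HEADER,   # placeable metafile, honest extension
    "photo.jpg": STANDARD_HEADER,                     # metafile disguised as a JPEG
    "chart.wmf": b"\xff\xd8\xff\xe0" + b"\x00" * 20,  # real JPEG header named .wmf
    "notes.txt": b"hello world" * 3,                  # plain text
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10} -> {metafile_kind(data)}")
```

A perimeter filter built this way flags logo.wmf and photo.jpg and leaves chart.wmf alone, which is exactly the gap an extension-only rule leaves open.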

purelander
Premium
join:2003-07-11


^^^.
eburger68
Premium,MVM
join:2001-04-28

Hi All:

IE-SPYAD users should see this thread in the Security Vendors forum for an interim update to IE-SPYAD:

»IE-SPYAD Interim Update - 28 Dec. 2005

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior

trparky
Bite My Shiny Metal Ass
Premium,MVM
join:2000-05-24
Cleveland, OH
clubs:

Re: Windows MetaFiles still vulnerable

I imagine it is like DEFCON-1 in Redmond right now. All hands on deck!
mysec
Premium
join:2005-11-29
I went to the unionseek.com site last night before it was shut down.

When the viewer opened, the dropper (ioo.exe) was blocked from executing. End of exploit.

badd

join:2001-10-04
De Queen, AR
·Windstream

If anyone is still following this thread, I have more info. Customer called last night and when I got over there his computer was all messed up. He was hit by one of the variants of this and it installed the following files: winstall.exe and a cws_secure32.html hijack. A red X warning came up in the task bar saying Windows had found a trojan on the computer, click here to remove; when he clicked on it, it tried to install SpySheriff on his computer and would not go anywhere else. I am still wading through his computer digging out other things. He fudges on telling the truth about what sites he goes to, so I can't believe half of what he says he clicked on and didn't, so I have no idea how many other files this has dropped. Will look for all that has been posted here. Here is some information that might be of help.
There's a new zero-day vulnerability related to Windows' image rendering - namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch.
It would not let me insert the picture that goes with this; it also has part of the code that it would not insert, sorry.
The exploit is currently being used to distribute the following threats:
Trojan-Downloader.Win32.Agent.abs
Trojan-Dropper.Win32.Small.zp
Trojan.Win32.Small.ga
Trojan.Win32.Small.ev.
Some of these install hoax anti-malware programs the likes of Avgold.

Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.
In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.
As a precaution, we recommend administrators to block access to unionseek[DOT]com and to filter all WMF files at HTTP proxy and SMTP level.
F-Secure Anti-Virus detects the offending WMF file as W32/PFV-Exploit with the 2005-12-28_01 updates.
We expect Microsoft to issue a patch on this as soon as they can.
Sorry about the long post, but I think it is important.
matunga

join:2003-07-26


3 edits

Re: Windows MetaFiles still vulnerable

DEP enabled for all programs has blocked it.

trparky
Bite My Shiny Metal Ass
Premium,MVM
join:2000-05-24
Cleveland, OH
clubs:
·AT&T U-Verse


1 edit

Re: Windows MetaFiles still vulnerable

said by matunga:

DEP enabled for all programs has blocked this [LINK REMOVED]
Is that a test or a real-live exploit?
--
WedgeAntilles250

Tom's Rant
(topic locked)
Friday, 27-Nov 07:52:36 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.