Forums » Up and Running » Security » Security » Windows MetaFiles still vulnerable
beerbum
reply to dp

NAV users: there is a new def file out that should catch it. It just came down on my LiveUpdate: »securityresponse.symantec.com/av···.56.html


redxii
reply to Libra
said by Libra:

REDxII1234,
If you don't unregister shimgvw.dll, but are running in a limited user account, will you be okay?

Also, should I unregister shimgvw.dll in Windows 98se?

Thank you.

Sincerely, Libra
You should be fine, but Explorer will keep crashing and you wouldn't want to risk accidentally running it in the admin account. Unregister it anyway until it is fixed.

The reason I mentioned that is because Security Focus claims that it will run with SYSTEM privileges, regardless of the logged on user's privileges. However, I am unable to find such behavior. It always runs with the user's privs.

Can't comment on 98SE. I don't have a virtual machine for that even though I have the install CD.

Windows 2000 SP4 didn't seem to have any WMF/EMF associations or the picture viewer that XP/2003 has, so it is safe from automagic execution in Explorer or on the web.


jbob
reply to KyeU
So I'm assuming this server tries all 4, but sticking within the thread, option 2 is the one we are concerned about now. This is the IFRAME/WMF exploit. Or is it a combination of all four?
I'm still waiting to see just what the attack vector is.

As was reported earlier, unless something has changed, the exploit attempts an ftp session to download the xxx.exe file.

KyeU
The other 3 methods are standard driveby methods that have existed for a while now.

The new one is the WMF file exploit.

Libra
reply to redxii
REDXII1234,
Thank you very much. I unregistered shimgvw.dll in the XP computer.
I checked file types in 98se and I didn't see any WMF or EMF types. I also searched for the shimgvw.dll and nothing came up.
I imagine when MS makes a fix we should first register the file and then get the update - does it matter?
I appreciate your help.
Sincerely, Libra


sum guy
reply to redxii
Hey all, I came here by way of slashdot (you know, stuff that matters)

I got tagged by a trojan using the same exploit on IRC. And yes, I knew what it was, but I accidentally double-clicked it while submitting it to Trend Micro.

This is much worse than potential spyware: this exploit is silent and can easily be used to drop keyloggers, or in my case, it opened up a shell back to the guy I was chatting with.

I closed the outbound connection with TCP View, but it took out explorer.exe with it.

here's some of my chat with the owner of the trojan
[X] the code will give a connect back shell to my IP
[X] :}
[ME] does it only run in RAM?
[X] i think so =]. its just one time code execution.....

...

[X] [*] HTTP Client connected from HIS.IP:3683 using Windows XP, sending pay
[X] load...
[X] [*] Got connection from HIS.IP:80 MY.IP:4755
[X] Microsoft Windows XP [Version 5.1.2600]
[X] (C) Copyright 1985-2001 Microsoft Corp.
[X] C:\Documents and Settings\Me>
[X] right ?
[ME] yea, i just realized i didn't quite hit cancel in time
[ME] i think i killed it
[ME] but it also took explorer.exe with it
[X] :}
[X] yes u killed it
[X] heh
[X] its nice clean code
[X] :}
I ran it again and it opened on a different port. Also, I saw over on /. that metasploit has a plugin for this exploit.

KyeU
What's HIS.IP?


Sum Guy

If you really want it, the link to his wmf is still active.

SUMware
reply to redxii
Found the following, and much more detailed WMF related info here:

(not sure if this is important as a possible vector)
Although the Windows Metafile format is specific to Microsoft Windows, many non-Windows-based applications support this format as a method for interchanging graphical data with Windows applications. Because of the widespread popularity of the Microsoft Windows GUI, the Windows Metafile format has become a staple format for graphical applications and is therefore supported on most platforms. For example, Adobe's Encapsulated PostScript (EPS) supports the use of an included Windows Metafile when required to store vector-based data.
[emphasis mine]

Kye-U, thanks for the Proxo filters!


rds24a
reply to beerbum
said by beerbum:

NAV users there is a new def file out that should catch it... just came down on my live update... »securityresponse.symantec.com/av···.56.html
I would be interested in seeing if someone with a spare machine can check whether NAV actually catches and cleans this. I ran a manual LiveUpdate even though I already had 12/28 defs and found almost a dozen updates that auto LU hadn't applied. My confidence is low.
--
All hail JoePa

SUMware
reply to redxii
US-CERT Advisory

Just received the following e-mail notification:

Microsoft Windows Metafile Handling Buffer Overflow

Original release date: December 28, 2005
Last revised: --
Source: US-CERT

Systems Affected

* Systems running Microsoft Windows

Overview

Microsoft Windows is vulnerable to remote code execution via an error
in handling files using the Windows Metafile image format. Exploit
code has been publicly posted and used to successfully attack
fully-patched Windows XP SP2 systems. However, other versions of the
Windows operating system may be at risk as well.

I. Description

Microsoft Windows Metafiles are image files that can contain both
vector and bitmap-based picture information. Microsoft Windows
contains routines for displaying various Windows Metafile formats.
However, a lack of input validation in one of these routines may allow
a buffer overflow to occur, and in turn may allow remote arbitrary
code execution.

This new vulnerability may be similar to one Microsoft released
patches for in Microsoft Security Bulletin MS05-053. However, publicly
available exploit code is known to affect systems updated with the
MS05-053 patches.

Not all anti-virus software products are currently able to detect all
known variants of exploits for this vulnerability. However, US-CERT
recommends updating anti-virus signatures as frequently as practical
to provide maximum protection as new variants appear.

US-CERT is tracking this issue as VU#181038. This reference number
corresponds to CVE entry CVE-2005-4560.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary
code if the user is persuaded to view a specially crafted Windows
Metafile.

III. Solution

Since there is no known patch for this issue at this time, US-CERT is
recommending sites follow several potential workarounds.

Workarounds

Please be aware US-CERT has confirmed that filtering based just on the
WMF file extension or MIME type "application/x-msmetafile" will not
block all known attack vectors for this vulnerability. Filter
mechanisms should be looking for any file that Microsoft Windows
recognizes as a Windows Metafile by virtue of its file header.

Do not access Windows Metafiles from untrusted sources

Exploitation occurs by accessing a specially crafted Windows Metafile.
By only accessing Windows Metafiles from trusted or known sources, the
chances of exploitation are reduced.

Attackers may host malicious Windows Metafiles on a web site. In order
to convince users to visit their sites, those attackers often use URL
encoding, IP address variations, long URLs, intentional misspellings,
and other techniques to create misleading links. Do not click on
unsolicited links received in email, instant messages, web forums, or
internet relay chat (IRC) channels. Type URLs directly into the
browser to avoid these misleading links. While these are generally
good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if a
trusted site has been compromised or allows cross-site scripting.

Block access to Windows Metafiles at network perimeters

By blocking access to Windows Metafiles using HTTP proxies, mail
gateways, and other network filter technologies, system administrators
may also limit other potential attack vectors.

Reset the program association for Windows Metafiles

Remapping handling of Windows Metafiles to open a program other than
the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent
exploitation via some current attack vectors. However, this may still
allow the underlying vulnerability to be exploited via other known
attack vectors.

Advisory here.


catseyenu
reply to rds24a

NAV picks it up as of today's update.
Calls it Bloodhound.Exploit.56
»securityresponse.symantec.com/av···.56.html
Edit: Yes, I've run it on MS VM and NAV picked it up.


antdude
reply to rds24a
said by rds24a:

said by beerbum:

NAV users there is a new def file out that should catch it... just came down on my live update... »securityresponse.symantec.com/av···.56.html
I would be interested in seeing if someone with a spare machine can check whether NAV actually catches and cleans this. I ran a manual LiveUpdate even though I already had 12/28 defs and found almost a dozen updates that auto LU hadn't applied. My confidence is low.
Or do it in VMware.
--
Ant @ The Ant Farm: »antfarm.ma.cx ... Please do not IM/e-mail me for technical support. Use the forum (I check almost daily)! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.

SUMware
reply to redxii
From the Microsoft Security Advisory (912840):
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005
Reading e-mail in plain text does mitigate this vulnerability where the e-mail vector is concerned, although clicking on a link would still put users at risk.

Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.
For additional information about how to “Enable DEP for all programs on your computer”, see the product documentation.
Received another e-mail stating: "If the file is sent with a different extension Windows may still open the file and become infected. (Magic number detection. The first five bytes are [expressed as octal numbers]:
\327\315\306\232\000)".
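The US-CERT workaround quoted earlier (filters must key on what Windows recognises as a metafile by its file header, not on the .wmf extension or the application/x-msmetafile MIME type) and the magic-number note just above are what a gateway filter has to act on. The following is an added example and is not code from the thread, from US-CERT or from Microsoft: a Python classifier that decides whether a byte string is a Windows Metafile purely from its placeable and META_HEADER fields, checks the placeable checksum, and walks the record chain. The header layouts are the documented WMF format; build_sample_wmf() and the sample inputs are constructed here for testing and are harmless, not anything taken from the thread.

```python
"""Content-based Windows Metafile (WMF) detection for an HTTP proxy or
mail gateway filter.

Added example; not code from the thread or from any advisory.  It
classifies a byte string as a WMF by parsing the file headers, so a
file renamed from .wmf to .jpg (or served under another MIME type) is
still caught.  The sample metafiles built by build_sample_wmf() are
constructed here and are benign."""
from typing import Optional
import struct

# Placeable (Aldus) header key: little-endian DWORD 0x9AC6CDD7, which is
# D7 CD C6 9A on disk, i.e. the octal \327\315\306\232 quoted above.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18
META_EOF = 0x0000


def _placeable_checksum(header: bytes) -> int:
    """XOR of the ten WORDs preceding the checksum field (bytes 0..19)."""
    cs = 0
    for (word,) in struct.iter_unpack("<H", header[:20]):
        cs ^= word
    return cs


def _parse_meta_header(buf: bytes) -> Optional[dict]:
    """Parse the 18-byte META_HEADER; None if the fields are implausible."""
    if len(buf) < META_HEADER_LEN:
        return None
    (mtype, hdr_words, version, size_lo, size_hi,
     objects, max_record, _members) = struct.unpack("<HHHHHHIH", buf[:META_HEADER_LEN])
    # Type 1 = memory, 2 = disk metafile; header is 9 WORDs;
    # version 0x0100 (Windows 1.x) or 0x0300 (Windows 3.x).
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return {"type": mtype, "version": version,
            "size_words": size_lo | (size_hi << 16),
            "objects": objects, "max_record_words": max_record}


def _walk_records(buf: bytes) -> Optional[list]:
    """Walk the record chain after META_HEADER and return the function
    codes seen, or None if the chain is malformed.  Each record starts
    with a DWORD size (in WORDs) followed by a WORD function number."""
    funcs, off = [], META_HEADER_LEN
    while off + 6 <= len(buf):
        size_words, func = struct.unpack_from("<IH", buf, off)
        if size_words < 3:            # smaller than its own size+function fields
            return None
        funcs.append(func)
        if func == META_EOF:
            return funcs
        off += size_words * 2
    return None                       # ran off the end without META_EOF


def classify_wmf(data: bytes) -> Optional[dict]:
    """Return a description if `data` is a WMF by content, else None.
    File name, extension and MIME type are deliberately not consulted."""
    if data.startswith(PLACEABLE_KEY):
        if len(data) < PLACEABLE_HEADER_LEN:
            return None
        stored = struct.unpack_from("<H", data, 20)[0]
        checksum_ok = stored == _placeable_checksum(data)
        body, kind = data[PLACEABLE_HEADER_LEN:], "placeable"
    else:
        checksum_ok, body, kind = None, data, "standard"
    header = _parse_meta_header(body)
    if header is None:
        return None
    funcs = _walk_records(body)
    # A bad checksum or a broken record chain is reported, not used to
    # exempt the file: the filter's job is to not miss metafiles.
    return {"kind": kind, "checksum_ok": checksum_ok, "header": header,
            "records": funcs, "well_formed": funcs is not None}


def build_sample_wmf(placeable: bool) -> bytes:
    """Constructed test input: a tiny benign metafile holding one
    META_SETMAPMODE (0x0103) record and META_EOF.  Not an exploit."""
    records = struct.pack("<IHH", 4, 0x0103, 8)      # 4 WORDs: size, func, MM_ANISOTROPIC
    records += struct.pack("<IH", 3, META_EOF)       # 3 WORDs
    total_words = (META_HEADER_LEN + len(records)) // 2
    meta = struct.pack("<HHHHHHIH", 2, 9, 0x0300,
                       total_words & 0xFFFF, total_words >> 16, 0, 4, 0)
    if not placeable:
        return meta + records
    # key, HWmf, bounding box (l, t, r, b), inch, reserved, then checksum
    head = PLACEABLE_KEY + struct.pack("<HhhhhHI", 0, 0, 0, 100, 100, 96, 0)
    head += struct.pack("<H", _placeable_checksum(head))
    return head + meta + records


if __name__ == "__main__":
    for name in ("image.wmf", "image.jpg", "image.gif"):
        # the same bytes under three names: the extension does not matter
        print(name, classify_wmf(build_sample_wmf(True))["kind"])
    print("real gif", classify_wmf(b"GIF89a" + b"\x00" * 20))
```

Run with no arguments it classifies the same bytes under three file names to show that the extension is irrelevant, and shows that a real GIF is not flagged. checksum_ok and well_formed are returned so a gateway can log them, but any file whose META_HEADER parses is treated as a metafile regardless, since the attacker controls both fields.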


jbob
reply to redxii
And this from recently from SANS:

Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.


purelander
reply to redxii
^^^.

eburger68
reply to redxii
Hi All:

IE-SPYAD users should see this thread in the Security Vendors forum for an interim update to IE-SPYAD:

»IE-SPYAD Interim Update - 28 Dec. 2005

Best,

Eric L. Howes
--
Microsoft MVP
Sunbelt Software Consultant
Spyware Warrior


trparky
I imagine it is like DEFCON-1 in Redmond right now. All hands on deck!

mysec
reply to redxii
I went to the unionseek.com site last night before it was shut down.

When the viewer opened, the dropper (ioo.exe) was blocked from executing. End of exploit.


badd
reply to redxii
If anyone is still following this thread, I have more info. A customer called last night, and when I got over there his computer was all messed up. He was hit by one of the variants of this and it installed the following files: winstall.exe and the cws_secure32.html hijack. A red X warning came up in the task bar saying Windows had found a trojan on the computer, click here to remove; when he clicked on it, it tried to install SpySheriff on his computer and would not go anywhere else. I am still wading through his computer digging out other things. He fudges on telling the truth about what sites he goes to, so I can't believe half of what he says he clicked on and didn't, so I have no idea how many other files this has dropped. Will look for all that has been posted here. Here is some information that might be of help.
There's a new zero-day vulnerability related to Windows' image rendering, namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch.
It would not let me insert the picture that goes with this; it also has part of the code that it would not insert, sorry.
The exploit is currently being used to distribute the following threats:
Trojan-Downloader.Win32.Agent.abs
Trojan-Dropper.Win32.Small.zp
Trojan.Win32.Small.ga
Trojan.Win32.Small.ev.
Some of these install hoax anti-malware programs the likes of Avgold.

Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.
In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.
As a precaution, we recommend that administrators block access to unionseek[DOT]com and filter all WMF files at the HTTP proxy and SMTP level.
F-Secure Anti-Virus detects the offending WMF file as W32/PFV-Exploit with the 2005-12-28_01 updates.
We expect Microsoft to issue a patch on this as soon as they can.
Sorry about the long post, but I think it is important.
© 1999-2009 dslreports.com.