  ZOverLord Premium join:2003-10-20 Minneapolis, MN | reply to BQuick Re: Windows MetaFiles still vulnerable
What happened with the System32 Notepad test? |
|
  BQuick
join:2003-11-05 Italy
| reply to redxii Jottis' results on 1.16
File: sys32.zip
Status: INFECTED/MALWARE
MD5: a430ebd724ce3c860f56182241000c2f
Packers detected: -
Scanner results:
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found Exploit.Win32.WMF-PFV
ClamAV: Found Exploit.WMF.Gen-3
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Exploit.Win32.IMG-WMF (probable variant)
NOD32: Found probably a variant of Win32/Exploit.WMF (probable variant)
Norman Virus Control: Found W32/Exploit.Gen
UNA: Found nothing
VBA32: Found Exploit.WMF |
|
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
| I am always curious with this, because if you are doing this on the ZIP file itself, is it really seeing that ALL the files are infected, or does it think that only the .wmf file is infected or does it think just SOME of the files are infected? -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
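The scan results above and the question of whether a scanner flags the archive as a whole or one member inside it come down to a structural check on the WMF records themselves. The following is an added example written for this thread, not one of the test files posted in it and not any vendor's signature: a small Python scanner that walks the records of a WMF blob, flags any META_ESCAPE record whose escape code is SETABORTPROC (0x0009, the escape the exploit files rely on, which has no sensible use in a metafile stored on disk), flags records whose size field is smaller than the record header itself, and reports results per ZIP member so you can tell which file tripped it. The WMF samples and the ZIP are constructed in the block with inert zero bytes as escape data; the member names, the constant names and the 3-word minimum-size heuristic are this example's own choices, and the placeable-header checksum is not validated.

```python
"""Structural scanner for Windows Metafile (WMF) blobs.

Flags META_ESCAPE records carrying the SETABORTPROC escape, plus records
whose size field cannot even hold the 6-byte record header, and reports
per-member results for a ZIP archive so you can tell WHICH file tripped it.
Added example for illustration; not the thread's test files."""
import io
import struct
import zipfile

META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape function number that installs an abort callback
PLACEABLE_KEY = 0x9AC6CDD7     # magic of the optional 22-byte placeable (Aldus) header
STD_HEADER_LEN = 18            # fixed METAHEADER: 9 words
PLACEABLE_LEN = 22


def iter_records(data):
    """Yield (offset, size_words, function, params) for each WMF record.

    Stops after META_EOF or after a record whose size field is smaller than
    its own 3-word header, since such a record cannot be walked safely."""
    off = PLACEABLE_LEN if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    if len(data) < off + STD_HEADER_LEN:
        raise ValueError("truncated WMF header")
    if struct.unpack_from("<H", data, off + 2)[0] != 9:
        raise ValueError("METAHEADER.HeaderSize is not 9 words")
    off += STD_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        params = data[off + 6: off + size_words * 2]   # empty if the size field lies
        yield off, size_words, func, params
        if func == META_EOF or size_words < 3:
            return
        off += size_words * 2


def scan_wmf(data):
    """Return a list of (offset, reason) findings; an empty list means nothing odd."""
    findings = []
    for off, size_words, func, params in iter_records(data):
        if size_words < 3:
            findings.append((off, "record size %d words < 3-word record header" % size_words))
        # Read the escape code straight from the buffer so a lying size field cannot hide it.
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                findings.append((off, "META_ESCAPE with SETABORTPROC escape code"))
    return findings


def scan_zip_bytes(zip_bytes):
    """Scan every member of an in-memory ZIP; returns {member_name: findings}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                results[info.filename] = scan_wmf(zf.read(info.filename))
            except ValueError as exc:      # not a WMF at all, or truncated
                results[info.filename] = [(0, "not parseable as WMF: %s" % exc)]
    return results


# --- constructed test vectors (inert filler, not the thread's files) ---------
def _record(func, params=b""):
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records, placeable=False):
    body = b"".join(records) + _record(META_EOF)
    max_words = max(len(r) for r in records + [_record(META_EOF)]) // 2
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (STD_HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    if placeable:   # key, hmf, bbox(4), inch, reserved, checksum (checksum left 0, not validated)
        hdr = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + hdr
    return hdr + body


BENIGN_WMF = build_wmf([_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))])
# SETABORTPROC escape followed by 16 inert zero bytes as the "escape data".
ABORTPROC_WMF = build_wmf(
    [_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
     _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"\x00" * 16)],
    placeable=True)
# Same escape, but the size field claims 1 word: structurally impossible.
BAD_SIZE_WMF = build_wmf([struct.pack("<IH", 1, META_ESCAPE) + struct.pack("<HH", SETABORTPROC, 0)])


def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


SAMPLE_ZIP = build_zip({"benign.wmf": BENIGN_WMF, "abortproc.wmf": ABORTPROC_WMF,
                        "readme.txt": b"plain text, not a metafile\n"})

if __name__ == "__main__":
    for name, found in scan_zip_bytes(SAMPLE_ZIP).items():
        print(name, "CLEAN" if not found else found)
```

Running it lists each ZIP member with its own verdict: the benign file is clean, the file with the escape record is flagged at the record's byte offset, and the text file is reported as not a metafile rather than silently skipped. A scanner that works this way answers the "all files or just the .wmf" question directly, which a single verdict on the archive does not.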
  BQuick
join:2003-11-05 Italy
| reply to redxii said by ZOverlord: What happened with the System32 Notepad test?
As I wrote, the whole issue was the path to Notepad. When I use Notepad, it uses the C:\windows\system32\notepad.exe path, which I had on "permit always" in PG.
Your exploit was trying to launch C:\Windows\notepad.exe, which I had not put in PG's permit list (because it doesn't serve to open my Notepad); that's why PG was flagging the attempt. If I put C:\windows\notepad.exe in PG's "permit always" list, PG doesn't protect you anymore and your exploit is successful. |
|
  BQuick
join:2003-11-05 Italy
| reply to redxii said by ZOverlord: I am always curious with this, because if you are doing this on the ZIP file itself, is it really seeing that ALL the files are infected, or does it think that only the .wmf file is infected or does it think just SOME of the files are infected?
You mean Jotti's scan? The zip file sys32.zip contains only one file (.wmf). I wish I could answer you about the 1.14 zip with the various files in it, but none of my AVs can see a single thing, so I've no idea. Someone with KAV/BitDefender/NOD32 could tell you that. My AVG and AntiVir don't recognize the malicious code. |
|
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
| reply to BQuick Yes. I was not sure if you saw my post; I DID add 2 files for you that do launch Notepad from the system32 directory.
The ones you asked for  -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
  ZOverLord Premium join:2003-10-20 Minneapolis, MN 2 edits | reply to BQuick I will add ALL the file types to the sys32.zip, give me a minute.
Done....
Actually the NORMAL Zip file is the most current version 1.16 NOT 1.14 |
|
 Libra Premium join:2003-08-06 USA
| reply to redxii In the past few pages I have been reading about this notepad.exe. Could someone please explain to me if XP Home SP2 is protected if the DLL is unregistered and Ilfak's patch has been applied?
Also, when I do a search for shimgvw.dll (in a limited account) it shows up in i386 and system32. But if I try to right-click on a jpg file and select Windows Picture and Fax Viewer, nothing happens.
RE AVG: when I did KyeU's tests (when he added the inline ones) AVG did find infected files in one or two of the tests. I have "scan all files" in the resident AV settings.
Sincerely, Libra |
|
  BQuick
join:2003-11-05 Italy
| reply to ZOverLord said by ZOverlord: Yes, I was not sure if you saw my post; I DID add 2 files for you that do launch Notepad from the system32 directory.
The ones you asked for
Ah, thanks, I hadn't realised that. Yes, PG doesn't prompt anything and it asks me to create text... With the new path, the exploit works just fine.
quote: Actually the NORMAL Zip file is the most current version 1.16 NOT 1.14
Yes, I know. Simply, when I first saw the links to the files you posted, the "notepad" file link wasn't working. So in sys32 there was only one, and the only way to answer your questions about whether the AVs see ONE infected file or ALL of them was to refer to the 1.14 "notepad" files, which I had. But my AVs are useless on this...
Thanks a lot for the customization.
And... any idea what I could put next to PG to prevent this? |
|
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
1 edit | Nope, but it sure does not sound good if PG needs protection on a file-by-file basis to protect from this exploit.
Maybe someone can suggest settings that could offer more protection. -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
  BQuick
join:2003-11-05 Italy | reply to redxii Well, it would protect if you didn't have Notepad in "permit always", but it's quite irritating to give manual permission to such a thing, since Notepad is used quite often. |
|
  BQuick
join:2003-11-05 Italy
| reply to ZOverLord On the bright side, if you were to really make a hostile attack, and say install a trojan, I think PG would stop it, because you'd have to run an exe that is not trusted (while Notepad is). The full version also prevents registry DLL injection, so it would be even harder to put "alien" code on the trusted list. At least I think so. |
|
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
2 edits | reply to BQuick said by BQuick: Well, it would protect if you didn't have Notepad in "permit always", but it's quite irritating to give manual permission to such a thing, since Notepad is used quite often.
It's important to note that Notepad is just a "White Hat" example of this exploit; protecting Notepad from being launched really won't do anything for other things. I could have just as easily ADDED A USER to the system, which in fact would not really launch any visible program. Of course, it would fail if the current user was NOT Admin, but it would be SILENT, so if it failed there would be no warning, AND if it did NOT fail, well, a new user with ADMIN privileges could have been added. That's just ONE example.
Another example would be that I could have created a service, silently, so the concept of actually starting a specific program is only part of the total problem. -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR
·Comcast
·AT&T Southwest
| reply to BQuick I think we have to remember that the Notepad thing is really just for our testing purposes. Many were simply assigning the default "Open" for WMF files to Notepad to be safe, as at first that seemed like the simplest and safest app to default to. So that is why all these test files are set to try and open Notepad.
I wonder, though, if the default is set to something else besides Notepad, will the test files still attempt to open Notepad, or is it based on the OS's MIME type? I'm kind of curious what happens if one just deleted WMF from the list altogether. |
|
  SpannerITWks Premium join:2005-04-22
| reply to redxii OK kids here's a seemingly Permanent solution to the Notepad problem that i've just come up with.
Rename notepad.exe to, e.g., notepad.old. In future launch WordPad instead to view TXT files. I've just tried it and it works!
Now Notepad can NOT launch itself under ANY circumstances.
As an alternative, and/or, you could maybe make TXTs only open with an "Open With" command.
Have a dabble and see what you think.
Spanner -- I Only Know What I Know, But I'm Learning all The Time - Stay Safe - Spanner intheWorks/SpannerITWks |
|
 sheiny
join:2005-03-13 Turlock, CA
1 edit | reply to Libra said by Libra :In the past few pages I have been reading about this notepad.exe. Could someone please explain to me if XPHomesp2 is protected if the dll is unregistered and Ilfax's patch has been applied? The patch protects you. ZOverlord's point is that AVs alone have a hard time preventing this exploit. BTW, OneCare has alerted on all these files in real-time. |
|
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR | reply to SpannerITWks Please explain how this helps by not opening Notepad? Notepad is not the issue. |
|
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
2 edits | reply to SpannerITWks I think we all need to realize this is NOT about people launching Notepad; they would NOT be that kind. It is simply a visual example to show that the Notepad window is hidden, but I make the message box appear because the file it is trying to open is not found. I do this for visual reasons; others would not.
If I have a command shell that can launch Notepad (which normally would have been hidden), that same command shell COULD be used in a hidden manner to do ANYTHING a command shell could do for the currently logged-on user, and even if things failed, in most cases, since this is all going on in a hidden way, there would be no ERROR visible.
Worse, if that file that a non-Admin accessed made it to disk, even the browser cache, and an Admin opened the folder it was in or viewed file properties, or, for example, Google Desktop was on that system, then once an Admin did log on there would be no privilege problem. The same exploit that failed "silently" would now succeed "silently". -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR | Has anyone tried your test files on a system that has applied the leaked MS patch? |
|
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
1 edit | Hmmm, good question. With the most current test files, not sure. I think they did with the 1.14 test files, but not sure about the 1.16 test files.
I would suspect based on how that patch works, that it will not allow this exploit, with the current versions in use. -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|