redxii (Mod) · 2005-Dec-28 5:20 am
Windows MetaFiles still vulnerable
» redxii.blogspot.com/2005 ··· ing.html
Basically Microsoft had released a patch in November fixing an execution flaw in Windows MetaFiles. Doing my dark side of the world wide web runs on a fully patched XP SP2 virtual machine, it became apparent that MetaFiles are still executing code even with the patch. KAV didn't catch it. It caught the programs running after the fact, but still missed some stuff.
dp (MVM) · 2005-Dec-28 6:03 am
redxii (Mod) · 2005-Dec-28 6:19 am
Kinda funny. I found it out on my own, then while I was typing it up other people were in the know at the same time. I did not go to unionseek or hear of it until other people were posting about WMF file code execution.
Except I'm wondering what the hell happened. They released a patch fixing metafile code execution, and two months later we have metafile code execution even with the said patch. Except this time it is actually in the wild.
"The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine."
At least in my testing, this does not appear to be the case. I think they are confusing the fact that most people run as admin, and once the code is executed it creates services that are run as SYSTEM. It for sure died in a restricted account.
jbob (Premium Member) to redxii · 2005-Dec-28 11:24 am
Re: And this from F-Secure.....
» www.f-secure.com/weblog/ ··· 00000753
Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C. Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:
Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz
(some of these blocks already exist in my MVPS Hosts file)
And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of Soviet Union:
Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU
"Krasnaya ploshad" is the Red Square in Moscow...
Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer. You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute? The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.
So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows.
jp10558 (Premium Member) to redxii · 2005-Dec-28 1:09 pm
Re: Windows MetaFiles still vulnerable
Ok, I missed this as the title and WMF searches missed vs what was used at the blog where I heard of it. I'll post what I asked in the new thread:
Question, I use Directory Opus to replace Explorer for the file manager... And DO uses its own image viewer. Am I affected?
Also, it sounds like just setting some other image viewer as default for wmf images would protect you - but would another viewer automatically be safe as they would not have SYSTEM user privileges, or do they all use the Windows dll that's vulnerable?
jbob (Premium Member) · 2005-Dec-28 1:14 pm
I just sent Red a PM asking him to check that very thing using IrfanView.
This is what was said by F-Secure here:
Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.
In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.
jp10558 (Premium Member) · 2005-Dec-28 1:17 pm
So, if I go to such a page, I'll get a prompt about viewing the picture, and if I say no, no problem... So there's no vulnerability just in seeing images on a web page, it has to launch Windows Picture and Fax viewer?
jbob (Premium Member) · 2005-Dec-28 1:28 pm
From SANS today:
The original exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on » www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.
Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet), the WMF exploit attempt will result in a warning and not run on its own.
While the original exploit only referred to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive - see the F-Secure Weblog mentioned above for details.
I know of some guys who downloaded the file "wmf_exp.wmf" to further investigate it.
gracie7 (Premium Member) to redxii · 2005-Dec-28 2:51 pm
and a bit more: » www.theinquirer.net/?art ··· le=28590
"...you can get blatted if you visit a site with an image file containing the exploit. IE users may automatically be infected. Firefox users can get infected if the image file is downloaded. There's more solid advice at F-Secure. We await a patch from Microsoft.
* UPDATE Ken Dunham, director at iDefense, said the zero day WMF exploitation threat affecting fully patched versions of XP and Windows 2003 Web Server is underway."
visormiser (Premium Member) · 2005-Dec-28 3:17 pm
Washingtonpost.com's Security Fix blog includes a hack from iDefense that it says should help mitigate this threat by disabling the rendering of WMF files:
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.
to redxii · 2005-Dec-28 4:25 pm
i don't know if it will help, but i added the "WMF" file extension to "scriptdefender's" list of protected "scripts"..
redxii (Mod) to jbob · 2005-Dec-28 4:29 pm
I installed Irfanview. It executed in the Thumbnail viewer of Irfanview, and when trying to open it it executed before I could select it in the Open dialog (and thumbnails weren't enabled). Again, it's clear to me it's not going to execute with SYSTEM otherwise the limited account would also have been owned.
explorer.exe 964
ntdll.dll, kernel32.dll, msvcrt.dll, ADVAPI32.dll, RPCRT4.dll, GDI32.dll, USER32.dll, SHLWAPI.dll, SHELL32.dll, ole32.dll, OLEAUT32.dll, BROWSEUI.dll, SHDOCVW.dll, CRYPT32.dll, MSASN1.dll, CRYPTUI.dll, WINTRUST.dll, IMAGEHLP.dll, NETAPI32.dll, WININET.dll, WLDAP32.dll, VERSION.dll, UxTheme.dll, ShimEng.dll, AcGenral.DLL, WINMM.dll, MSACM32.dll, USERENV.dll, comctl32.dll, comctl32.dll, appHelp.dll, CLBCATQ.DLL, COMRes.dll, cscui.dll, CSCDLL.dll, themeui.dll, Secur32.dll, MSIMG32.dll, xpsp2res.dll, actxprxy.dll, LINKINFO.dll, ntshrui.dll, ATL.DLL, WINSTA.dll, webcheck.dll, WSOCK32.dll, WS2_32.dll, WS2HELP.dll, stobject.dll, BatMeter.dll, POWRPROF.dll, SETUPAPI.dll, WTSAPI32.dll, wdmaud.drv, msacm32.drv, midimap.dll, NETSHELL.dll, rtutils.dll, credui.dll, iphlpapi.dll, urlmon.dll, rsaenh.dll, browselc.dll, MPR.dll, MRxVPCNP.dll, vmsrvc.dll, drprov.dll, davclnt.dll, DUSER.dll, MSGINA.dll, ODBC32.dll, comdlg32.dll, odbcint.dll, MLANG.dll, SAMLIB.dll, shimgvw.dll, gdiplus.dll, rarext.dll, shellex.dll, shdoclc.dll, NTMARTA.DLL
shimgvw.dll doesn't show up in any other place than explorer.exe while viewing thumbnails and pictures in Picture and Fax viewer. Explorer.exe is the same privileges as the user. GDI32.dll shows up in other places. Still in SP2 fully updated and SP1 without any further patches it dies in a limited account.
prana (Member) · 2005-Dec-28 4:37 pm
The exe file it downloads... cj.exe
Take this with a grain of salt, this is from a 5 minute disassembly and not detailed. Will do that later when I have more time. Or leave it for the anti-virus companies.
The WMF exploit has not got a standard magic byte:
01 00 09 00 00 03 52 1F 00 00 06 00 3D 00 00 00 . ..R...=...
It has a non-standard magic byte of D7 CD C6 9A.
The trojan file has two entry points, one for the DLL and one for the PE section. The PE entry point has the following characteristics:
Grabs local time.
Checks for Windows Internet connectivity.
Copies itself into multiple DLLs in System32: dvob.dll, oewrgm.dll, sh.dll, wqxk.dll.
Registers CLSID to run as a BHO.
Opens FTP connection to 66.36.231.141 to download a file, with FTP username/password user21:ma5gjdH5.
Adds the registry name for the below classes under Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Object
The following keys are added in the CLSID classes:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03c02f31-a63c-440a-ae37-ac9282f01af7}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67269857-3057-42f4-9233-f9c2abb59953}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cde6d49d-a863-4d07-aec3-7d83b5ab7ce5}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8bda45f3-735e-4df8-90e9-2c68ed2567b6}\InProcServer32
Appends subkeys to CLSID "Apartment" with a valuename of ThreadingModel to the DLLs.
Grabs filename of the exe file.
Creates mutex name "3094flcxvdf".
The FTP site!
C:\>ftp 66.36.231.141
Connected to 66.36.231.141.
220 sst
User (66.36.231.141:(none)): user21
331 Password required for user21.
Password:
230 User user logged in.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp> pwd
257 "/" is current directory.
ftp> ls -la
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp>
The following files are created in your system32 dir in the particular sample I tested: dvob.dll, oewrgm.dll, wqxk.dll, sh.dll, which are copies of the trojan downloaded with a different filename for the alternative entry point for the binary.
edited: some updated info
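An added example, written for this thread and not code from prana or any other poster: a small Python parser that classifies a WMF file by the header bytes prana describes (the standard 01 00 09 00 00 03 METAHEADER versus the "placeable" header whose key bytes are D7 CD C6 9A, i.e. 0x9AC6CDD7 little-endian), verifies the placeable checksum, and then walks the record stream, reporting any META_ESCAPE records and the escape sub-function they carry. The record layout and the numbers 0x0626 (Escape) and 9 (SETABORTPROC) come from the published WMF format, not from the thread; the sample files are constructed inline, the first one from the sixteen header bytes prana posted padded with the two trailing bytes the post cut off. A placeable header is a normal WMF variant, so on its own it is not an indicator; the record walk is where a scanner gets its signal.

```python
"""Classify WMF headers and walk the record stream (added example, not from the thread)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

PLACEABLE_KEY = 0x9AC6CDD7   # stored little-endian on disk as D7 CD C6 9A
META_ESCAPE = 0x0626         # record function that wraps a GDI Escape() call
META_EOF = 0x0000
META_SETMAPMODE = 0x0103     # an ordinary drawing record, used in the samples
SETABORTPROC = 0x0009        # Escape sub-function historically tied to this bug class


@dataclass
class WmfReport:
    placeable: bool = False
    checksum_ok: Optional[bool] = None
    meta_type: Optional[int] = None   # 1 = memory metafile, 2 = disk metafile
    version: Optional[int] = None     # 0x0300 is the usual value
    size_words: Optional[int] = None  # declared file size in 16-bit words
    truncated: bool = False
    functions: List[int] = field(default_factory=list)  # record function codes seen
    escapes: List[int] = field(default_factory=list)    # Escape sub-functions seen
    problems: List[str] = field(default_factory=list)


def _xor_words(blob: bytes) -> int:
    x = 0
    for (w,) in struct.iter_unpack("<H", blob):
        x ^= w
    return x


def parse_wmf(data: bytes) -> WmfReport:
    r = WmfReport()
    off = 0
    # Placeable header: 22 bytes, key + bounding box + inch, XOR checksum of the first 10 words.
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        r.placeable = True
        r.checksum_ok = _xor_words(data[:20]) == struct.unpack_from("<H", data, 20)[0]
        off = 22
    if len(data) < off + 18:
        r.truncated = True
        r.problems.append("standard METAHEADER missing or short")
        return r
    mtype, hsize, ver, size_words, _nobj, _maxrec, _nparams = struct.unpack_from("<HHHIHIH", data, off)
    r.meta_type, r.version, r.size_words = mtype, ver, size_words
    if mtype not in (1, 2) or hsize != 9:
        r.problems.append("unexpected METAHEADER type or header size")
    if size_words * 2 > len(data) - off:
        r.truncated = True          # declared size exceeds what we were given
    off += 18
    # Record stream: DWORD size in words (including itself), WORD function, parameters.
    while off + 6 <= len(data):
        size, func = struct.unpack_from("<IH", data, off)
        if size < 3:
            r.problems.append(f"bad record size at offset {off}")
            break
        r.functions.append(func)
        if func == META_EOF:
            break
        end = off + size * 2
        if end > len(data):
            r.truncated = True
            break
        if func == META_ESCAPE and size >= 5:
            r.escapes.append(struct.unpack_from("<H", data, off + 6)[0])  # escape sub-function
        off = end
    return r


# --- constructed sample files -------------------------------------------------

def _placeable_header(left: int, top: int, right: int, bottom: int, inch: int) -> bytes:
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, left, top, right, bottom, inch, 0)
    return body + struct.pack("<H", _xor_words(body))


def _record(func: int, params: bytes = b"") -> bytes:
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _standard_file(records: List[bytes]) -> bytes:
    body = b"".join(records)
    max_words = max(len(rec) for rec in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


# Constructed: the 16 header bytes posted in the thread plus the two missing
# mtNoParameters bytes; the record stream itself was never posted.
SAMPLE_THREAD_HEADER = bytes.fromhex("01000900 0003 521F0000 0600 3D000000 0000")

# Constructed: an ordinary placeable file with one drawing record and EOF.
SAMPLE_PLACEABLE_BENIGN = _placeable_header(0, 0, 100, 100, 96) + _standard_file(
    [_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF)])

# Constructed: same shape, plus an Escape record whose sub-function is SETABORTPROC
# and whose data is four zero bytes (the structural shape a scanner flags, not a payload).
SAMPLE_PLACEABLE_ESCAPE = _placeable_header(0, 0, 100, 100, 96) + _standard_file(
    [_record(META_SETMAPMODE, struct.pack("<H", 8)),
     _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
     _record(META_EOF)])

if __name__ == "__main__":
    for name, blob in [("thread header", SAMPLE_THREAD_HEADER),
                       ("placeable benign", SAMPLE_PLACEABLE_BENIGN),
                       ("placeable with escape", SAMPLE_PLACEABLE_ESCAPE)]:
        print(name, parse_wmf(blob))
```

Run it as a script to see the three reports; the thread's own header parses as a type-1, version 0x0300 memory metafile that declares 0x1F52 words, so the report marks it truncated rather than guessing at records that are not there.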
jbob (Premium Member) · 2005-Dec-28 5:04 pm
According to Sunbelt Blog: » sunbeltblog.blogspot.com ··· ild.html
it's up to over 50 variants and counting now. More sites are popping up too. Earlier I had seen some guys who downloaded a different file.
jbob (Premium Member) to redxii · 2005-Dec-28 5:10 pm
Thanks, you're the heat! But you kinda lost me a bit. I am not sure whether the trojan executed while using IrfanView or not? You seem to say it did but it was unclear. I'm assuming that the exploitable dll file "shimgvw.dll" was not called by IrfanView so the exploit didn't happen and only happens in the instance of using explorer and Picture and Fax viewer?
As you mentioned, another good reason to only run as Admin when necessary! Now if I would learn! lol
redxii (Mod) to jbob · 2005-Dec-28 5:14 pm
said by jbob: it's up to over 50 variants and counting now. More sites are popping up too.
The number of websites seems bloated. There are many websites, but many more call out to a "master" website. You may get it from site 1, 2, 3, 4, and 5 but all those others get the exploit code from say site 4.
pcdebb (Premium Member) to redxii · 2005-Dec-28 5:43 pm
good work guys. can i assume at this early stage there isn't a patch/fix for this? this might be one that I may have to fix on someone's computer soon
Shadye (Premium Member) · 2005-Dec-28 5:57 pm
Yeah, turn on DEP.
Spoke too soon. There's a workaround out.
REGSVR32 /U SHIMGVW.DLL
That will stop WMF from being automatically displayed in IE, but you can still open the file and get infected.
gracie7 (Premium Member) to pcdebb · 2005-Dec-28 6:01 pm
said by pcdebb: can i assume at this early stage there isn't a patch/fix for this?
well, the unregistration hack described above (using "regsvr32 /u shimgvw.dll") seems to work for now...
LATE EDIT: wait. does this require a restart? we've done the unreg on all the xp machines, but can still open a .wmf file ok. is only ms picture viewer vulnerable? we have wmf associated with psp...
norwegian (Premium Member) to redxii · 2005-Dec-28 6:03 pm
thanks for the heads up, unregistered SHIMGVW.DLL for now
to gracie7 · 2005-Dec-28 6:11 pm
said by gracie7: ...LATE EDIT: wait. does this require a restart? we've done the unreg on all the xp machines, but can still open a .wmf file ok.
I needed to restart for the fix to work.
to redxii · 2005-Dec-28 6:21 pm
i got an alert about this issue from "computer associates" ("etrust"). here is their "workaround"/"recommendations":
"Reduce exposure by disabling the automatic rendering of WMF files.
To unregister shimgvw.dll, execute the following command:
regsvr32 /u shimgvw.dll
To enable shimgvw.dll, use the following command:
regsvr32 shimgvw.dll"
-end CA "recommendations"
my question is, how do we "disable automatic rendering of WMF files"? i wasn't sure if the instructions to "unregister" "shimgvw.dll" were for doing that, or not..
gracie7 (Premium Member) · 2005-Dec-28 6:25 pm
WARNING about using the regsvr hack: it totally disables ms picture viewer, not just for .wmf files. i now can't use "preview" in the right click menu for ANY files---jpg, gif, etc. double clicking them still opens them in psp, as that is the association, but you can't "preview" using picture and fax viewer anymore.
this may be obvious to most; i didn't realize the hack was to disable picture viewer altogether, somehow i thought it was just to disable picture viewer rendering .wmf files. boo.
jp10558 (Premium Member) · 2005-Dec-28 6:31 pm
Interesting question - won't most security software catch this anyway? Say your firewall asking if foo.exe can open an FTP connection to someplace you've never been?
If that fails, I'm betting that teatimer and processguard will catch the registry and executions respectively.
hpguru (Premium Member) to gracie7 · 2005-Dec-28 6:54 pm
said by gracie7: WARNING about using the regsvr hack: it totally disables ms picture viewer, not just for .wmf files. i now can't use "preview" in the right click menu for ANY files---jpg, gif, etc. double clicking them still opens them in psp, as that is the association, but you can't "preview" using picture and fax viewer anymore. this may be obvious to most; i didn't realize the hack was to disable picture viewer altogether, somehow i thought it was just to disable picture viewer rendering .wmf files. boo.
I haven't applied the hack myself but just skimming through related registry classes it appears there is a lot of functionality which would be broken. I am wondering if we could narrow it down to a particular CLSID code we could set the kill on instead?
gracie7 (Premium Member) · 2005-Dec-28 6:57 pm
said by hpguru: skimming through related registry classes it appears there is a lot of functionality which would be broken.
indeed...i just had a problem with my ocr program saving a file it scanned in notepad. was able to copy and paste the text, open notepad on my own, and save the file fine. suspect it's related. hopefully, you gurus will come up with a better workaround, or ms will patch quickly.
Nerdtalker (MVM) to jp10558 · 2005-Dec-28 6:57 pm
said by jp10558: Interesting question - won't most security software catch this anyway? Say your firewall asking if foo.exe can open an FTP connection to someplace you've never been?
I'd assume that all firewalls that provide outbound protection would prompt the user, unless they've already created a rule allowing all FTP traffic from the windows FTP client program. What you're assuming here is that people do have a good firewall. Nine tenths of them don't.
jbob (Premium Member) to jp10558 · 2005-Dec-28 6:58 pm
That would seem likely but who knows. I have read that BOClean already had this trojan covered over a month ago. If it all starts with a simple trojan being downloaded then that would seem simple enough to take care of but I'm not so sure that is all that is happening. Does the exploit cause the trojan download to be attempted using ftp or is the exploit code opening up another hole?
I am reading this from a user on GRC: The question was asked, "Now all we need to find out if the action of right clicking it can infect the system?"
Said by Not John Lennon: "It appears it can. On my test system so far, all I can get it to do is crash & restart the shell. (Explorer.exe) It doesn't seem to actually infect the system & it's doing it (restarting explorer) just by pointing at the file. No chance to right click, left click, swear at it or anything else. Explorer immediately crashes & restarts. Weird. On another system, it infected it when the file was right clicked. Both systems XP Pro."
I didn't quite understand Red's response to my suggestion about trying it with IrfanView as the default viewer for wmf files.
jp10558 (Premium Member) to redxii · 2005-Dec-28 7:05 pm
I've gone and done the registry fix, as I don't use Windows Fax viewer ... but can we undo it once there's a patch?
How would we do that?
redxii (Mod) to hpguru · 2005-Dec-28 7:05 pm
Control Panel -> Folder Options -> File Types. Find and delete EMF and WMF.
Edit: Ok that will keep it from downloading automagically but it will still execute when browsing to a folder with the files ...