dslreports logo
Search similar:


uniqs
133811

redxii
Mod
join:2001-02-26
Michigan
Asus RT-AC3100
Buffalo WZR-HP-G300NH2

redxii

Mod

Windows MetaFiles still vulnerable

»redxii.blogspot.com/2005 ··· ing.html

Basically Microsoft had released a patch in November fixing an execution flaw in Windows MetaFiles. Doing my dark side of the world wide web runs on a fully patched XP SP2 virtual machine, it became apparent that MetaFiles are still executing code even with the patch.

KAV didn't catch it. It caught the programs running after the fact, but still missed some stuff.

dp
MVM
join:2000-12-08
Greensburg, PA

dp

MVM

Additional info:

»isc.sans.org/diary.php?s ··· ryid=972
»www.securityfocus.com/bi ··· 074/info

redxii
Mod
join:2001-02-26
Michigan
Asus RT-AC3100
Buffalo WZR-HP-G300NH2

1 edit

redxii

Mod

Kinda funny. I found it out on my own then while I was typing it up other people are in the know at the same time. I did not go to unionseek or heard of it until other people were posting WMF file code execution

Except i'm wondering what the hell happened. They released a patch fixing metafile code execution, and two months later we have metafile code execution even with the said patch. Except this time it is actually in the wild.

"The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine."

Atleast in my testing, this does not appear to be the case. I think they are confusing the fact that most people run as admin, and once the code is executed it creates services that are run as SYSTEM. It for sure died in a restricted account.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
Motorola MB8611
Asus RT-AC86
Asus RT-AC66U B1

1 edit

jbob to redxii

Premium Member

to redxii

Re: And this from F-Secure.....

»www.f-secure.com/weblog/ ··· 00000753

Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C.

Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:

Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz

(some of these blocks already exist in my MVPS Hosts file)

And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of Soviet Union:

Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU

"Krasnaya ploshad" is the Red Square in Moscow...

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows.
jp10558
Premium Member
join:2005-06-24
Willseyville, NY

jp10558 to redxii

Premium Member

to redxii

Re: Windows MetaFiles still vulnerable

Ok, I missed this as the title and WMF searches missed vs what was used at the blog where I heard of it. I'll post what I asked in the new thread:

Question, I use Directory Opus to replace Explorer for the file manager... And DO uses it's own image viewer. Am I affected?

Also, it sounds like just setting some other image viewer as default for wmf images would protect you - but would another viewer automatically be safe as they would not have SYSTEM user prividledges, or do they all use the Windows dll that's vulnerable?

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
Motorola MB8611
Asus RT-AC86
Asus RT-AC66U B1

1 edit

jbob

Premium Member

I just sent Red a PM asking him to check that very thing using InfranView.

This is what was said by F-Secure here:

Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.

In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.
jp10558
Premium Member
join:2005-06-24
Willseyville, NY

jp10558

Premium Member

So, if I go to such a page, I'll get a prompt about viewing the picture, and if I say no, no problem... So there's no vulnerability just in seeing images on a web page, it has to launch Windows Picture and Fax viewer?

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
Motorola MB8611
Asus RT-AC86
Asus RT-AC66U B1

jbob

Premium Member

From SANS today:

The orignal exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on »www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.

Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet ), the WMF exploit attempt will result in a warning and not run on its own.

While the original exploit only refered to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive - see the F-Secure Weblog mentioned above for details.
********************************
I know of some guys who downloaded the file "wmf_exp.wmf" to further investigate it.

gracie7
Geek Goddess
Premium Member
join:2003-07-15
confusion

gracie7 to redxii

Premium Member

to redxii
and a bit more:

»www.theinquirer.net/?art ··· le=28590 : "...you can get blatted if you visit a site with an image file containing the exploit. IE users may automatically be infected. Firefox users can get infected if the image file is downloaded. There's more solid advice at F-Secure. We await a patch from Microsoft.

* UPDATE Ken Dunham, director at iDefense, said the zero day WMF exploitation threat affecting fully patched versions of XP and Windows 2003 Web Server is underway."
visormiser
Premium Member
join:2004-02-10
Alexandria, VA

visormiser

Premium Member

Washingtonpost.com's Security Fix blog includes a hack from iDefense that it says should help mitigate this threat by disabling the rendering of WMF files:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.
redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98 to redxii

Premium Member

to redxii
i don't know if it will help, but i added the "WMF" file extention to "scriptdefender's" list of protected "scripts"..

redxii
Mod
join:2001-02-26
Michigan
Asus RT-AC3100
Buffalo WZR-HP-G300NH2

1 edit

redxii to jbob

Mod

to jbob
I installed Irfanview. It executed in the Thumbnail viewer of Irfanview, and when trying to open it it executed before I could select it in the Open dialog (and thumbnails weren't enabled).

Again, it's clear to me it's not going to execute with SYSTEM otherwise the limited account would also have been owned.

explorer.exe                 964 ntdll.dll, kernel32.dll, msvcrt.dll,
ADVAPI32.dll, RPCRT4.dll, GDI32.dll,
USER32.dll, SHLWAPI.dll, SHELL32.dll,
ole32.dll, OLEAUT32.dll, BROWSEUI.dll,
SHDOCVW.dll, CRYPT32.dll, MSASN1.dll,
CRYPTUI.dll, WINTRUST.dll, IMAGEHLP.dll,
NETAPI32.dll, WININET.dll, WLDAP32.dll,
VERSION.dll, UxTheme.dll, ShimEng.dll,
AcGenral.DLL, WINMM.dll, MSACM32.dll,
USERENV.dll, comctl32.dll, comctl32.dll,
appHelp.dll, CLBCATQ.DLL, COMRes.dll,
cscui.dll, CSCDLL.dll, themeui.dll,
Secur32.dll, MSIMG32.dll, xpsp2res.dll,
actxprxy.dll, LINKINFO.dll, ntshrui.dll,
ATL.DLL, WINSTA.dll, webcheck.dll,
WSOCK32.dll, WS2_32.dll, WS2HELP.dll,
stobject.dll, BatMeter.dll, POWRPROF.dll,
SETUPAPI.dll, WTSAPI32.dll, wdmaud.drv,
msacm32.drv, midimap.dll, NETSHELL.dll,
rtutils.dll, credui.dll, iphlpapi.dll,
urlmon.dll, rsaenh.dll, browselc.dll,
MPR.dll, MRxVPCNP.dll, vmsrvc.dll,
drprov.dll, davclnt.dll, DUSER.dll,
MSGINA.dll, ODBC32.dll, comdlg32.dll,
odbcint.dll, MLANG.dll, SAMLIB.dll,
shimgvw.dll, gdiplus.dll, rarext.dll,
shellex.dll, shdoclc.dll, NTMARTA.DLL
shimgvw.dll doesn't show up in any other place than explorer.exe while viewing thumbnails and pictures in Picture and Fax viewer. Explorer.exe is the same privileges as the user. GDI32.dll shows up in other places.

Still in SP2 fully updated and SP1 without any further patches it dies in a limited account.
prana
join:2005-03-22
Australia

4 edits

prana

Member

The exe file it downloads... cj.exe
Take this with a grain of salt, this is from a 5 minute disassembly and not detailed. Will do that later when I have more time. Or leave it for the Anti-virus companies

WMF exploit has not got a standard Magic Byte

01 00 09 00 00 03 52 1F 00 00 06 00 3D 00 00 00 . ..R...=...
non standard magic byte of D7 CD C6 9A

The trojan file has two entry points, one for the DLL and one for the PE section. The PE entry point has the following characteristics.
Grabs local time.
Checks for Windows Internet Connectivity
Copies itself into multiple DLLs in System32, dvob.dll, oewrgm.dll, sh.dll, wqxk.dll.
Registers CLSID to run as a BHO
Opens FTP connection to download a file 66.36.231.141 with
username user21 ,
FTP username password user21:ma5gjdH5
Adds the registry name for the below classes
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Object

The following keys are added in the CLSID classes.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03c02f31-a63c-440a-ae37-ac9282f01af7}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67269857-3057-42f4-9233-f9c2abb59953}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cde6d49d-a863-4d07-aec3-7d83b5ab7ce5}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8bda45f3-735e-4df8-90e9-2c68ed2567b6}\InProcServer32

Appends subkeys to CLSID "Apartment" with a valuename of ThreadingModel to the DLLs
Grabs filename of the exe file.
Creates mutex name "3094flcxvdf"

The FTP site!
C:\>ftp 66.36.231.141
Connected to 66.36.231.141.
220 sst
User (66.36.231.141:(none)): user21
331 Password required for user21.
Password:
230 User user logged in.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp> pwd
257 "/" is current directory.
ftp> ls -la
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp>

The following files are created in your system32 dir

dvob.dll
oewrgm.dll
wqxk.dll
sh.dllin the particular sample I tested... which are copies of the trojan downloaded with a different filename for the alternative entry point for the binary

edited: some updated info

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
Motorola MB8611
Asus RT-AC86
Asus RT-AC66U B1

jbob

Premium Member

According to Sunbelt Blog: »sunbeltblog.blogspot.com ··· ild.html

it's up to over 50 variants and counting now. More sites are popping up too. Earlier I had seen some guys who downloaded a different file.
jbob

jbob to redxii

Premium Member

to redxii
Thanks, you're the heat! But you kinda lost me a bit.
I am not sure whether the trojan executed while using InfranView or not? You seem to say it did but it was unclear. I'm assuming that the exploitable dll file "shimgvw.dll" was not called by InfranView so the exploit didn't happen and only happens in the instance of using explorer and Picture and Fax viewer?

As you mentioned another good reason to only run as Admin when necessary! Now if I would learn! lol

redxii
Mod
join:2001-02-26
Michigan
Asus RT-AC3100
Buffalo WZR-HP-G300NH2

1 edit

redxii to jbob

Mod

to jbob
said by jbob:

it's up to over 50 variants and counting now. More sites are popping up too.
The number of websites seem bloated. There are many websites, but many more call out to a "master" website. You may get it from site 1, 2, 3, 4, and 5 but all those others get the exploit code from say site 4.

pcdebb
birdbrain
Premium Member
join:2000-12-03
Brandon, FL

pcdebb to redxii

Premium Member

to redxii
good work guys. can i assume at this early stage there isnt a patch/fix for this? this might be one that I may have to fix on someone's computer soon
Shadye
Premium Member
join:2004-10-21
Fallbrook, CA

1 edit

Shadye

Premium Member

Yeah, turn on DEP.
Spoke too soon. There's a workaround out.
REGSVR32 /U SHIMGVW.DLL
That will stop WMF from being automatically displayed in IE, but you can still open the file and get infected.

gracie7
Geek Goddess
Premium Member
join:2003-07-15
confusion

2 edits

gracie7 to pcdebb

Premium Member

to pcdebb
said by pcdebb:

can i assume at this early stage there isnt a patch/fix for this?
well, the unregistration hack described above (using "regsvr32 /u shimgvw.dll" ) seems to work for now...

LATE EDIT: wait. does this require a restart? we've done the unreg on all the xp machines, but can still open a .wmf file ok.

is only ms picture viewer vulnerable? we have wmf associated with psp...

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to redxii

Premium Member

to redxii
thanks for the heads up, unregistered SHIMGVW.DLL for now
noway1
join:2004-11-29

noway1 to gracie7

Member

to gracie7
said by gracie7:

...LATE EDIT: wait. does this require a restart? we've done the unreg on all the xp machines, but can still open a .wmf file ok.
I needed to restart for the fix to work.
redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98 to redxii

Premium Member

to redxii
i got an alert about this issue from "computer associates" ("etrust"). here is their "workaround"/"recommendations":

"Reduce exposure by disabling the automatic rendering of WMF files.

To unregister shimgvw.dll, execute the following command:

regsvr32 /u shimgvw.dll

To enable shimgvw.dll, use the following command:

regsvr32 shimgvw.dll" -end CA "recommendations"

my question is, how do we "disable automatic redering of WMF files"? i wasn't sure if the instructions to "unregister" "shimgvw.dll" were for doing that, or not..

gracie7
Geek Goddess
Premium Member
join:2003-07-15
confusion

gracie7

Premium Member

WARNING about using the regsvr hack: it totally disables ms picture viewer, not just for .wmf files. i now can't use "preview" in the right click menu for ANY files---jpg, gif, etc. double clicking them still opens them in psp, as that is the association, but you can't "preview" using picture and fax viewer anymore.

this may be obvious to most; i didn't realize the hack was to disable picture viewer altogether, somehow i thought it was just to disable picture viewer rendering .wmf files. boo.
jp10558
Premium Member
join:2005-06-24
Willseyville, NY

jp10558

Premium Member

Interesting question - won't most security software catch this anyway? Say your firewall asking if foo.exe can open an FTP connection to someplace you've never been?

If that fails, I'm betting that teatimer and processguard will catch the registry and executions respectively.

hpguru
Curb Your Dogma
Premium Member
join:2002-04-12

hpguru to gracie7

Premium Member

to gracie7
said by gracie7:

WARNING about using the regsvr hack: it totally disables ms picture viewer, not just for .wmf files. i now can't use "preview" in the right click menu for ANY files---jpg, gif, etc. double clicking them still opens them in psp, as that is the association, but you can't "preview" using picture and fax viewer anymore.

this may be obvious to most; i didn't realize the hack was to disable picture viewer altogether, somehow i thought it was just to disable picture viewer rendering .wmf files. boo.
I havn't applied the hack myself but just skimming through related registry classes it appears there is a lot of functionality which would be broken.

I am wondering if we could narrow it down to a particular CLSID code we could set the kill on instead?

gracie7
Geek Goddess
Premium Member
join:2003-07-15
confusion

gracie7

Premium Member

said by hpguru:

skimming through related registry classes it appears there is a lot of functionality which would be broken.
indeed...i just had a problem with my ocr program saving a file it scanned in notepad. was able to copy and paste the text, open notepad on my own, and save the file fine. suspect it's related.

hopefully, you gurus will come up with a better workaround, or ms will patch quickly.

Nerdtalker
Working Hard, Or Hardly Working?
MVM
join:2003-02-18
San Jose, CA

Nerdtalker to jp10558

MVM

to jp10558
said by jp10558:

Interesting question - won't most security software catch this anyway? Say your firewall asking if foo.exe can open an FTP connection to someplace you've never been?
I'd assume that all firewalls that provide outbound protection would prompt the user, unless they've already created a rule allowing all FTP traffic from the windows FTP client program.

What you're assuming here is that people do have a good firewall. Nine tenths of them don't.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
Motorola MB8611
Asus RT-AC86
Asus RT-AC66U B1

jbob to jp10558

Premium Member

to jp10558
That would seem likely but who knows. I have read that BOClean already had this trojan covered over a month ago. If it all starts with a simple trojan being downloaded then that would seem simple enough to take care of but I'm not so sure that is all that is happening. Does the exploit cause the trojan download to be attempted using ftp or is the exploit code opening up another hole?

I am reading this from a user on GRC: The question was asked, "Now all we need to find out if the action of right clicking it can infect the system?"

"Said by Not John Lennon"
It appears it can. On my test system so far, all I can get it to do is crash & restart the shell. (Explorer.exe) It doesn't seem to actually infect the system & it's doing it (restarting explorer) just by pointing at the file. No chance to right click, left click, swear at it or anything else. Explorer immediately crashes & restarts. Weird. On another system, it infected it when the file was right clicked. Both systems XP Pro.

I didn't quite understand Reds response to my suggestion about trying it with InfranView as the default viewer for wmf files.
jp10558
Premium Member
join:2005-06-24
Willseyville, NY

jp10558 to redxii

Premium Member

to redxii
I've gone and done the registry fix, as I don't use Windows Fax viewer ... but can we undo it once there's a patch?

How would we do that?

redxii
Mod
join:2001-02-26
Michigan

1 edit

redxii to hpguru

Mod

to hpguru
Control Panel -> Folder Options -> File Types. Find and delete EMF and WMF.

Edit: Ok that will keep it from downloading automagically but it will still execute when browsing to a folder with the files ...