thepineapplehead

I'm sure you've all read about it by now, but for anybody using Windows, it is imperative that you disable the dll which renders wmf files and their information.

http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html

DOWNLOAD THE PATCH NOW!!!

~DC:UK~ wrote:
Unofficial Patch available

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF's SETABORT escape sequence that is the root of the problem.

Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

More details from Ilfak's blog: http://www.hexblog.com.
Patch can be downloaded here: http://www.hexblog.com/security/files/wmffix_hexblog13.exe

Ilfak recommends that you uninstall this fix and use the official patch from Microsoft as soon as it is available.

There are more than 70 variants of this exploit now. Not all Anti-Virus products can detect them all either:

73 samples WMF Exploit tested with Anti-Virus Programs

Detected all 73 samples (100% detection rate):

AntiVir, Avast!, BitDefender, ClamAV, Command, Dr Web, eSafe, eTrust-INO, eTrust-VET, Ewido, F-Secure, Fortinet, Kaspersky, McAfee, Nod32, Norman, Panda, Sophos, Symantec, Trend Micro and VirusBuster.

Number of detections by other AV programs (NOT a 100% score):

62 - QuickHeal
60 - AVG
18 - F-Prot
6 - Ikarus
6 - VBA32

Beware if you use any of the 5 above.

Going back to the WMF vulnerability itself, we see a number of sites mention that shimgvw.dll is the vulnerable file.
This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll.

So while unregistering shimgvw.dll may make you less vulnerable, several attack scenarios come to mind where the system can still be compromised.

It has to be noted that in this case the attack vector of web browsers seems significantly smaller than that of explorer+third party programs.

It has now made its way into e-cards posing as happy new year cards and the first worm to exploit this has also been detected.

Quote:
On New Year's eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at metasploit and xfocus, together with an anonymous source.

The exploit generates files:

with a random size;
no .wmf extension (.jpg), but could be any other image extension actually;
a random piece of junk in front of the bad call, carefully crafted to be larger than the MTU on an ethernet network;
a number of possible calls to run the exploit are listed in the source;
a random trailer.

From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the current IDS signatures work for it. Judging from the source code, it will likely be difficult to develop very effective signatures due to the structures of the WMF files.

Considering this upsets all defenses people have in place, we voted to go to yellow in order to warn the good guys out there they need to review their defenses.

We hate going back to yellow for something we were yellow on a couple of days ago and had returned to green, but the more we look at it, the uglier it gets.

Currently the only way to protect against this is to use the unofficial patch. You can read about it on Ilfak Guilfanov's site: http://www.hexblog.com/2005/12/wmf_vuln.html

Verschwindende wrote:
  • CSS doesn't make pies

Hugo

.WMF XP exploit

Cheers TPH I had missed this one.

It just beggars belief. I have just spent a fruitless day trying to track down an IE problem to absolutely no avail whilst on an extremely tight deadline for a job. I am utterly sick of Windows and its ******* poor excuse for an operating system; with every new OS released MS manage to get themselves and us in an even greater pickle.

I love the workaround for this one: I'm currently needing to work off Win picture viewer to view a PS layout.

My new New Year's resolution is to buy a Mac, actually actively use my Linux distro, and never again use Windows on the internet. I've simply had enough time wasted trying to keep XP functioning, especially with MS patches that do their level best to bring your system crashing down. Rant over.

Happy new year MS Oups

Before you make your first post it is vital that you READ THE POSTING GUIDELINES!
----------------------------------------------------------------
Please post ALL your code - both CSS & HTML - in [code] tags
Please validate and ensure you have included a full Doctype before posting.
Why validate? Read Me

thepineapplehead

.WMF XP exploit

I want to use my built PC, upgrade it, get a nice TFT, and stick Linux on. Then play my games, and browse the web with Firefox. And never deal with MS ever again.


roytheboy

.WMF XP exploit

Hugo wrote:
Cheers TPH I had missed this one.

Maybe you should consider joining this mailing list: http://www.securiteam.com/mailinglist.html You get a lot of mail, but you'll never miss a security warning.

Life's a b*tch and then you die!

Hugo

.WMF XP exploit

Probably a good idea, but I am normally pretty on the ball when it comes to exploits. I used to spend a lot of time in security forums and the like; then I found the real trick to security: don't visit potentially dodgy sites. I have 7 layers of security now, including hardware SPI and NAT, not that that will stop WMF files.


Chris..S

.WMF XP exploit

Here are some more details ... http://www.f-secure.com/weblog/ ... including a link to a third party hotfix ( http://www.hexblog.com/2005/12/wmf_vuln.html ).

Chris..S

.WMF XP exploit

f-secure wrote:

What exactly is going wrong with the WMF vulnerability?

Turns out this is not really a bug, it's just bad design. Design from another era.

...

2) This bug seems to affect all versions of Windows, starting from Windows 3.0 - shipped in 1990!

"The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.

thepineapplehead

.WMF XP exploit

Another update, an exe file has been released to patch the exploit. It's unofficial, but allows you to use Picture Viewer again.

Quote:
The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.

Do this first: re-enable the shim DLL.

Then download the exe from here:

~DC:UK~ wrote:
Unofficial Patch available

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF's SETABORT escape sequence that is the root of the problem.

Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

More details from Ilfak's blog: http://www.hexblog.com.
Patch can be downloaded here: http://www.hexblog.com/security/files/wmffix_hexblog13.exe

Ilfak recommends that you uninstall this fix and use the official patch from Microsoft as soon as it is available.

Chris..S

.WMF XP exploit

I posted that link a day and a half ago.

thepineapplehead

.WMF XP exploit

D'oh, so you did.


Chris..S

.WMF XP exploit

Quote:
Turns out half the planet tried to download WMFFIX_HEXBLOG.EXE from Ilfak Guilfanov's personal website (hexblog.com). The resulting traffic amounts were so huge that his hosting provider actually shut his site down.

Good thing we got in early - before everyone else arrived back from their holidays.

It's good to know Microsoft is taking lots of time to thoroughly test their own critical update.

PS. The site is back up, apparently streamlined, and alternate d/l locations can be found at (or should that be "on") http://216.227.222.95

Hugo

.WMF XP exploit

No Chris, that should have been 'IN'.

I suppose he might have seen that coming, but how charitable of his hosts to shut him down; what a nice helpful bunch. My hosts would have probably offered to host that page on one of their many backup/idle servers at no cost.

I am gratified that it seems MS are ensuring that a patch isn't rushed out too quickly, before, that is, there is a definite need for it and it is proved that this is not just a lot of people crying wolf. I hardly think the most serious exploit in the history of computers ever needs to be rushed at, or should that be rushed on in to?

Hugo.


wolfcry911

.WMF XP exploit

did someone say cry wolf?

roytheboy

.WMF XP exploit

Hugo wrote:
...but how charitable of his hosts to shut him down, what a nice helpful bunch. My hosts would have probably offered to host that page on one of their many backup/idle servers at no cost.

Given the amount of traffic, any switched-on host would have made plenty of bandwidth available in return for a banner ad at the top of the page. What a fabulous missed opportunity.


Hugo

.WMF XP exploit

Quote:
Given the amount of traffic, any switched-on host would have made plenty of bandwidth available in return for a banner ad at the top of the page. What a fabulous missed opportunity

Exactly, what dunces; the revenue possibilities! Not that I'm that mercenary.


Chris..S

.WMF XP exploit

The patch was released by Microsoft last Thursday. Windows Update should install it.