Berkeley CSUA MOTD:Entry 41214
2006/1/3-5 [Computer/SW/OS/Windows] UID:41214 Activity:nil
1/3     Regarding the WMF vulnerability, is it true that if you're using
        Firefox 1.5, you'll always be prompted when there's a WMF image on a
        web page?  I know those using IE are SOL unless they install the 0-day
        patch from Ilfak Guilfanov mentioned here:
        http://www.grc.com/sn/notes-020.htm
        This part is funny:
        "Anti-Virus vendors quickly updated and began pushing out their A-V
        signature files. These have been effective, but a new very flexible
        exploit generation tool has appeared that's able to create so many
        different variations of the exploit that A-V signatures are having
        trouble keeping up."
        More info on how bad an infection can be here:
        http://blogs.zdnet.com/Ou/index.php?p=143&tag=nl.e589
        (Note that author does not address Ilfak's fix.)
        And just found out you can be infected by a (WMF-encoded) file with a
        .jpg extension:
        http://www.f-secure.com/weblog/archives/archive-012006.html#00000759
        (you can also be infected if Google Desktop indexes the image)
        Other image extensions can also infect you:
        http://isc.sans.org/diary.php?storyid=992
        (Is this for real?  "McAfee announced on the radio yesterday they saw
        6% of their customer having been infected with the previous generation
        of the WMF exploits. 6% of their customer base is a huge number.")
        Pre-patch, try executing an innocuous hacked WMF file:
        http://isc.sans.org/diary.php?storyid=1006
        http://sipr.net/test.wmf
        \_ Just use the regsvr32 /u fix.
           \_ http://isc.sans.org/diary.php?storyid=994
              says do both.  Doing the /u alone may not work because there may
              be "other avenues of attack against the Escape() function in
               gdi32.dll", and "we have some very strong indications that simply
              unregistering the shimgvw.dll isn't always successful"
        \_ For starters I've turned off image viewing in my browser.  The
           net is a lot faster now and I don't think I'm missing anything.
           I long for the days of gopher!
           \_ /usr/local/bin/lynx.
              \_ better: /usr/local/bin/links
Cache (6785 bytes)
www.grc.com/sn/notes-020.htm
If you have previously installed an earlier version of Ilfak's WMF patch you do not need to update to any later versions. Ilfak has simply been extending the patch's platform compatibility (adding Windows 2000 and various service pack support) and adding features for silent administrative deployment in corporations.

This is Ilfak's small and simple WMF vulnerability test program. It safely and benignly checks to see whether your system is currently vulnerable to the newly-discovered WMF vulnerability. It can be used to test your system's pre- and post-installation vulnerability with and without Ilfak's vulnerability suppression patch installed. See also the Security Now! audio program, #21, which will be devoted to complete coverage of the latest news about this significant Windows vulnerability.

Word of this spread rapidly through the hacker community, many of whom were presumably on holiday vacation from school, bored, and looking for something to do. Note that this is not a "new vulnerability": it (and perhaps other similar bugs) have been lying unknown in Windows since 1991. What's "new" is the discovery of this long-present vulnerability in Windows' metafile processing.

Anti-Virus vendors quickly updated and began pushing out their A-V signature files. These have been effective, but a new very flexible exploit generation tool has appeared that's able to create so many different variations of the exploit that A-V signatures are having trouble keeping up. Microsoft's recommended interim workaround (shimgvw.dll unregistration) provides very little protection. This is not a cure, and it is not known how long the Windows user community will now be waiting for a true patch from Microsoft. Ilfak Guilfanov produced a highly-effective true patch which successfully suppresses all known exploitable vulnerabilities for anyone using Windows 2000, XP, Server 2003, or 64-bit XP. No patch is available for Windows 95, 98, ME or NT, and none is expected to be forthcoming. But anyone using Windows 2000, XP, Server 2003, or 64-bit XP should IMMEDIATELY install Ilfak's exploit suppressor into all of their systems.

Ilfak has produced a WMF Vulnerability Checker. Many users want to verify that their "exploit suppressed" systems are now safe to use, and others want to see whether their anti-virus (A-V) systems are now detecting some WMF exploit code.

On Windows 95/98/ME, the advice to unregister "shimgvw.dll" (shell image viewer) was never correct or useful. The good news is that all current WMF exploits appear to be non-functional on the older Win9x vintage platforms, so you will likely be okay until Microsoft has updated your system with the next security patches. There is no short-term workaround for Windows 9x/SE/ME users.

Ilfak Guilfanov, well known in "reverse engineering" circles for his wildly popular IDA Disassembler, needed a temporary patch for his own system due to the seriousness of the WMF vulnerability. His patch safely and "dynamically patches" the vulnerable function in Windows to neuter it and, after rebooting, renders any Windows 2000, XP, 64-bit XP and 2003 system completely invulnerable to exploitation of the Windows Metafile vulnerability. Please Note: Unlike the "DLL unregister" recommendation offered by Microsoft, Ilfak's patch completely eliminates the vulnerability. You do NOT need to unregister the DLL.

All versions of Windows from Windows 98 through ME, NT, 2000, XP, and 2003 are known to be vulnerable, and a large and rapidly growing number of malicious exploits (57 at last count) are already circulating in the wild. They are being actively used to install malware and Trojans into users' machines. Although NOT a complete solution, Microsoft has recommended temporarily disabling the automatic display of some images by the operating system and web browser. THIS IS NOT A COMPLETE SOLUTION, but it significantly lowers the risk from this vulnerability from web surfing. Note that this WILL temporarily disable the "Thumbnail" view in Windows Explorer and the Windows Image and Fax Viewer. This is by design, since these viewers are no longer safe to use until a non-vulnerable file has been produced by Microsoft and installed. If all goes well, you will receive a confirmation prompt, and your system is now safe. No need to reboot, but you might want to just to be sure that any possible currently loaded instance is flushed out.
Cache (5614 bytes)
blogs.zdnet.com/Ou/index.php?p=143&tag=nl.e589
I fell for it for a short period of time until I proved that these "fixes" were worthless. To verify these claims, I went to websites known for distributing spyware. In both cases, for the registry modification and for hardware DEP protection, my computer was instantly flooded with popups and warning messages, and Process Explorer showed a dozen or more processes and netsh commands secretly destroying my test machine.

I tested the registry modification from Mr Athias that was supposed to mitigate the WMF vulnerability attack. The virtual machine was fully patched with Windows XP SP2 and the registry was modified as Mr Athias suggested, yet it was completely trashed by spyware. The spyware infections were so nasty that I had to completely destroy and rebuild eight virtual Windows XP machines to verify the results. The registry modification from Mr Athias simply won't protect you.

Alex Eckelberry's blog claims that Windows DEP (Data Execution Prevention) and hardware Execute Disable support on the CPUs could mitigate this WMF vulnerability. Unfortunately, my tests showed that DEP does not protect you against this WMF vulnerability as Eckelberry claims. My virtual machines were infected over and over again even though hardware DEP was enabled.

Update: After chatting with Alex Eckelberry, it's clear that Alex was getting results that conflict with mine. PCDoctorGuide was able to get hardware DEP working on the default Windows DEP settings while it didn't protect me. My tests show that the default settings for hardware-enforced DEP do not work, but turning on hardware-enforced DEP for all programs did work. After I contacted Microsoft, a Microsoft spokesperson admitted that software-enforced DEP does not work and informed me that the original advisory has been updated. Here is the actual text of the original advisory and updated advisory:

Original advisory: "I have software DEP enabled on my system, does this help mitigate the vulnerability? Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer."

Modified advisory as of 12/30/2005: "Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled: please consult with your hardware manufacturer for more information on how to enable this and whether it can provide mitigation."

While it's great Microsoft responded to my request to fix their advisory the same day on a Friday before the New Year's Day weekend, they should not have taken out the last two sentences in the excerpt above. They should have left the following portion in: "By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer."

Alex Eckelberry got conflicting results that show the default Windows XP SP2 DEP settings stop this WMF exploit; my results showed you had to go the extra mile of enabling DEP for all programs on your computer. Microsoft still needs to clarify this and explain why the default DEP settings work sometimes and not others. This is explained here nicely, and Alex includes screen shots to help you determine if you're running hardware or software DEP. The default setting on Windows XP SP2 for DEP only protects core Windows components and not extra applications like the "Windows Picture and Fax Viewer". (I can't blame Microsoft for this Windows XP SP2 default setting because they were damned if they did and damned if they didn't.) You'll need to manually put those legacy applications in the exclusion list, but demand that the software vendor provide an update to support DEP.

There are some reports I've been hearing where people can't even get their hardware-enforced DEP to work, but there may be some special circumstances and I have not been able to verify it. You can also edit the boot.ini file to turn DEP to the always-on setting using "set /noexecute=AlwaysOn". This is not very practical because it doesn't allow for any manual exceptions. My own tests with an Intel Pentium 4 630 3.0 GHz CPU show that hardware-enforced DEP does work when it's set to "Enable for all programs and services except for those I select". In my case, I can make exceptions for legitimate legacy applications that don't work with DEP protection. It's important to note that DEP mitigates these types of attacks and should only be used as an extra layer of protection in addition to other defenses.

Running the regsvr32 /u command on "shimgvw.dll" at the Start-Run prompt seems to also be very effective. Unfortunately, it kills the ability for Windows Explorer to display thumbnail images, but I'm afraid we'll have to live without it until an official patch from Microsoft comes out (hopefully next month's patch cycle). There are new reports that there are certain cases where this fix doesn't work. MSPaint and Lotus Notes can still be exploited even with this DLL unregistered.
Cache (3886 bytes)
www.f-secure.com/weblog/archives/archive-012006.html#00000759
WMF construction kit (Posted by Jarkko @ 18:27 GMT)

We just received a sample of an easy-to-use WMF construction kit, WMFMaker. The WMF file it generates is based on the "first generation" Metasploit exploit, which itself was based on the very first WMF exploit found in the wild last week. The application is user-friendly but the user still needs to know how to write assembly payloads (or where to download one). That, in addition to the fact that at least some WMF files it generates are buggy, makes this construction kit a minor threat.

In a practical sense, only Windows XP and Windows Server 2003 (in all their service pack levels) are vulnerable to the WMF flaw. All versions of Windows back to 3.0 have the vulnerability in GDI32. Except for Windows XP and Windows Server 2003, no Windows versions, in their default configuration, have a default association for WMF files, and none of their Paint programs or any other standard programs installed with them can read WMF files... So the vulnerability is there on all platforms, but it seems that only Windows XP and 2003 are easily exploitable. Unfortunately this still means that the majority of Windows computers out there are vulnerable right now. And at least Windows 2000 becomes vulnerable if you're using many of the available third-party image handling programs to open image files.

MessageLabs have stopped a very interesting WMF attack today. A new WMF exploit file was spammed from South Korea to a targeted list of a few dozen high-profile email addresses. What makes the case really interesting was the cloak-and-dagger language used in the email, which was spoofed to originate from the US State Department's security unit: "And should you get killed, we will disavow any knowledge of your actions."

It's not a bug, it's a feature (Posted by Mikko @ 04:13 GMT)

What exactly is going wrong with the WMF vulnerability? Turns out this is not really a bug, it's just bad design. When Windows Metafiles were designed in the late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. According to Microsoft documentation, this function was designed to be called by Windows if a print job needed to be canceled during spooling. This really means two things: 1) There are probably other vulnerable functions in WMF files in addition to SetAbortProc; 2) This bug seems to affect all versions of Windows, starting from Windows 3.0, shipped in 1990! "The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.

To quote ISC: "To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it. Now we're going to expend some of that hard-earned trust: This is a bad situation that will only get worse."

Some clown is spamming out "Happy New Year" emails which will infect Windows machines very easily. These emails contain a new version of the WMF exploit, which doesn't seem to be related to the two earlier Metasploit WMF exploits we've seen.

A new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous. It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Meaning that there are hundreds of millions of vulnerable computers on the net right now. Making such tools publicly available when there's no vendor patch available is irresponsible. Everybody involved in making and publishing the exploit knows this.
Cache (4643 bytes)
isc.sans.org/diary.php?storyid=992
The source code claims to be made by the folks at Metasploit and xfocus, together with an anonymous source. Note: We have been able to confirm that this exploit works. We are in the process of getting information to AV vendors ASAP. We can also confirm that having the file and simply opening the directory can be enough to get the exploit running. Similarly, it is very unlikely any of the IDS signatures for the previous versions of the WMF exploits work for this next generation. Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of the WMF files.

Infection rate
McAfee announced on the radio yesterday they saw 6% of their customers having been infected with the previous generation of the WMF exploits.

Yellow
Considering this upsets all defenses people have in place, we voted to go to yellow in order to warn the good guys out there they need to review their defenses. We hate going back to yellow for something we were yellow on a couple of days ago and had returned to green, but the more we look at it, the uglier it gets.

dll on a running system that has had an exploit attempted against it will cause the exploit to succeed. Fellow handler Tom Liston worked with Ilfak Guilfanov to help confirm some information required to extend it to cover Windows XP SP1 and Windows 2000. Note: Tom has taken this thing apart and looked at it very, very closely. The patch modifies gdi32.dll's Escape() function so that it ignores any call using SETABORTPROC (ie. ...). This should allow Windows to display WMF files normally while still blocking the exploit. We want to give a huge thanks to Ilfak Guilfanov for building this and for allowing us to host and distribute it. Note #2: When MS comes out with a real patch, simply uninstall this from Add/Remove Programs on the Control Panel. Patching with unofficial patches is very risky business; this comes without any guarantees of any kind. Please do back out these unofficial patches before applying official patches from Microsoft.

Belt and suspenders
There is a possibility to do the proven belt and suspenders approach here: using the unofficial patch and using the workaround from Microsoft together. Just remember to undo the damage done before applying any official patch for this vulnerability.

New Snort signatures
We are receiving signatures from Frank Knobbe that detect this newest variant, but we haven't done much testing for false positives or negatives at this point. Frank also restated some warnings: There is one important note in regards to ALL published signatures, including this one. All these signatures will fail to detect the exploits when the http_inspect preprocessor is enabled with default settings. By default, the flow_depth of the preprocessor is 300, which is too short to cover the whole exploit. Should the exploit be transmitted on port 80 and http_inspect is enabled, no alert will occur. Note that it will still alert on any ports (using the all-port sig below) that are not configured in http_inspect (ie. FTP). One solution is to add the statement "flow_depth 0" to the http_inspect preprocessor (actually the appropriate http_inspect_server line in the config). This will tell the preprocessor not to truncate the reassembled pseudo-packet, but it will have an adverse impact on performance. On busy networks, this will lead to 100% CPU utilization of the Snort process and major packet drops. So we're between a rock, a solid surface, and a hard place. The exploits are web based, yet the signature will fail with http_inspect enabled. With it disabled, Snort will miss all rules containing uricontent and pcre/U statements. With it enabled, and flow_depth set to 0, Snort will alert on the exploit, but also process all uricontent rules in such a fashion that its CPU utilization skyrockets. The only viable solution at this point is to run two instances of Snort. One with your normal set of rules and http_inspect enabled with either the default or "sane" values for flow_depth. The second instance should run with http_inspect disabled or flow_depth set to 0 (in the appropriate http_inspect_server config line), and process only rules that have to cover a larger than 300-byte area for content matches on ports configured in http_inspect. This two-pronged approach assures that Snort's performance is kept at normal levels, preventing packet loss.

Thanks
Thanks to all handlers working on this today, especially Lorna, Tom, Kevin, Jim, Scott, Daniel, Patrick and all those I forgot. Wishing all Windows machines, their users, owners and administrators a happy New Year, with a bit fewer nasty exploits.
Cache (306 bytes)
isc.sans.org/diary.php?storyid=1006
exe on vulnerable systems but otherwise causes no damage as far as we can tell. As always, test this file before using it on a production or enterprise computer. It's in German, but essentially what it does is provide you with a way to check your browser and your email client to see if you are vulnerable.
Cache (3885 bytes)
isc.sans.org/diary.php?storyid=994 -> handlers.dshield.org/jullrich/wmffaq.html
Obviously, we can not check the translations for accuracy, nor can we update them. Most of these translations are hosted on servers operated by the translation authors.

The WMF vulnerability uses images (WMF images) to execute arbitrary code. Even images stored on your system may cause the exploit to be triggered if they are indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well. Microsoft announced that an official patch will not be available before January 10th 2006 (next regular update cycle). Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'. Windows XP (SP1 and SP2) and Windows 2003 are affected by the currently circulating exploits. Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited.

An unofficial patch was made available by Ilfak Guilfanov. Our current "best practice" recommendation is to both unregister the DLL and to use the unofficial patch. The patch modifies gdi32.dll's Escape() function so that it ignores any call using SETABORTPROC (ie. ...). This should allow Windows programs to display WMF files normally while still blocking the exploit. The patch hosted here has been carefully checked against the source code provided as well as tested against all known versions of the exploit. dll on a running system that has had an exploit run against it allowing the exploit to succeed. It might not be a bad idea, but Windows File Protection will probably replace it. Also, once an official patch is available you'll need to replace the DLL.

WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents. DEP protects against a wide range of exploits by preventing the execution of 'data segments'. Some CPUs, like AMD's 64-bit CPUs, will provide full DEP protection and will prevent the exploit. At this point, we are aware of versions of the exploit that will not be detected by antivirus engines. It will be a hard battle to catch all versions of the exploit. Up-to-date AV systems are necessary but likely not sufficient. E-mail attachments, web sites, and instant messaging are probably the most likely sources. As part of the compromise, a frame was added to the site redirecting users to a corrupt WMF file. Instead of just containing simple 'this pixel has that color' information, WMF images can call external procedures. One of these procedure calls can be used to execute the code. Also, do not run as an administrator-level user for every day work. However, this will only limit the impact of the exploit, and not prevent it. Also: Web browsing is only one way to trigger the exploit. If the image is left behind on your system, and later viewed by an administrator, you may get 'hit'. In short: If someone can get an image to your server, and if the vulnerable DLL may look at it, your server may very well be vulnerable. If your proxy has some kind of virus checker, it may catch it. The less you allow your users to initiate outbound connections, the better. Close monitoring of user workstations may provide a hint if a workstation is infected. org is providing some continuously improving signatures for Snort users. Recent releases of this exploit take advantage of HTTP compression and randomization of the exploit to evade IDS signatures. It very much depends on the exact exploit you are hit with. It can be very hard, or even impossible, to find all the pieces. Microsoft offers free support for issues like that at 866-727-2389 (866 PC SAFETY).