
Windows WMF 0-day Exploit

20 replies to this topic

#1 Daisuke
    Cleaner on Duty
  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 28 December 2005 - 05:19 AM

A new 0-day exploit is in the wild.

Bloodhound.Exploit.56

Exploit-WMF

More details:
Windows WMF 0-day exploit in the wild

Microsoft Windows Graphics Rendering Engine WMF Format Unspecified Code Execution Vulnerability

Solution:
1. Update your Antivirus signatures.
2. Wait for a patch. :thumbsup:
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?


#2 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,522 posts
  • Gender:Male

Posted 28 December 2005 - 01:13 PM

I just got a newsletter about this from Kaspersky. Here's part of it:

Kaspersky Lab...has detected
a range of Trojan programs which exploit the Windows Meta File
vulnerability. This vulnerability is rated highly critical, and so far,
no patch has been issued.

The Trojans are classified as Trojan-Downloader.Win32.Agent.acd, as all
the samples detected by Kaspersky Lab come from the same family. New
modifications of these programs may well appear in the near future.

The WMF vulnerability is present in computers running Microsoft Windows
XP with SP1 and SP2, and Microsoft Windows Server 2003 with Service Pack
0 and Service Pack 1. The vulnerability can be exploited when viewing
infected sites with Internet Explorer, Firefox (if certain other
conditions are met), or when previewing *.wmf format files with Windows
Explorer.

Similar article:
http://www.viruslist.com/en/viruses/alerts?alertid=176701669

Note from the SANS article Daisuke linked to the conditions that have to be met for someone to be infected thru using Firefox:

a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.


So even tho it may be possible to get infected thru FF, it may be safer than using IE because you can refuse to allow the .wmf file to run. Just say no. :thumbsup: As far as is known at this point, you may get infected using IE just from visiting a website and you wouldn't know until it's too late.

http://www.f-secure.com/weblog/archives/ar...5.html#00000752

Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.

...all versions of Firefox and Opera prompt the user first.


It's also interesting that this exploit is being used to install "hoax anti-malware programs the likes of Avgold."

Known websites that install thru this exploit are listed in the next entry in the F-Secure blog:
http://www.f-secure.com/weblog/archives/ar...5.html#00000753

I'm sure that list will grow. But I'm not going to post them because of this warning:

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows.


The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 Daisuke
    Cleaner on Duty
  • Topic Starter
  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 29 December 2005 - 02:06 PM

Kaspersky about the WMF Vulnerability

http://www.viruslist.com/en/weblog?weblogid=176771047

At first glance it seems that hardware-based Data Execution Protection, which is available only with XP/SP2 on NX-bit (AMD) and XD-bit (Intel) enabled CPUs, prevents successful exploitation of the vulnerability.

We've tested on AMD and Intel platforms and HW DEP seemed initially to prevent successful exploitation in Internet Explorer and Windows Explorer. However, when testing the latest builds of third party image viewers like Irfanview and XnView HW DEP didn't prevent exploitation, even with HW DEP enabled for all programs. This is because both Irfanview and XnView are packed with ASPack and Windows disables HW DEP for ASPack packed files.

This shows that although HW DEP can help, it's by no means a solution.


Perhaps the most worrying thing about this whole issue is that NTFS rights have no effect on whether or not the vulnerability will be exploited.

Some people run under a limited user account (which among other things restricts NTFS rights). This may make people feel that they are protected from malware. In this case, nothing could be much further from the truth.

The attackers seem very well aware of this fact and have already released malware which will be downloaded and executed in a directory where a limited user has execution rights.


Our testing has also revealed that although Windows 2000 is not vulnerable by default, it is potentially vulnerable. If the Windows 2000 system has an image viewer which supports .wmf files installed, there's a high chance that the system will be vulnerable.



#4 Daisuke
    Cleaner on Duty
  • Topic Starter
  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 30 December 2005 - 04:55 AM

Wmf 0-day Exploit - Update

Analysts Fret as Adware Makers Leverage WMF Flaw

Another WMF (Windows Major Foul-Up)

Exfol/WebExt using WMF exploit on rotational popups

Update on WMF exploit

Microsoft Security Advisory (912840) - Update

#5 BanditFlyer
  • Members
  • 283 posts

Posted 30 December 2005 - 12:13 PM

I think this might be the same thing. My first thought when I read the article was to post here: http://www.updatexp.com/wmf-exploit.html

#6 Daisuke
    Cleaner on Duty
  • Topic Starter
  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 31 December 2005 - 08:35 PM

Yellow alert, second time this week - New exploit released

New exploit released for the WMF vulnerability - YELLOW

We have been able to confirm that this exploit works. We are in the process of getting information to AV vendors ASAP. We can also confirm that having the file and simply opening the directory can be enough to get the exploit running.

The exploit generates files:
* with a random size;
* no .wmf extension, (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer

From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the IDS signatures for the previous versions of the WMF exploits work for this next generation.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of the WMF files.


We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.

It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.

Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better.

http://www.f-secure.com/weblog/archives/ar...6.html#00000758

Take care!

#7 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,522 posts
  • Gender:Male

Posted 31 December 2005 - 09:01 PM

:thumbsup:

Grinler has made a script to make it easy to work around part of this exploit but as related here, there is not much you can do to cover all bases til MS gets off their duffs.

Windows Metafile exploit mitigation by unregistering shimgvw.dll



#8 Daisuke
    Cleaner on Duty
  • Topic Starter
  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 01 January 2006 - 06:43 AM

2nd generation WMF 0day Exploit Spammed

WMF FAQ - SANS Internet Storm Center

New WMF exploit attacks via email

Read the FAQ! Unregister the DLL (see above) and apply the unofficial patch (SANS & Ilfak Guilfanov). Keep your AV up-to-date. Stay tuned!

Edited by Daisuke, 01 January 2006 - 07:00 AM.


#9 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,522 posts
  • Gender:Male

Posted 01 January 2006 - 04:20 PM

That FAQ should be required reading for everybody. I'd like to point out a few things, but it shouldn't be a substitute for reading the entire FAQ and keeping up with the latest developments.

First, I don't like the sound of this:

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.

Altho it is still up in the air whether or not pre-Win2K operating systems are even subject to this vulnerability, I hope MS will be responsible enough to provide a patch if they are. They've been trying to phase out older non-NT-based OS's in an effort to force folks to upgrade for a while and they shouldn't let the cyber-criminal element accomplish that for them--in my opinion.

Second, note that the patch is only known to work on 2K and XP at this time. And the workaround by unregistering the shimgvw.dll is only available to operating systems WinME and upward--so that would imply ME is vulnerable.

For the moment, to be on the safer side, those running older operating systems should also do the following along with keeping your resident anti-virus up to date:

1. Use Firefox and Opera only--don't use Internet Explorer. If you are asked to download any image file, regardless of its extension, refuse permission.

Firefox
Opera for Windows

2. Follow standard best practices for your PC's security. It used to be that image files were safe to open if received as an email attachment. This is no longer the case and they should now be included in the list of executable files that you should avoid opening. Also be aware that the same best practices should be applied to Instant Messaging and P2P file-sharing. The same tricks that have been used to fool the unsuspecting into opening email attachments are also used by IM and P2P and there has been a monumental increase in being infected thru IM recently.

BEST PRACTICES: PC World's Avoid viruses & Scams

Simple and easy ways to keep your computer safe and secure on the Internet

Worm In The Wild Using The Wmf Exploit


3. Disable or uninstall any software that indexes files on your computer. The Google Toolbar has been mentioned, but it is unclear if it was being confused with the Google Desktop. Nevertheless, any toolbar with enhanced search features is suspect if you have managed to get an infected file on your system. Other popular free desktop search clients:

MSN Search Toolbar
Windows Desktop Search – enabled for the enterprise
Yahoo! Desktop Search

Ask Jeeves also has a Desktop client in beta and some others are out there.

Edited by Papakid, 02 January 2006 - 08:33 PM.



#10 Scarlett
    Bleeping Diva
  • Members
  • 7,479 posts
  • Gender:Female
  • Location:As always I'm beside myself ;)

Posted 02 January 2006 - 02:13 PM

http://www.f-secure.com/weblog/

Monday, January 2, 2006
Posted by Mikko @ 12:17 GMT


Our colleagues and business partners at Messagelabs have stopped a very interesting WMF attack today.

A new WMF exploit file was spammed from South Korea to a targeted list of a few dozen high-profile email addresses.

The email urged recipients to open the enclosed MAP.WMF file - which exploited the computer and downloaded a backdoor from www.jerrynews[dot]com.

What makes the case really interesting was the cloak-and-dagger language used in the email which was spoofed to originate from US State Department's security unit.

E-Mail Content:

From: tommy@security.state.gov

Confidential

Attached is the digital map for you. You should meet that man at those points seperately.

Delete the map thereafter. Good luck.

Tommy



#11 Scarlett
    Bleeping Diva
  • Members
  • 7,479 posts
  • Gender:Female
  • Location:As always I'm beside myself ;)

Posted 02 January 2006 - 06:36 PM

http://isc.sans.org/diary.php?storyid=975
Published: 2005-12-29,
Last Updated: 2005-12-29 11:23:53 UTC by Chris Carboni (Version: 1)




Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.


http://www.f-secure.com/weblog/

Friday, December 30, 2005

WMF, day 3 Posted by Stefan @ 12:29 GMT



And like always, renaming the file to any other image extension will not make a difference to MSPAINT. So our suggestion is to not open any pictures right now with MSPAINT whatsoever. Perhaps leaving image editors out completely for the rest of the year might be a good idea.


Edited by Scarlett, 05 January 2006 - 10:57 AM.

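The SANS note quoted above says Windows XP recognises a WMF by its content ("magic bytes") rather than its extension, and the F-Secure note says renaming the file makes no difference to MSPAINT. A defender's perimeter filter therefore has to identify the format the same way. The Python below is an added example, not code from this thread, from SANS or from F-Secure: it recognises WMF content from the placeable and standard headers and walks the record chain, never consulting the file name. The header and record layouts follow the published WMF format; the `SAMPLES` files are constructed here for the demonstration (structurally valid, no exploit content), and the function names are the example's own.

```python
"""Content-based WMF identification (added example, not from the thread)."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7      # on disk: D7 CD C6 9A, the placeable-WMF magic
PLACEABLE_HEADER_LEN = 22       # key, handle, bbox, inch, reserved, checksum
STANDARD_HEADER_LEN = 18        # META_HEADER is 9 WORDs
META_EOF = 0x0000
META_SETMAPMODE = 0x0103        # used only to build a sample record below


def parse_standard_header(data, offset=0):
    """Return the META_HEADER fields found at `offset`, or None if they are not
    plausible for a WMF (wrong type, header size or version)."""
    if len(data) < offset + STANDARD_HEADER_LEN:
        return None
    (file_type, header_size, version, size_words,
     num_objects, max_record, _members) = struct.unpack_from("<HHHIHIH", data, offset)
    if file_type not in (1, 2):           # 1 = in memory, 2 = on disk
        return None
    if header_size != 9 or version not in (0x0100, 0x0300):
        return None
    return {"file_type": file_type, "version": version, "size_words": size_words,
            "num_objects": num_objects, "max_record": max_record}


def walk_records(data, pos):
    """Follow the record chain from `pos` (each record: DWORD size in WORDs,
    WORD function). Returns (records_before_eof, eof_seen)."""
    count = 0
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:                # size + function alone take 3 WORDs
            break                         # corrupt chain: stop rather than loop
        if func == META_EOF:
            return count, True
        count += 1
        pos += size_words * 2
    return count, False


def sniff_wmf(data):
    """Classify bytes by content only; the file name is never consulted."""
    result = {"is_wmf": False, "placeable": False, "records": 0, "eof": False}
    offset = 0
    if len(data) >= PLACEABLE_HEADER_LEN and \
            struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        offset = PLACEABLE_HEADER_LEN     # standard header follows the placeable one
    header = parse_standard_header(data, offset)
    if header is None:
        return result
    result.update(is_wmf=True, placeable=(offset != 0), header=header)
    result["records"], result["eof"] = walk_records(data, offset + STANDARD_HEADER_LEN)
    return result


def disguised_wmf(files):
    """Names whose bytes are WMF but whose extension is not .wmf: exactly the
    files an extension-only perimeter filter lets through."""
    return [name for name, data in files.items()
            if sniff_wmf(data)["is_wmf"] and not name.lower().endswith(".wmf")]


# ---- constructed sample files (structurally valid, no exploit content) ----
_EOF_RECORD = struct.pack("<IH", 3, META_EOF)               # 3 WORDs: size + function
_SETMAPMODE = struct.pack("<IHH", 4, META_SETMAPMODE, 1)    # 4 WORDs, one parameter


def _standard_wmf(records=b"", max_record=3):
    body = records + _EOF_RECORD
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (STANDARD_HEADER_LEN + len(body)) // 2, 0, max_record, 0)
    return header + body


def _placeable_wmf(standard):
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):   # XOR of the first 10 WORDs
        checksum ^= word
    return head + struct.pack("<H", checksum) + standard


SAMPLES = {
    "clean.wmf": _standard_wmf(),                                  # honest extension
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00",
    "map.jpg": _standard_wmf(),                                    # WMF renamed to .jpg
    "placeable.gif": _placeable_wmf(_standard_wmf(_SETMAPMODE, max_record=4)),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15s} {sniff_wmf(data)}")
    print("extension filter would miss:", disguised_wmf(SAMPLES))
```

The classifier only answers "is this a WMF?", which is the decision a content-aware filter needs in order to apply the same policy to `map.jpg` as to `map.wmf`; it deliberately does not try to judge whether the records are malicious, since, as the thread notes, the exploit generator varied sizes, junk and trailers enough that signature matching on the records was unreliable at the time.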

#12 Daisuke
    Cleaner on Duty
  • Topic Starter
  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 03 January 2006 - 12:05 PM

Microsoft will release a security update next Tuesday

Microsoft Security Advisory (912840)

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.



#13 Daisuke
    Cleaner on Duty
  • Topic Starter
  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 04 January 2006 - 05:21 PM

New WMF exploits on the horizon

At the moment, the number of different WMF exploits we've seen has gotten well past a hundred and more are coming every hour.

But that's not the worst. The most recent exploits show that the bad guys have been very very busy finding and implementing new ways to get their exploits past various AV products. So much for the dark side taking a break over the winter holidays and New Year.

Not surprisingly, we haven't taken a break either. We released an update to our heuristics which deals not only with the most recent exploits but also with a few tricky ways to exploit the vulnerability which haven't been used in attacks - yet. Just as a precaution, you know.

At the same time, some people, Microsoft included, are busy developing fixes. Our friends from F-Secure have blogged about Ilfak Guilfanov's patch, which is currently the most popular one.

A beta version of the Microsoft patch, scheduled to be released on January 10, was leaked on the Internet. Microsoft has recommended customers to "disregard" it, warning that threats could be hidden in any patches coming from dubious sources.

Of course, you should never use a patch from an untrusted source, no matter how promising it looks. Ilfak's patch is the only one we can recommend. Make sure you do some testing beforehand, especially if you are going to deploy it on a large number of production machines though. Ilfak, who is the author of the popular IDA disassembler, knows what he's doing, and the work he's put into developing the patch is admirable.

And finally, you should always be very wary of any third party patch from an untrusted source, whether it's claiming to fix an old vulnerability or the latest WMF vulnerability. This is a method which has successfully been used in the past to distribute malware.



WMF vulnerability – no official patch yet

Microsoft has responded to the identification of the WMF vulnerability by promising to release a patch on January 10th. The patch will be released as part of the scheduled monthly release of security bulletins. At the moment it is being localised and quality tested.

Microsoft itself claims that monitoring of the vulnerability shows that attacks are not widespread and limited in scope. At the same time, the lack of an official patch has opened a window of opportunity for malicious users to exploit. It has been reported that there are now dozens of attacks being carried out, ranging from an MSN worm to spam containing links to malicious websites. One suggestion is that at least a million PCs worldwide have already been affected. It has also been claimed that up to 99% of computers worldwide could be vulnerable to this security flaw.

One indication of the seriousness of the situation is the advice given by some security professionals to install an unofficial Windows patch created by computer expert Ilfak Guilfanov. This is unusual, and those who recommend installing Guilfanov's patch stress that installing third party patches from untrusted sources is highly unwise. Microsoft itself advises against installing third-party add-ons as the company cannot guarantee functionality. However, the only alternative advice Microsoft can offer is to keep antivirus signature files updated, and to sit tight until the official patch is released next week.



#14 Daisuke
    Cleaner on Duty
  • Topic Starter
  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 05 January 2006 - 02:24 PM

No patch for Windows 98, Windows 98 SE, and Windows Me

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) were previously listed as affected, but are no longer listed. Why is that?
Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates.


http://www.microsoft.com/technet/security/...ory/912840.mspx

Edited by Daisuke, 05 January 2006 - 02:24 PM.


#15 Scarlett
    Bleeping Diva
  • Members
  • 7,479 posts
  • Gender:Female
  • Location:As always I'm beside myself ;)

Posted 05 January 2006 - 02:37 PM

:thumbsup: :flowers: M$