New Windows Vulnerability

Discussion in 'other security issues & news' started by TNT, Dec 27, 2005.

Thread Status:
Not open for further replies.
  1. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Ronjor, thanks for the link.

    Secunia write:

    "The risks can be mitigated by unregistering "Shimgvw.dll". However, this will disable certain functionalities. Secunia do not recommend the use of this workaround on production systems until it has been thoroughly tested."

    When I read this, you have 2 options:

    1) a secure environment
    2) productivity isn't affected, but you are working in an insecure environment

    Easy choice?
    Or not an easy one?
     
  2. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    That's for sure! A side effect I noticed:

    https://www.wilderssecurity.com/showthread.php?t=113293
     
  3. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Most of them are catching up
     

  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    My mother told me that 2 days ago there were some strange things happening on her computer, and what she described sounded like it was the WMF file attack, but there doesn't seem to be an infection at all. I think ZoneAlarm or the "deny loading programs/file in iframes" setting stopped the attack. :rolleyes:

    I asked her if she saved WMF files, but she said no; the only thing she does is save images via the context menu in IE and then preview them in explorer.exe. Could that also have triggered the attack? And what the heck does a WMF file look like? Is it the same as a GIF or JPEG pic?

    At the moment I have applied the following workaround. This won't break the Explorer image preview function, but I've also read that file types with other extensions like GIF, JPEG, PNG can also be used to trigger the exploit, so I wonder if this is enough:

    http://www.eweek.com/article2/0,1759,1906211,00.asp?kc=EWRSS03129TX1K0000614
     
  5. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Exfol/WebExt using WMF exploit on rotational popups


    This is bad.

    Exfol/WebExt is a piece of adware that is often offered through popups at various sites.
    We saw a post from Tom Fischcer off of the spyware-research mailing list that Exfol was using the exploit. Knowing Exfol's behavior, we then checked one site that they typically have popups on, wallpapers4u(dot)com.

    Ok, here is why this is bad. You don't have to go to a crack site or a porn site. You go to any site that is using rotational popups from a third party ad network that is spawning Exfol popups, and you get exploited.


    Full article here
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
  7. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    That's not hard to do :eek:
     
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    :D :D
     
  10. StevieO

    StevieO Guest

    Devinco

    In answer to your question about recognising the file types by the headers, here are some examples I've put together for you by dragging and dropping the file/s into MiniDumper's window.

    I've only shown the first lines for clarity -

    These are EXE's -

    File name: C:\WINDOWS\Desktop\minidumper.exe
    File size: 20KB

    0000: 4D 5A 0A 00 02 00 00 00 04 00 0F 00 FF FF 00 00 MZ..............

    -

    File name: C:\Program Files\SpywareBlaster\spywareblaster.exe
    File size: 988KB

    0000: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............

    -

    This is a JPEG image -

    File name: C:\WINDOWS\Desktop\Test.jpg
    File size: 52KB

    0000: FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 48 ......JFIF.....H

    -

    This is a GIF image -

    File name: C:\WINDOWS\Desktop\Test.gif
    File size: 223 Bytes

    0000: 47 49 46 38 39 61 0F 00 0F 00 F4 00 00 C4 C2 C4 GIF89a..........

    -

    This is a PNG image -

    File name: C:\WINDOWS\Desktop\Xmas\Test.png
    File size: 325KB

    0000: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 .PNG........IHDR

    -

    This is a ZIP -

    File name: C:\WINDOWS\Desktop\Test.zip
    File size: 472KB

    0000: 50 4B 03 04 14 00 00 00 08 00 0D B5 91 33 66 DC PK...........3f.

    -

    This is a DLL -

    File name: C:\WINDOWS\Desktop\winsock.dll
    File size: 21KB

    0000: 4D 5A 19 00 04 00 00 00 04 00 00 00 FF FF 00 00 MZ..............

    -

    This is a PDF -

    File name: C:\WINDOWS\Desktop\Test.pdf
    File size: 107KB

    0000: 25 50 44 46 2D 31 2E 32 20 0D 25 E2 E3 CF D3 0D %PDF-1.2 .%.....

    -

    Hope that helps

    . . .

    I went to wallpapers4u(dot)com and nothing happened!


    StevieO
     
  11. NIST.org

    NIST.org Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    11
    John Herron at NIST.org is reporting that all recent versions of Lotus Notes are vulnerable to the MS WMF zero-day exploit. The WMF file can be renamed to a JPG extension and Lotus Notes will still be vulnerable. Lotus Notes uses the same graphics rendering engine (shimgvw.dll) used by Internet Explorer in the current exploit. Click here to see the full analysis article.
     
    Last edited: Dec 29, 2005
  12. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    The first line of infected WMF files is:

    00000000h: 01 00 09 00 00 03 52 1F 00 00 06 00 3D 00 00 00 ; ......R.....=...
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Nice work guys.

    I read about this yesterday here on Wilders and actually passed on the info to my boss, who thought it was the old WMF exploit. :rolleyes:

    He even researched it (so he said) and told me so. After some research and testing myself, I showed him he was wrong. Me needs a new job. Anyone hiring? :D

    Cheers to all of you for these great posts. :cool:
     
  14. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    With reference to the above quote, the article below, the 'Magic of magic byte' is worth a look. It illustrates the potential danger of not looking past the first indicators when using this method to define files :-

    http://www.securityelf.org/magicbyte.html


     
    Last edited: Dec 30, 2005
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Did you use IE? It took a minute or so for the action to begin :)
     
  16. StevieO

    StevieO Guest

    eyes-open

    Yes, good point! I looked at that site in March this year when it was mentioned here:

    Bypass of 22 Antivirus software with GDI+ bug...

    http://www.dslreports.com/forum/remark,12840825~days=9999

    Other good info at www.securityelf.org too

    http://www.securityelf.org/whitepapers.html


    Rmus had a nice thread here a few weeks ago

    Do You Trust Known File Extensions?

    https://www.wilderssecurity.com/showthread.php?t=109689


    This is the test that Andrey did last year for an "Undetectable" JPEG.

    Bypass of Antivirus software with GDI+ bug exploit Mutations.

    http://www.securityelf.org/jpeg.html


    The AV vendors of course now pick up on it, as did mine when I tried to save it to my desktop. I disabled my AV to continue testing.

    This is what MiniDump shows -

    File name: C:\WINDOWS\Desktop\bulzano2.jpg
    File size: 71KB

    0000: FF D8 FF E0 00 10 4A 46 49 46 00 01 02 01 00 4B ......JFIF.....K
    0010: 00 4B 00 00 FF ED 19 1C 50 68 6F 74 6F 73 68 6F .K......Photosho
    0020: 70 20 33 2E 30 00 38 42 49 4D 03 E9 00 00 00 00 p 3.0.8BIM......
    0030: 00 78 00 07 00 00 00 48 00 48 00 00 00 00 02 DB .x.....H.H......
    0040: 02 40 FF E7 FF EE 02 FF 02 52 1F 03 05 28 03 FC .@.......R...(..
    0050: 00 01 00 00 01 2C 01 2C 00 00 00 00 06 AE 05 A0 .....,.,........
    0060: 01 2C 00 2D 05 A0 5E EC 00 26 02 01 01 01 00 18 .,.-..^..&......
    0070: 00 01 27 0F 00 01 00 01 00 00 00 00 00 00 00 00 ..'.............
    0080: 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 ................
    0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 ................
    00A0: 00 00 04 02 04 05 00 00 00 00 38 42 49 4D 03 ED ..........8BIM..
    00B0: 00 00 00 00 00 10 00 4B 00 00 00 01 00 01 00 4B .......K.......K
    00C0: 00 00 00 01 00 01 38 42 49 4D 03 F3 00 00 00 00 ......8BIM......
    00D0: 00 08 00 00 00 00 00 00 00 00 38 42 49 4D 04 0A ..........8BIM..
    00E0: 00 00 00 00 00 01 00 00 38 42 49 4D 27 10 00 00 ........8BIM'...
    00F0: 00 00 00 0A 00 01 00 00 00 00 00 00 00 02 38 42 ..............8B

    I also tested it with the JPEGScan from www.diamondcs.com.au/jpegscan that i've used before and that Andrey mentions, just out of curiosity, even though i know it's a different vulnerability, and it didn't pick up on it.

    So it appears that reading the headers is a good idea, but not the whole story, as it may not always display other things that could be revealing!

    Rmus

    Yes, I am using IE, and I was surprised that nothing happened immediately on wallpapers4u(dot)com as it did when I went to unionseek.com the other day! I spent about 5 minutes or so trying out the different links to no avail. The pretty pictures had nothing to do with the "exposure time", honest lol. I've just tried again and still nothing!

    It's possible that because I'm on 98SE with both it and IE tightly bolted down, I am able to escape all these kinds of exploits that I keep attempting? Makes me feel "cautiously" confident anyway.

    StevieO
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That must be it, so loosen some of those bolts so that you can enjoy these exploits :)

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~
     
  18. devilish

    devilish Guest

    Correct me if I'm wrong, but it looks to me you didn't block the WMF exploit per se from working; rather, the stuff it downloaded and tried to install couldn't do any damage except for putting stuff on your desktop.

    To the end user it doesn't make any difference i suppose, but your test is actually showing that the stuff the exploit tried to install couldn't do much damage, not that you actually stopped the exploit from working in the first place.
     
  19. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, you are right.
     
  20. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    StevieO,

    Thank you for the excellent information and the file header examples!! :)
    Always wanted to learn about magic bytes.



    eyes-open,

    Thanks for the link to Wayne's informative article.
    Who would have guessed Wayne was also the author of security articles?
     
  21. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    @ StevieO & Devinco

    As the subject of magic bytes/file signatures has already come up in this thread, it doesn't seem too OT to add a little more.

    To be clear I don't say magic bytes have no value, just that there is a need to double check and not take on face value. In fact as a beginner, I think they're a neat way of dipping your toes into reading Hex as a practical exercise.

    Kye-U has cleverly used the hex form of file signatures as a way of filtering out .WMF files with Proxomitron:-

    https://www.wilderssecurity.com/showpost.php?p=643186&postcount=16

    That being clarified and as there is some interest I came across this more exhaustive and fairly recent list of file signatures.

    http://www.garykessler.net/library/file_sigs.html

    Regards

    eyes-open
     
    Last edited: Dec 30, 2005
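    The header examples StevieO posted, Kye-U's first line of the WMF files, and the "renamed to .jpg" point from the Lotus Notes report all come down to the same check: look at the leading bytes rather than the extension. The script below is an added example written for this thread (it is not code from any poster or from the tools mentioned). It recognises the signatures quoted above (MZ, JFIF, GIF89a, PNG, PK, %PDF) plus both WMF forms: the placeable header key 0x9AC6CDD7 and the standard METAHEADER, whose first three words (type 1 or 2, header size 9, version 0x0100 or 0x0300) match Kye-U's `01 00 09 00 00 03`. The sample bytes are transcribed from the hex lines in this thread, not read from real files. As eyes-open notes, a matching signature only tells you which parser a file will be handed to; it says nothing about whether the body is malformed, so treat this as a triage aid, not a verdict.

```python
"""
Identify files by their leading bytes ("magic bytes") rather than by extension,
and flag files whose extension disagrees with their content.

Added example for this thread; not code from any poster.  Signatures are the
ones quoted in the thread, and SAMPLES below are constructed from its hex lines.
"""
import struct

# (type name, magic at offset 0)
SIGNATURES = [
    ("pe (exe/dll)", b"MZ"),
    ("jpeg",         b"\xFF\xD8\xFF"),
    ("gif",          b"GIF87a"),
    ("gif",          b"GIF89a"),
    ("png",          b"\x89PNG\r\n\x1a\n"),
    ("zip",          b"PK\x03\x04"),
    ("pdf",          b"%PDF-"),
    # Placeable (Aldus) WMF: key 0x9AC6CDD7, stored little-endian on disk
    ("wmf",          b"\xD7\xCD\xC6\x9A"),
]

# Extensions that are consistent with each detected type
EXPECTED_EXT = {
    "pe (exe/dll)": {"exe", "dll", "scr", "ocx"},
    "jpeg": {"jpg", "jpeg"},
    "gif": {"gif"},
    "png": {"png"},
    "zip": {"zip"},
    "pdf": {"pdf"},
    "wmf": {"wmf"},
}


def is_standard_wmf(data: bytes) -> bool:
    """A standard (non-placeable) WMF has no fixed magic string.  Its METAHEADER
    opens with three little-endian WORDs: mtType (1 = memory, 2 = disk),
    mtHeaderSize (always 9 words) and mtVersion (0x0100 or 0x0300).
    Kye-U's line '01 00 09 00 00 03' is type 1, size 9, version 0x0300."""
    if len(data) < 6:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def sniff(data: bytes) -> str:
    """Return the type implied by the leading bytes, or 'unknown'."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    if is_standard_wmf(data):
        return "wmf"
    return "unknown"


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_file(filename: str, data: bytes):
    """Return (detected type, True if the extension is consistent with it)."""
    kind = sniff(data)
    return kind, extension_of(filename) in EXPECTED_EXT.get(kind, set())


# First 16 bytes of each example, transcribed from the MiniDumper output above
SAMPLES = {
    "minidumper.exe": bytes.fromhex("4D 5A 0A 00 02 00 00 00 04 00 0F 00 FF FF 00 00"),
    "Test.jpg":       bytes.fromhex("FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 48"),
    "Test.gif":       bytes.fromhex("47 49 46 38 39 61 0F 00 0F 00 F4 00 00 C4 C2 C4"),
    "Test.png":       bytes.fromhex("89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52"),
    "Test.zip":       bytes.fromhex("50 4B 03 04 14 00 00 00 08 00 0D B5 91 33 66 DC"),
    "winsock.dll":    bytes.fromhex("4D 5A 19 00 04 00 00 00 04 00 00 00 FF FF 00 00"),
    "Test.pdf":       bytes.fromhex("25 50 44 46 2D 31 2E 32 20 0D 25 E2 E3 CF D3 0D"),
    # Kye-U's WMF first line saved under a .jpg name: the renaming trick the
    # Lotus Notes report describes.  Content sniffing still sees a WMF.
    "wallpaper.jpg":  bytes.fromhex("01 00 09 00 00 03 52 1F 00 00 06 00 3D 00 00 00"),
}


def scan(samples=SAMPLES):
    """Map each filename to (detected type, extension-consistent?)."""
    return {name: check_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, ok) in scan().items():
        flag = "" if ok else "   <-- extension does not match content"
        print(f"{name:16} {kind:14}{flag}")
```

    Run as a script it prints one line per sample; only `wallpaper.jpg` is flagged, because its bytes form a standard WMF header while its name claims JPEG. That is exactly the case where Explorer's preview or IE's "open files based on content" sniffing will still route the file to the image renderer regardless of what the extension says.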
  22. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you eyes-open! That is a good comprehensive list.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    There are some things that I don't understand about the WMF exploit:

    1 IE can't display WMF files, right? So it will ask you if you want to save or open the file, in my case with XnView. If you open it, there is no problem if XnView is not using the vulnerable DLL file, and it's not as far as I know. If you save the file you can get affected if you preview it in Explorer.

    2 But if the exploit is triggered, a good firewall/IPS should be able to stop this, right?

    3 I've read that renamed GIFs and JPEGs can also be risks, but you need to rename them first, right? And I don't see why you would want to do this.

    4 About the magic byte issue, can't this be shut down with the following IE security setting set to disabled?

    "Open files based on content, not file extension"

    Feedback will be appreciated. :)
     
  24. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Wow guys, do a google search for 'unionseek' and you get tons of websites flooded with big news about this exploit.
    A possible safer way to test this would be to test this exploit in a VIRTUAL ENVIRONMENT/VIRTUAL MACHINE. Then you won't let the real physical operating system get infected hands-down. Testing this in a NON-virtual environment with tight security measures and lockdowns may be ok. Quite adventurous.
     
  25. devily

    devily Guest

    Thank you for the warning Nadirah.
     