WMF exploit History

Renewed interest has been show in Image file exploits - malware enbeded in .jpg, .doc - https://www.wilderssecurity.com/showthread.php?t=251875


So for those that wern't around at the time, or maybe have forgotten ...

Here's how the WMF exploit all started in December 2005, then spread around the world, and the resulting aftermath.

-

First worm using the new WMF vulnerability has been found - http://www.f-secure.com/weblog/archives/archive-122005.html

-

Deep investigation commenced on grc.com

-

" The guys at F-Secure, while they were fetching a file in a DOS box, it infected their machine because they had Google's desktop search system going. And it turns out, when they fetched the file, Google's desktop system indexed it. And the process of indexing the file caused the exploit to run. "

-

A SERIOUS new Windows vulnerability - http://www.grc.com/sn/sn-020.htm

The Windows MetaFile (WMF) Vulnerability - http://www.grc.com/sn/sn-021.htm

The Windows MetaFile Backdoor? - http://www.grc.com/sn/sn-022.htm

WMF MICE detection utility - http://www.grc.com/wmf/wmf.htm

-

Lots of testing started on Wilders + broadbandreports, amongst lots of other places. These are just a few examples of all the threads and posts in various areas -


New Windows Vulnerability - https://www.wilderssecurity.com/showthread.php?t=113044

Help me understand this .wmf exploit a little better - https://www.wilderssecurity.com/showthread.php?t=114052

BOClean, WMF and Limited User Accounts? - https://www.wilderssecurity.com/showthread.php?t=113506

" The exploit is a datafile that runs in WMP, at the system level so being a limited user isn't going to buy you anything. Tricks like this, using programs like WMP that are part of the OS now are how malware authors are getting around the confines of limited user. "


Windows MetaFiles still vulnerable - http://www.broadbandreports.com/forum/remark,15115819

UNTIL This Is Repaired By MICROSOFT - http://www.broadbandreports.com/forum/remark,15138954

More Graphics Vulnerabilities - http://www.broadbandreports.com/forum/remark,15206213

-

" Leo and Steve close the backdoor on the controversial Windows WMF MetaFile Image code Execution (MICE) vulnerability. They discuss everything that's known about it, separate the facts from the spin, explain exactly which Windows versions are vulnerable and why, and introduce a new piece of GRC freeware - MouseTrap - which determines whether any Windows or Linux/WINE system has 'MICE' " - http://www.grc.com/sn/sn-023.htm

-

Windows Metafile vulnerability - http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

 

How can I try it?

 

If you want to test your PC for Graphics Vulnerabilities, i've uploaded a Zipped folder with a whole buch of different test files. These include WMF's and other types too.

Also included in the folder are a number of Security/Vulnerability checkers and Fixers. Although by now everybody should be patched, but i've kept them in for those who might be interested.

The above were all collected from around the time the exploits were happening in 2005/2006.

Originally i also had an extra folder in there with dozens of Live WMF Malware samples i tested, that i'd collected over the period. But i've removed these as a precaution, so ALL the files in the Zip are 100% safe.

*****

It appears the previous Zip didn't work for some unknown reason, even though i downloaded and tested it myself which worked, so i've uploaded a new one. This time there is NO password - ~Link removed. Do not send me a pm instead read the TOS.~

 

It would be great if we knew the .zip password.

 

Isn't the WMF exploit a little bit on the old side to be considered interesting?

Well, in any case, I spotted a hilarious statement in one of those threads linked here, and I'll comment quickly on that.

LOL. That statement is entirely just so wrong that it's downright amusing.

- "Runs in WMP"? No. The original MS06-001 WMF exploit was possible due to a really stupid function in gdi32.dll. It's not a problem with Windows Media Player (WMP) at all. It's a problem in the graphics rendering engine. Even if you had completely wiped out WMP from your system, the WMF exploit still works, because gdi32.dll will be there. Sounds to me like someone got their wmfs and wmvs mixed up. Windows Media Player has had its own share of vulnerabilities, including ones that concern processing of image files, but this exploit is not one of those.

- "at the system level"? No, certainly not. There's nothing "system level" about it. When the exploit runs, it gains the same privileges as the local user. If the local user is admin, it gains admin privileges and owns the whole system. If the local user is a limited user, it only gains limited user privileges and can only affect that limited user account.

- "being a limited user isn't going to buy you anything"? Completely and utterly wrong. If you get hit by the exploit as a limited user, the exploit won't be able to infect other user accounts, modify system files, install kernel-mode rootkits, terminate security products running with higher privileges and so on and so on. While the exploit will still run, the amount of damage it can do is limited to the user profile of the limited user account, no other accounts are affected and neither is the entire system.

- "Tricks like this, using programs like WMP that are part of the OS now are how malware authors are getting around the confines of limited user." That might be the case, if this was actually somehow getting around the confines of limited user - which it's not. Limited user accounts don't prevent you from executing programs. If they did, it would be pretty boring to be a limited user - you wouldn't be able to do anything.

But back to the regular programming now.

 

~snip~

Very useful post - thanks Windchild.

 

DOSawaits et al

Re - PASSWORD for Graphics Vulnerabilities Zip

Previous Zip link removed, see above

-

Windchild

" Isn't the WMF exploit a little bit on the old side to be considered interesting? "

Well maybe not for those who wern't aware of what happened. Plus as i mentioned, Renewed interest has been show in Image file exploits - malware enbeded in .jpg, .doc - https://www.wilderssecurity.com/showthread.php?t=251875 etc ...

Re the LUA etc.

Interesting, i wonder why that was said at the time ?

 

Previous Zip link removed and replaced, please see above