New Windows Vulnerability

Discussion in 'other security issues & news' started by TNT, Dec 27, 2005.

Thread Status:
Not open for further replies.
  1. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Last edited: Dec 27, 2005
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Re: New IE exploit

    Has anyone been able to test? Or know what the virus is?

    It won't run on Win2k (.wmf extension is not listed) and I'm not set up to test on my XP laptop.

    Here is the code that launches the file. I was prompted for download using both IE and Opera:

    <iframe src="wmf_exp.wmf"></iframe>

    and file scan:

    http://www.rsjones.net/img/wmf.gif


    Will scan later to see if it's been picked up.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: New IE exploit

    I haven't gotten very far yet but when opening wmf_exp.wmf with IrfanView you then get a bumXXX.exe file and a HKLM Run string value is created named rscn with a data value of "C:\WINNT\system32\bumXXX.exe ymmud"

    (X is random number)

    This is yet another reason for users of IE to consider installing Eric Howe's IE-Spyad (unionseek.com is in its database) as another layer of protection if they must or choose to use IE.
     

    Last edited: Dec 27, 2005
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Re: New IE exploit

    Looking for this "unionseek com" in Google links to two pages, one empty and one not empty, with hidden iframes, but unrelated to the one listed on SecurityFocus. This second one crashes Firefox 1.5 if JavaScript is on (nothing happens if it's turned off). How serious that is I don't know, but I'll try to look. Doesn't seem to be a remote compromise, though (tested with Sandboxie, no strange files were left around).
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: New IE exploit

    Latest Jotti scan... the bum290.exe and bum464.exe files had the same results.
    Ewido scan:

    C:\YB\Download_unscanned\bum128.exe -> Downloader.Small.cat : Ignored
    C:\YB\Download_unscanned\bum290.exe -> Downloader.Small.cat : Ignored
    C:\YB\Download_unscanned\bum464.exe -> Downloader.Small.cat : Ignored

    edited thread title for correctness
     
    Last edited: Dec 27, 2005
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Re: New IE exploit

    When you go on that page, the Windows fax application opens and C:\WINDOWS\system32\rundll32.exe automatically connects to unionseek.com (no prompt whatsoever, at least if you don't run another firewall different from the XP one... and BTW I wouldn't trust that the application couldn't possibly bypass the firewall some way... I tested in Sandboxie where it sure has more difficulties leaking). Then it writes and executes the aforementioned bumXXX.exe (XXX random number), written directly in WINDOWS\system32; all this without user interaction.

    These are the interesting files that were written before I terminated the processes and denied bumXXX.exe from connecting to the Internet:

    "~WRF0409.tmp" in virtual disk root (it would've been C), md5 sum: fe3b1e317846e0f398af27954dd09c93, a copy of the trojan downloader; maybe this would've been deleted at the end of the installation.

    "bum714.exe" the aforementioned trojan downloader, in WINDOWS\System32
    (hash fe3b1e317846e0f398af27954dd09c93)
     
  7. StevieO

    StevieO Guest

    Re: New IE exploit

    I clicked on the link and was prompted to DL the wmf_exp.wmf file, which I did. Nothing unusual happened during the DL, I got no alerts etc. from anything. I have IE etc. very well bolted down.

    I also scanned it at Jotti's about an hour ago. It came back clean saying it had been scanned before. Interesting that only 4 AVs have been very quick to pick up on it in that time.

    I analyzed it with a few Apps and got this.

    First one -

    File name: C:\WINDOWS\Desktop\wmf\wmf_exp.wmf
    File size: 15KB

    0000: 01 00 09 00 00 03 52 1F 00 00 06 00 3D 00 00 00 ......R.....=...
    0010: 00 00 11 00 00 00 26 06 0F 00 18 00 FF FF FF FF ......&.........
    0020: FF 00 10 00 00 00 00 00 00 00 00 00 C0 03 85 00 ................
    0030: D0 02 00 00 09 00 00 00 26 06 0F 00 08 00 FF FF ........&.......
    0040: FF FF 02 00 00 00 17 00 00 00 26 06 0F 00 23 00 ..........&...#.
    0050: FF FF FF FF 04 00 1B 00 54 4E 50 50 14 00 20 00 ........TNPP.. .
    0060: B8 00 32 06 00 00 FF FF 4F 00 14 00 00 00 4D 00 ..2.....O.....M.
    0070: 69 00 00 00 0A 00 00 00 26 06 0F 00 0A 00 54 4E i.......&.....TN
    0080: 50 50 00 00 02 00 F4 03 09 00 00 00 26 06 0F 00 PP..........&...
    0090: 08 00 FF FF FF FF 03 00 00 00 0F 00 00 00 26 06 ..............&.
    00A0: 0F 00 14 00 54 4E 50 50 04 00 0C 00 01 00 00 00 ....TNPP........
    00B0: 01 00 00 00 00 00 00 00 05 00 00 00 0B 02 00 00 ................
    00C0: 00 00 05 00 00 00 0C 02 D0 02 C0 03 04 00 00 00 ................
    00D0: 04 01 0D 00 07 00 00 00 FC 02 00 00 00 00 66 00 ..............f.
    00E0: 00 00 04 00 00 00 2D 01 00 00 09 00 00 00 FA 02 ......-.........
    00F0: 05 00 00 00 00 00 FF FF FF 00 22 00 04 00 00 00 ..........".....

    Followed by the


    Second one -

    Size: 16036
    Version:
    CRC-32: 161F8F2B
    MD5: 3C4BE59A2536F2D67D93A78C72357F5F
    Read only: No
    Hidden: No
    System file: No
    Directory: No
    Archive: Yes
    Symbolic link: No
    Time stamp: Tuesday, December 27, 2005 9:08:56 PM
    Creation: Tuesday, December 27, 2005 9:08:56 PM
    Last access: Tuesday, December 27, 2005 12:00:00 AM
    Last write: Tuesday, December 27, 2005 9:08:56 PM

    Launching it in Xnview I get a big blue square picture. I saved it as a png file, size 4039.

    CRC-32: D2CA03FF

    MD5: 1CE3BAC338CF0D468E0436643FA0938F

    I've resized it to post.

    http://img526.imageshack.us/img526/8113/wmfexp26tg.png

    Nothing in C:\system32 or elsewhere, and no sign of any bumxxx.exe. I ran Process Explorer and everything's normal there too. No peep out of ZA or anything in the logs either.

    I'm running 98SE so maybe that's why nothing's happened!

    Interesting exploit, and some fine observations on here.


    StevieO
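    Added here as an example, not code from any poster: a Python walker over the WMF header and record stream, fed with the first 256 bytes transcribed from the dump above. It checks the declared size field against the 16036 bytes StevieO reports, lists the records (the brush colour accounts for the blue square), and flags META_ESCAPE records that select SETABORTPROC (9), the escape function the vulnerability was later attributed to; that constant and the record layout come from the WMF format, not from this thread.

```python
import struct

# First 256 bytes of wmf_exp.wmf, transcribed from the hex dump posted above.
WMF_PREFIX = bytes.fromhex(
    "01000900 0003521F 00000600 3D000000 00001100 00002606 0F001800 FFFFFFFF"
    "FF001000 00000000 00000000 C0038500 D0020000 09000000 26060F00 0800FFFF"
    "FFFF0200 00001700 00002606 0F002300 FFFFFFFF 04001B00 544E5050 14002000"
    "B8003206 0000FFFF 4F001400 00004D00 69000000 0A000000 26060F00 0A00544E"
    "50500000 0200F403 09000000 26060F00 0800FFFF FFFF0300 00000F00 00002606"
    "0F001400 544E5050 04000C00 01000000 01000000 00000000 05000000 0B020000"
    "00000500 00000C02 D002C003 04000000 04010D00 07000000 FC020000 00006600"
    "00000400 00002D01 00000900 0000FA02 05000000 0000FFFF FF002200 04000000"
)
META_ESCAPE = 0x0626               # record that hands its payload to a GDI escape function
META_CREATEBRUSHINDIRECT = 0x02FC  # record that creates a brush (style, COLORREF, hatch)
SETABORTPROC = 0x0009              # escape function the WMF flaw abused (known fact, not from this thread)

def parse_wmf(data):
    """Walk a standard (non-placeable) WMF prefix; stop at the first malformed or cut-off record."""
    ftype, hdr_words, version, size_words, n_obj, max_rec, _ = struct.unpack("<HHHIHIH", data[:18])
    if ftype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a standard WMF header")
    header = {"version": version, "file_bytes": size_words * 2, "objects": n_obj, "max_record_words": max_rec}
    records, off = [], 18
    while off + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, off)   # size in 16-bit words, then function
        rec_len = rec_words * 2
        if rec_len < 6 or off + rec_len > len(data):              # too small or truncated: stop
            break
        rec = {"offset": off, "function": func, "params": data[off + 6:off + rec_len]}
        if func == META_ESCAPE and len(rec["params"]) >= 4:       # escape number, then byte count
            rec["escape"], rec["escape_bytes"] = struct.unpack_from("<HH", rec["params"])
        records.append(rec)
        off += rec_len
    return header, records

def risky_escapes(records):
    """META_ESCAPE records that invoke SETABORTPROC: what a content filter should flag."""
    return [r for r in records if r["function"] == META_ESCAPE and r.get("escape") == SETABORTPROC]

def brush_colors(records):
    """(R, G, B) of every brush the file creates; COLORREF is laid out as 0x00BBGGRR."""
    out = []
    for r in records:
        if r["function"] == META_CREATEBRUSHINDIRECT and len(r["params"]) >= 6:
            _style, c = struct.unpack_from("<HI", r["params"])
            out.append((c & 0xFF, (c >> 8) & 0xFF, (c >> 16) & 0xFF))
    return out
```

    Only the first 256 bytes are on this page, so the walker sees six MFCOMMENT escapes (0x0F) and the drawing setup; the rest of the 16036-byte file is not reproduced here.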
     
  8. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Re: New IE exploit

    Yes, maybe. I run XP SP2 and I'm fully patched down to their latest security update :), but the exploit fully works. Does anybody know about Windows 2003? Yes, by the way I see they changed the title to "New Windows Vulnerability" and that seems more appropriate, though it is immediately exploitable without any download prompt in IE.
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: New IE exploit

    Just curious... if it prompted you to download a file does that mean you have iframe enabled :doubt:

    If a user has not practiced safe hex :cool: :p
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Re: New IE exploit

    IE crashes also, but I looked at the error message - maybe someone can interpret it.

    There were three pages cached. I copied the scripts from each - maybe someone can interpret the last one.


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  11. StevieO

    StevieO Guest

    Hi TNT and Bubba,

    I have iframe set to Prompt me! You think maybe that's why I got the chance to Allow/Deny the DL?


    StevieO
     
  12. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Re: New IE exploit

    :D

    Well, it does work in an up-to-date Windows XP SP2 configuration with the latest patches.
     
  13. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: New IE exploit

    Perhaps the user then needs to do its part and properly secure the programs :eek:
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
  15. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Re: New IE exploit

    I tested it with only Defensewall (computer formatted lately), IE and WMplayer running untrusted, and nothing happened :D

    nicM
     
  16. StevieO

    StevieO Guest

  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
  18. fsecureblog

    fsecureblog Guest

    Best explanation here

    http://www.f-secure.com/weblog/#00000752

     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    So far, no other vendors have detected the .wmf file.

    I added a second page to my test to show the running of this file:


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  20. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Re: New IE exploit

    http://sunbeltblog.blogspot.com/2005/12/responsible-disclosure.html

    This is clearly it, and it's another exploit for IE (different from the one with the wmf vulnerability). Not sure this actually works now, haven't tried it.
     
  21. StevieO

    StevieO Guest

    Hi Rmus,

    I always enjoy your research, complete with images, which does help greatly in following the events. I wish more people would do that!

    I thought the bad grammar was amusing in the warning image "could broke your life", maybe someone's PC anyway!

    I keep meaning to ask you about the Beware of dog alert box I see often on your posts. What App is that?

    fsecureblog

    Nice link, and interesting to note that FF can also be vulnerable too!


    Here's a bit more info

    http://redxii.blogspot.com/2005/12/vulnerabilities-in-graphics-rendering.html


    StevieO
     
  22. DA232

    DA232 Guest

    The main exploit appears to be a problem with handling wmf files. As the links say. If you open the wmf file with the right app, it starts the whole sequence of events.

    http://secunia.com/advisories/18255/

    The secondary trick is the iframes trick , IE that gets you to download and open wmf files with windows fax and image *without* any prompts. Is this a new exploit, old exploit, or something expected in IE?

    As the blog says, Firefox 1.5 users seem to be safe, because firstly they are prompted, and secondly even if they accept, wmf files are (wrongly) opened by default with Windows Media Player, which does not play the file.
     
  23. OperaUser1

    OperaUser1 Guest

    Hi guys...

    Can't even get to the page unionseek.com/d/t1/wmf_exp.htm :rolleyes:
    Opera displays a blank page and refuses to go.

    Is this exploit browser dependent? o_O
     
  24. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,751
    Location:
    Texas
    The site is no longer up.

    Sans
     
  25. gfdgd

    gfdgd Guest

    Re: New IE exploit

    You mean WMplayer opened the wmf file? Nothing should happen then, even without DF.
     