New Windows Vulnerability

Just because we were missing them so much...

http://www.securityfocus.com/bid/16074

http://www.securityfocus.com/archive/1/420288/30/0/threaded

PS: do NOT follow the link on unionseek.com in the second message if you don't know what you're doing. And don't think you're safe if you're not using IE as administrator, either.

 

Re: New IE exploit

Has anyone been able test? Or know what the virus is?

It won't run on Win2k (.wmf extension is not listed) and I'm not set up to test on my XP laptop.

Here is the code that launches the file. I was prompted for download using both IE and Opera:

<iframe src="wmf_exp.wmf"></iframe​

and file scan:

http://www.rsjones.net/img/wmf.gif


Will scan later to see if it's been picked up.

regards,

-rich
________________
~~Be ALERT!!! ~~

 

Re: New IE exploit

I haven't gotten very far yet but when opening wmf_exp.wmf with IrfanView you then get a bumXXX.exe file and a HKLM Run string value is created named rscn with a data value of "C:\WINNT\system32\bumXXX.exe ymmud"

(X is random number)

This is yet another reason for users of IE to consider installing Eric Howe's IE-Spyad(unionseek.com in database) as another layer of protection if they must or choose to use IE.

 

Re: New IE exploit

Looking for this "unionseek com" in google links two pages, one empty and one not empty, with hidden iframes, but unrelated to the one listed on SecurityFocus. This second one crashes Firefox 1.5 if JavaScript is on (nothing happens if it's turned off). How serious that is I don't know, but I'll try to look. Doesn't seem a remote compromise, though (tested with Sandboxie, no strange files were left around).

 

Re: New IE exploit

Latest Jotti scan....the bum290.exe and bum464.exe files had same results.

Ewido scan:

C:\YB\Download_unscanned\bum128.exe -> Downloader.Small.cat : Ignored
C:\YB\Download_unscanned\bum290.exe -> Downloader.Small.cat : Ignored
C:\YB\Download_unscanned\bum464.exe -> Downloader.Small.cat : Ignored

edited thread title for correctness

 

Re: New IE exploit

When you go on that page, the Windows fax application opens and C:\WINDOWS\system32\rundll32.exe automatically connects to unionseek.com (no prompt whatsoever, at least if you don't run another firewall different from the XP one... and BTW I wouldn't trust that the application couldn't possibly bypass the firewall some way... I tested in Sandboxie where it sure has more difficulties leaking). Then it writes and executes the aforementioned bumXXX.exe (XXX random number), written directly in WINDOWS\system32; this all without user interaction.

These are the interesting files that were written before I terminated the processes and denied bumXXX.exe from connecting to the Internet:

"~WRF0409.tmp" in virtual disk root (it would've been C), md5 sum: fe3b1e317846e0f398af27954dd09c93, a copy of the trojan downloader; maybe this would've been deleted at the end of the installation.

"bum714.exe" the aforementioned trojan downloader, in WINDOWS\System32
(hash fe3b1e317846e0f398af27954dd09c93)

 

Re: New IE exploit

I clicked on the link and was prompted to DL the wmf_exp.wmf file, which i did. Nothing unusual happened during the DL, i got no alerts etc from anything. I have IE etc very well bolted down.

I also scanned it at jottis about an hour ago. It came back clean saying it had been scanned before. Interesting that 4 only AV's have been very quick to pick up on it in that time.

I analyized with a few Apps and got this.

First one -

File name: C:\WINDOWS\Desktop\wmf\wmf_exp.wmf
File size: 15KB

0000: 01 00 09 00 00 03 52 1F 00 00 06 00 3D 00 00 00 ......R.....=...
0010: 00 00 11 00 00 00 26 06 0F 00 18 00 FF FF FF FF ......&.........
0020: FF 00 10 00 00 00 00 00 00 00 00 00 C0 03 85 00 ................
0030: D0 02 00 00 09 00 00 00 26 06 0F 00 08 00 FF FF ........&.......
0040: FF FF 02 00 00 00 17 00 00 00 26 06 0F 00 23 00 ..........&...#.
0050: FF FF FF FF 04 00 1B 00 54 4E 50 50 14 00 20 00 ........TNPP.. .
0060: B8 00 32 06 00 00 FF FF 4F 00 14 00 00 00 4D 00 ..2.....O.....M.
0070: 69 00 00 00 0A 00 00 00 26 06 0F 00 0A 00 54 4E i.......&.....TN
0080: 50 50 00 00 02 00 F4 03 09 00 00 00 26 06 0F 00 PP..........&...
0090: 08 00 FF FF FF FF 03 00 00 00 0F 00 00 00 26 06 ..............&.
00A0: 0F 00 14 00 54 4E 50 50 04 00 0C 00 01 00 00 00 ....TNPP........
00B0: 01 00 00 00 00 00 00 00 05 00 00 00 0B 02 00 00 ................
00C0: 00 00 05 00 00 00 0C 02 D0 02 C0 03 04 00 00 00 ................
00D0: 04 01 0D 00 07 00 00 00 FC 02 00 00 00 00 66 00 ..............f.
00E0: 00 00 04 00 00 00 2D 01 00 00 09 00 00 00 FA 02 ......-.........
00F0: 05 00 00 00 00 00 FF FF FF 00 22 00 04 00 00 00 ..........".....

Followed by the

[/code]

Second one -

Size: 16036
Version:
CRC-32: 161F8F2B
MD5: 3C4BE59A2536F2D67D93A78C72357F5F
Read only: No
Hidden: No
System file: No
Directory: No
Archive: Yes
Symbolic link: No
Time stamp: Tuesday, December 27, 2005 9:08:56 PM
Creation: Tuesday, December 27, 2005 9:08:56 PM
Last access: Tuesday, December 27, 2005 12:00:00 AM
Last write: Tuesday, December 27, 2005 9:08:56 PM

Launching it in Xnview i get a big blue square picture. I saved it as a png file, size 4039.

CRC-32: D2CA03FF

MD5: 1CE3BAC338CF0D468E0436643FA0938F

I've resized it to post.

http://img526.imageshack.us/img526/8113/wmfexp26tg.png

Nothing in C:\system32 or elsewhere, and no sign of any bumxxx.exe. I ran Process Explorer and everythings normal there too. No peep out of ZA or anything in the logs either.

I'm running 98SE so maybe that's why nothings happened !

Interesting exploit, and some fine observations on here.


StevieO

 

Re: New IE exploit

Yes, maybe. I run XP SP2 and I'm fully patched to down their latest security update ), but the exploit fully works. Anybody knows about Windows 2003? Yes, by the way I see they changed the title to "New Windows Vulnerability" and that seems more appropriate, though it is immediately exploitable without any download prompt in IE.

 

Re: New IE exploit

Just curious....if it prompted you to download a file does that mean you have iframe enabled

If a user has not practiced safe hex

 

Re: New IE exploit

IE crashes also, but I looked at the error message - maybe someone can interpret it.

There were three pages cached. I copied the scripts from each - maybe someone can interpret the last one.

unionseek test​

regards,

-rich
________________
~~Be ALERT!!! ~~

 

Hi TNT and Bubba,

I have iframe set to Prompt me ! You think maybe that's why i got the chance to Allow/Deny the DL ?


StevieO

 

Re: New IE exploit

Well, it does work in an up-to-date Windows XP SP2 configuration with the latest patches.

 

Re: New IE exploit

Perhaps the user then needs to do it's part and properly secure the programs

 

See here for another analysis:

http://isc.sans.org/diary.php?storyid=972

-rich

 

Re: New IE exploit

Did test it with only Defensewall (computer formatted lately), IE and WMplayer running untrusted, and nothing happened

nicM

 

I just scanned it again at jottis to see how many other AV's had picked up on it since last time. What do you make of this ?

http://img452.imageshack.us/img452/2590/wmfj14qg.png


StevieO

 

Well, I got curious, so I set up my old laptop to test.

This is an easy exploit to block.

Windows WMF 0-day exploit - Blocked​

 

Best explaination here

http://www.f-secure.com/weblog/#00000752

 

So far, no other vendors have detected the .wmf file.

I added a second page to my test to show the running of this file:

WMF exploit test​

regards,

-rich
________________
~~Be ALERT!!! ~~

 

Re: New IE exploit

http://sunbeltblog.blogspot.com/2005/12/responsible-disclosure.html

This is clearly it, and it's another exploit for IE (different from the one with the wmf vulnerability). Not sure this actually works now, haven't tried it.

 

Hi Rmus,

I always enjoy your research, complete with images, which does help Greatly in following the events. I wish more people would do that !

I thought the bad grammer was amusing in the warning image " could broke your life " maybe someones PC anyway !

I keep meaning to ask you about the Beware of dog alert box i see often on your posts. What App is that ?

fsecureblog

Nice link, and interesting to note that FF can also be vulnerable too !


Here's a bit more info

http://redxii.blogspot.com/2005/12/vulnerabilities-in-graphics-rendering.html


StevieO

 

The main exploit appears to be a problem with handling wmf files. As the links say. If you open the wmf file with the right app, it starts the whole sequence of events.

http://secunia.com/advisories/18255/

The secondary trick is the iframes trick , IE that gets you to download and open wmf files with windows fax and image *without* any prompts. Is this a new exploit, old exploit, or something expected in IE?

As the blog says, Firefox 1.5 users seem to be safe, because firstly they are prompted, and secondly even if they accept, wmf are (wrongly) opened by default with windows media player which does not play the file.

 

Hi guys...

Can't even get to the page unionseek.com/d/t1/wmf_exp.htm
Opera displays a blank page and refuses to go.

Is this exploit browser dependent?

 

Re: New IE exploit

You mean WMplayer opened the the wmf file? Nothing should happen then, even without DF.