New Windows Vulnerability

Discussion in 'other security issues & news' started by TNT, Dec 27, 2005.

Thread Status:
Not open for further replies.
  1. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Ronjor, thanks for the link.

    Secunia write:

    "The risks can be mitigated by unregistering "Shimgvw.dll". However, this will disable certain functionalities. Secunia do not recommend the use of this workaround on production systems until it has been thoroughly tested."

    When i read this, you have 2 options:

    1) a secure environment
    2) productivity isn't affected, but you are working in an insecure environment

    Easy choice?
    Or not an easy one?
     
  2. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    432
    That's for sure! A side effect I noticed:

    https://www.wilderssecurity.com/showthread.php?t=113293
     
  3. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Most of them are catching up
     

    Attached Files:

  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,101
    Location:
    The Netherlands
    My mother told me that 2 days ago there were some strange things happening on her computer, and what she described sounded like it was the WMF file attack, but there doesn´t seem to be an infection at all, I think ZoneAlarm or the "deny loading programs/file in iframes" setting, stopped the attack. :rolleyes:

    I asked her if she saved WMF files but she said no, the only thing that she does is saving images via the contextmenu in IE, and then she previews them in explorer.exe, could that also have triggered the attack? And what the heck does a WMF file look like, is it the same like a gif or jpeg pic?

    At the moment I have applied the following workaround, this won´t break the explorer image preview function, but I´ve also read that filetypes with other extensions like GIF, JPEG, PNG can also be used to trigger the exploit, so I wonder if this is enough:

    http://www.eweek.com/article2/0,1759,1906211,00.asp?kc=EWRSS03129TX1K0000614
     
  5. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Exfol/WebExt using WMF exploit on rotational popups


    This is bad.

    Exfol/WebExt is a piece of adware that is often offered through popups at various sites.
    We saw a post from Tom Fischcer off of the spyware-research mailing list that Exfol was using the exploit. Knowing Exfol’s behavior, we then checked one site that they typical have popups on, wallpapers4u(dot)com.

    Ok, here is why this is bad. You don’t have to go to a crack site or a porn site. You got to any site that is using rotational popups from a third party ad network that is spawning Exfol popups, you get exploited.


    Full article here
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
  7. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    That's not hard to do :eek:
     
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    :D :D
     
  10. StevieO

    StevieO Guest

    Devinco

    In answer to your question about recognising the file types by the headers, here's some examples i've put together for you by dragging and dropping the file/s into MiniDumpers window.

    I've only shown the first lines for clarity -

    These are EXE's -

    File name: C:\WINDOWS\Desktop\minidumper.exe
    File size: 20KB

    0000: 4D 5A 0A 00 02 00 00 00 04 00 0F 00 FF FF 00 00 MZ..............

    -

    File name: C:\Program Files\SpywareBlaster\spywareblaster.exe
    File size: 988KB

    0000: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............

    -

    This a JPEG image -

    File name: C:\WINDOWS\Desktop\Test.jpg
    File size: 52KB

    0000: FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 48 ......JFIF.....H

    -

    This a GIF image -

    File name: C:\WINDOWS\Desktop\Test.gif
    File size: 223 Bytes

    0000: 47 49 46 38 39 61 0F 00 0F 00 F4 00 00 C4 C2 C4 GIF89a..........

    -

    This a PNG image -

    File name: C:\WINDOWS\Desktop\Xmas\Test.png
    File size: 325KB

    0000: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 .PNG........IHDR

    -

    This a ZIP -

    File name: C:\WINDOWS\Desktop\Test.zip
    File size: 472KB

    0000: 50 4B 03 04 14 00 00 00 08 00 0D B5 91 33 66 DC PK...........3f.

    -

    This a DLL -

    File name: C:\WINDOWS\Desktop\winsock.dll
    File size: 21KB

    0000: 4D 5A 19 00 04 00 00 00 04 00 00 00 FF FF 00 00 MZ..............

    -

    This a PDF -

    File name: C:\WINDOWS\Desktop\Test.pdf
    File size: 107KB

    0000: 25 50 44 46 2D 31 2E 32 20 0D 25 E2 E3 CF D3 0D %PDF-1.2 .%.....

    -

    Hope that helps

    . . .

    I went to wallpapers4u(dot)com and nothing happened ! http://img513.imageshack.us/img513/8573/smile6ju.gif


    StevieO
     
  11. NIST.org

    NIST.org Registered Member

    Joined:
    Dec 29, 2005
    Posts:
    11
    John Herron at NIST.org is reporting that all recent versions of Lotus Notes is vulnerable to the MS WMF zero-day exploit. The WMF file can be renamed to a JPG extension and Lotus Notes will still be vulnerable. Lotus Notes uses the same graphics rendering engine (shimgvw.dll) used by Internet Explorer in the current exploit. Click here to see the full analysis article.
     
    Last edited: Dec 29, 2005
  12. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    The first line of infected WMF files is:

    00000000h: 01 00 09 00 00 03 52 1F 00 00 06 00 3D 00 00 00 ; ......R.....=...
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,778
    Nice work guys.

    I read about this yesterday here on Wilders and actually passed on the info to my boss. Who thought it was the old wmf exploit. :rolleyes:

    He even researched it (so he said) and told me so. After some research and testing myself, I showed him he was wrong. Me needs a new job. Anyone hiring? :D

    Cheers to all of you for these great posts. :cool:
     
  14. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    With reference to the above quote, the article below, the 'Magic of magic byte' is worth a look. It illustrates the potential danger of not looking past the first indicators when using this method to define files :-

    http://www.securityelf.org/magicbyte.html


    http://www.my-smileys.de/smileys2/8_2_78.gif
     
    Last edited: Dec 30, 2005
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Did you use IE? It took a minute or so for the action to begin :)
     
  16. StevieO

    StevieO Guest

    eyes-open

    Yes good point ! I looked at that site in March this year when it was mentioned here

    Bypass of 22 Antivirus software with GDI+ bug...

    http://www.dslreports.com/forum/remark,12840825~days=9999

    Other good info at www.securityelf.org too

    http://www.securityelf.org/whitepapers.html


    Rmus had a nice thread here a few weeks ago

    Do You Trust Known File Extensions?

    https://www.wilderssecurity.com/showthread.php?t=109689


    This is the test that Andrey did last year for an "Undetectable" JPEG.

    Bypass of Antivirus software with GDI+ bug exploit Mutations.

    http://www.securityelf.org/jpeg.html


    The AV vendors of course now pick up on it, as did mine when i tried to save it to my desktop. I disabled my AV to continue testing.

    This is what MiniDump shows -

    File name: C:\WINDOWS\Desktop\bulzano2.jpg
    File size: 71KB

    0000: FF D8 FF E0 00 10 4A 46 49 46 00 01 02 01 00 4B ......JFIF.....K
    0010: 00 4B 00 00 FF ED 19 1C 50 68 6F 74 6F 73 68 6F .K......Photosho
    0020: 70 20 33 2E 30 00 38 42 49 4D 03 E9 00 00 00 00 p 3.0.8BIM......
    0030: 00 78 00 07 00 00 00 48 00 48 00 00 00 00 02 DB .x.....H.H......
    0040: 02 40 FF E7 FF EE 02 FF 02 52 1F 03 05 28 03 FC .@.......R...(..
    0050: 00 01 00 00 01 2C 01 2C 00 00 00 00 06 AE 05 A0 .....,.,........
    0060: 01 2C 00 2D 05 A0 5E EC 00 26 02 01 01 01 00 18 .,.-..^..&......
    0070: 00 01 27 0F 00 01 00 01 00 00 00 00 00 00 00 00 ..'.............
    0080: 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 ................
    0090: 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 ................
    00A0: 00 00 04 02 04 05 00 00 00 00 38 42 49 4D 03 ED ..........8BIM..
    00B0: 00 00 00 00 00 10 00 4B 00 00 00 01 00 01 00 4B .......K.......K
    00C0: 00 00 00 01 00 01 38 42 49 4D 03 F3 00 00 00 00 ......8BIM......
    00D0: 00 08 00 00 00 00 00 00 00 00 38 42 49 4D 04 0A ..........8BIM..
    00E0: 00 00 00 00 00 01 00 00 38 42 49 4D 27 10 00 00 ........8BIM'...
    00F0: 00 00 00 0A 00 01 00 00 00 00 00 00 00 02 38 42 ..............8B

    I also tested it with the JPEGScan from www.diamondcs.com.au/jpegscan that i've used before and that Andrey mentions, just out of curiosity, even though i know it's a different vulnerability, and it didn't pick up on it.

    So it appears that reading the headers is a good idea, but not the whole story as it may not always display other things that could be revealing !

    Rmus

    Yes i am using IE, and i was surprised that nothing happened immediately on wallpapers4u(dot)com as it did when i went to unionseek.com the other day ! I spent about 5 minutes or so trying out the different links to no avail ? The pretty pictures had nothing to do with the " exposure time ", honest lol. I've just tried again and still nothing !

    It's possible that because i'm on 98SE with both it and IE Tightly bolted down, that i am able to escape all these kind of exploits that i keep attempting ? Makes me feel " Cautiously " confident anyway.

    StevieO
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    That must be it, so loosen some of those bolts so that you can enjoy these exploits :)

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~
     
  18. devilish

    devilish Guest

    Correct me if i'm wrong but it looks to me you didn't block the WMF exploit per se from working, rather the stuff it downloaded and tried to install couldn't do any damagae except for putting stuff on your desktop.

    To the end user it doesn't make any difference i suppose, but your test is actually showing that the stuff the exploit tried to install couldn't do much damage, not that you actually stopped the exploit from working in the first place.
     
  19. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, you are right.
     
  20. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    StevieO,

    Thank you for the excellent information and the file header examples!! :)
    Always wanted to learn about magic bytes.



    eyes-open,

    Thanks for the link to Wayne's informative article.
    Who would have guessed Wayne was also the author of security articles?
     
  21. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    @ StevieO & Devinco

    As the subject of magic bytes/file signatures has already come up in this thread. It doesn't seem too OT to add a little more.

    To be clear I don't say magic bytes have no value, just that there is a need to double check and not take on face value. In fact as a beginner, I think they're a neat way of dipping your toes into reading Hex as a practical exercise.

    Kye-U has cleverly used the hex form of file signatures as a way of filtering out .WMF files with Proxomitron:-

    https://www.wilderssecurity.com/showpost.php?p=643186&postcount=16

    That being clarified and as there is some interest I came across this more exhaustive and fairly recent list of file signatures.

    http://www.garykessler.net/library/file_sigs.html

    Regards

    eyes-open
     
    Last edited: Dec 30, 2005
  22. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you eyes-open! That is a good comprehensive list.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,101
    Location:
    The Netherlands
    There are some things that I don´t understand about the WMF exploit:

    1 IE can´t display wmf files right? So it will ask you if you want to save or open the file, in my case with XnView. If you open it, there is no problem if XnView is not using the vulnerable dll file and it´s not as far as I know. If you save the file you can get affected if you preview it in explorer.

    2 But if the exploit is triggered, a good firewall/IPS should be able to stop this right?

    3 I´ve read that renamed gif, jpegs can also be risks, but you need to rename them first right? And I don´t see why you would want to do this.

    4 About the magic byte issue, can´t this be shutdown with the following IE security setting set to disabled? :

    "Open files based on content, not file extension"

    Feedback will be appreciated. :)
     
  24. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Wow guys, do a google search for 'unionseek' and you get tons of websites flooded with big news about this exploit.
    A possible safer way to test this would be to test this exploit in a VIRTUAL ENVIRONMENT/VIRTUAL MACHINE. Then you won't let the real physical operating system get infected hands-down. Testing this in a NON-virtual environment with tight security measures and lockdowns may be ok. Quite adventurous.
     
  25. devily

    devily Guest

    Thank you for the warning Nadirah.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.