New Windows Vulnerability

Discussion in 'other security issues & news' started by TNT, Dec 27, 2005.

Thread Status:
Not open for further replies.
  1. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    OK, just dl'd the Patch, installed, rebooted and all working fine here.

    lol, I see a test file at DSL reports to test your system but I cannot even download the test file, as KAV alerts each time from various sites, so with the Patch and KAV, guess I am secured at best as can be for the time being.

    TAS
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi securityx,

    Why both? I tested one of the real .wmf exploits against WMF Patch 1.3 and saw nothing unusual in both a disk state comparison and a registry comparison afterwards. The patch works and I don't see any reason to lose functionality when it's not necessary.

    Nick
     
  3. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
  4. securityx

    securityx Registered Member

    Joined:
    Dec 1, 2005
    Posts:
    149
    This is from SANS and The Internet Storm Center. I would normally just link to the page, but this is extremely important and I am certain that the repost is okay.
    Courtesy of SANS and The Internet Storm Center
    http://isc.sans.org/diary.php?storyid=994
    This same FAQ is available in several other languages here:
    http://isc.sans.org/diary.php?storyid=1005

    Why is this issue so important?
    The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have to click anything. Even images stored on your system may cause the exploit to be triggered if it is indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well.

    Is it better to use Firefox or Internet Explorer?
    Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.

    What versions of Windows are affected?
    All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are affected to some extent. Mac OS X, Unix and BSD are not affected.

    Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.

    What can I do to protect myself?
    Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
    You can unregister the related DLL.
    Virus checkers provide some protection.
    To unregister the DLL:

    Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
    A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
    Our current "best practice" recommendation is to both unregister the DLL and to use the unofficial patch.

    How does the unofficial patch work?
    The wmfhotfix.dll is injected into any process loading user32.dll. The DLL then patches (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (ie. 0x09) parameter. This should allow Windows programs to display WMF files normally while still blocking the exploit. The version of the patch located here has been carefully checked against the source code provided as well as tested against all known versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.

    Will unregistering the DLL (without using the unofficial patch) protect me?
    It might help. But it is not foolproof. We want to be very clear on this: we have some very strong indications that simply unregistering the shimgvw.dll isn't always successful. The .dll can be re-registered by malicious processes or other installations, and there may be issues where re-registering the .dll on a running system that has had an exploit run against it allows the exploit to succeed. In addition, it might be possible for there to be other avenues of attack against the Escape() function in gdi32.dll. Until there is a patch available from MS, we recommend using the unofficial patch in addition to un-registering shimgvw.dll.

    Should I just delete the DLL?
    It might not be a bad idea, but Windows File Protection will probably replace it. You'll need to turn off Windows File Protection first. Also, once an official patch is available you'll need to replace the DLL. (Renaming rather than deleting is probably better, so it will still be handy.)

    Should I just block all .WMF images?
    This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents.

    What is DEP (Data Execution Protection) and how does it help me?
    With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits by preventing the execution of 'data segments'. However, to work well, it requires hardware support. Some CPUs, like AMD's 64-bit CPUs, will provide full DEP protection and will prevent the exploit.

    How good are Anti Virus products to prevent the exploit?
    At this point, we are aware of versions of the exploit that will not be detected by antivirus engines. We hope they will catch up soon. But it will be a hard battle to catch all versions of the exploit. Up to date AV systems are necessary but likely not sufficient.

    How could a malicious WMF file enter my system?

    There are too many methods to mention them all. E-mail attachments, web sites, instant messaging are probably the most likely sources. Don't forget P2P file sharing and other sources.

    Is it sufficient to tell my users not to visit untrusted web sites?

    No. It helps, but it's likely not sufficient. We had at least one widely trusted web site (knoppix-std.org) which was compromised. As part of the compromise, a frame was added to the site redirecting users to a corrupt WMF file. "Trusted" sites have been used like this in the past.

    What is the actual problem with WMF images here?

    WMF images are a bit different than most other images. Instead of just containing simple 'this pixel has that color' information, WMF images can call external procedures. One of these procedure calls can be used to execute the code.

    Should I use something like "dropmyrights" to lower the impact of an exploit?
    By all means yes. Also, do not run as an administrator-level user for everyday work. However, this will only limit the impact of the exploit, and not prevent it. Also: Web browsing is only one way to trigger the exploit. If the image is left behind on your system, and later viewed by an administrator, you may get 'hit'.

    Are my servers vulnerable?
    Maybe... do you allow the uploading of images? Email? Are these images indexed? Do you sometimes use a web browser on the server? In short: If someone can get an image to your server, and if the vulnerable DLL may look at it, your server may very well be vulnerable.

    What can I do at my perimeter / firewall to protect my network?
    Not much. A proxy server that strips all images from web sites? Probably won't go over well with your users. At least block .WMF images (see above about extensions...). If your proxy has some kind of virus checker, it may catch it. Same for mail servers. The less you allow your users to initiate outbound connections, the better. Close monitoring of user workstations may provide a hint if a workstation is infected.

    Can I use an IDS to detect the exploit?
    Most IDS vendors are working on signatures. Contact your vendor for details. Bleedingsnort.org is providing some continuously improving signatures for snort users.

    If I get hit by the exploit, what can I do?
    Not much :-(. It very much depends on the exact exploit you are hit with. Most of them will download additional components. It can be very hard, or even impossible, to find all the pieces. Microsoft offers free support for issues like that at 866-727-2389 (866 PC SAFETY).

    Does Microsoft have information available?

    http://www.microsoft.com/technet/security/advisory/912840.mspx
    But there is no patch at the time of this writing.


    What does CERT have to say?
    http://www.kb.cert.org/vuls/id/181038
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560
     
    Last edited: Jan 3, 2006
  5. securityx

    securityx Registered Member

    Joined:
    Dec 1, 2005
    Posts:
    149
    Nick, this is addressed in the FAQ above, but the reason is that this is an easily mutated exploit. The patch will protect against known, but by no means the only, ways this whole thing can be used to wreak havoc. The safe choice is to unregister the shimgvw.dll. It is an extra layer of protection until all known means of exploitation are patched by the programmers at Microsoft. And we still wait.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    What will execute a .wmf file on Win2K? That extension does not exist on Win2K.
     
  7. Should I just block all .WMF images?
    This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents.

    Rmus: A couple of posts up that faq says that the extension is not needed.
     
  8. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    I understood that to mean that the extension can be spoofed as an 'innocent' image such as .jpg; however, the file signature is such that Windows will still define the file as a metafile and as such seek to launch the Image & Fax viewer, exposing the vulnerable driver to the exploit code?

    If a system doesn't use .wmf files, and therefore has no programmed response, it shouldn't be vulnerable?

    Is that correct?
     
  9. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents.
    More info here:

    http://isc.sans.org/

    Gerard
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Major Revision In Vulnerable System List

    "here's the important point: On any version of Windows you need a program that can load and interpret WMF files in order to be exploited. On Windows XP and Server 2003 this is installed by default and made the default handler for WMF files, and Paint is updated to handle WMFs as well. But on earlier versions of Windows there is no such program installed by default. You would need a third-party program in order to be vulnerable, such as Lotus Notes."

    Article

    Using Win2K SP4 and the default MSPaint:

    http://www.rsjones.net/img/paint_1.gif

    http://www.rsjones.net/img/paint_2.gif
    ____________________________________________________

    wmf - jpg test file from http://multitudious.com/test.html

    http://www.rsjones.net/img/jpg-paint2.gif

    http://www.rsjones.net/img/jpg-photoshop.gif
    _________________________________________________________


    On Win2K .wmf is an unknown (no association) file type. I have all unknown defined to Wordpad:

    http://www.rsjones.net/img/wmf-wordpad.gif

    People with Win98 were worried that MS would not have a patch, but it looks like that Win98 is not vulnerable unless a 3rd party viewer is installed.



    ________________
    ~~Be ALERT!!! ~~
     
  11. alamakota

    alamakota Guest

    So, is there any tool that can block access to a file (like an anti-virus) based on its header?

    X.
     
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,057
    Location:
    Texas
    Jesper's Blog
     
  13. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Found this in my mail:

    Users of a-squared Personal with the enabled background guard are protected from Malware which uses the WMF flaw to enter your system. The integrated Malware-IDS blocks harmful code immediately and stops infections of your computer.

    Anyone tested this?

    Gerard
     
  14. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
  15. simple_user

    simple_user Guest

    For users who don't care too much about viewing WMF files, maybe someone could write an IE plugin that filters out WMF files (based on the file header); that could help alleviate this problem (at least for online internet browsing).
     
  16. Get

    Get Guest

    Concerning the WMF Patch, Castlecops say:
    Steve Gibson says:
    It seems more logical to uninstall before updating Windows. Right....?
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,057
    Location:
    Texas
    I would remove the patch before updating Windows. :)
     
  18. Get

    Get Guest

  19. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
  20. trust

    trust Guest

    Does anyone trust this? ~removed link and quoted text~

    Edit - links to illegal patches/programs will be removed. - snapdragin
     
    Last edited by a moderator: Jan 3, 2006
  21. tansu

    tansu Registered Member

    Joined:
    Sep 13, 2005
    Posts:
    210
    Hi,
    Will you update your mirror if the hotfix upgrades again? I would like to put this link to my forum as a sticky.
     
  22. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    WinBeta.org

    Hrmmm, I wouldn't trust it, but I've downloaded it just for archival purposes ;)
     
  23. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    I've actually made an FTP Account for the Author to use.

    That's just a very quickly done page to offer the file immediately.

    If the author decides not to use it, I will keep it updated.
     
  24. SagaLore

    SagaLore Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    4
    Location:
    United States
  25. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    Version 1.14 of source code out. It randomizes almost everything now.

    Room for 1740 bytes of payload.

    Can anyone help explain to me ALL the mathematical functions below? (Like rand(0xffff)) I need to rewrite my Proxomitron filter for sure.

    Code:
    #
    # WindowsMetaHeader
    #
    pack('vvvVvVv',
        # WORD  FileType;       /* Type of metafile (1=memory, 2=disk) */
        int(rand(2))+1,
        # WORD  HeaderSize;     /* Size of header in WORDS (always 9) */
        9,
        # WORD  Version;        /* Version of Microsoft Windows used */
        (int(rand(2)) == 1 ? 0x0100 : 0x0300),
        # DWORD FileSize;       /* Total size of the metafile in WORDs */
        $clen/2,
        # WORD  NumOfObjects;   /* Number of objects in the file */
        rand(0xffff),
        # DWORD MaxRecordSize;  /* The size of largest record in WORDs */
        rand(0xffffffff),
        # WORD  NumOfParams;    /* Not Used (always 0) */
        rand(0xffff),
    ).
    #
    # Filler data
    #
    $pre_buff.
    #
    # StandardMetaRecord - Escape()
    #
    pack('Vvv',
        # DWORD Size;          /* Total size of the record in WORDs */
        4,
        # WORD  Function;      /* Function number (defined in WINDOWS.H) */
        int(rand(256) << 8) + 0x26,
        # WORD  Parameters[];  /* Parameter values passed to function */
        9,
    ). $shellcode
     
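Several posts above ask for a filter that recognizes WMF files by their header rather than their extension, and the last post asks what the randomized header fields in the generator mean for such a filter. The following Python is an added example (not code from the thread, the SANS FAQ, or the generator's author): it identifies a WMF structurally using the header layout shown in the post above, walks the record list, and flags Escape() records (function 0x0626) whose first parameter is SETABORTPROC (0x09), the combination the FAQ describes. Because the generator randomizes FileType, Version, NumOfObjects, MaxRecordSize and the high byte of the function number, the check matches on structure (the fields that must be valid for GDI to accept the file) instead of exact bytes. The sample inputs are constructed here and contain only zero filler, no payload.

```python
import struct

WMF_PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus placeable header key
META_ESCAPE = 0x26                 # low byte of the Escape() record function (0x0626)
SETABORTPROC = 0x09                # the Escape sub-function named in the SANS FAQ

def _header_offset(data: bytes) -> int:
    """Skip the placeable header if present; the standard header follows it."""
    if len(data) >= 4 and struct.unpack_from('<I', data)[0] == WMF_PLACEABLE_MAGIC:
        return 22
    return 0

def looks_like_wmf(data: bytes) -> bool:
    """Structural check: WMF is identified by its header, not its extension."""
    off = _header_offset(data)
    if len(data) < off + 18:
        return False
    file_type, hdr_size, version = struct.unpack_from('<HHH', data, off)
    # the generator randomizes FileType and Version, but only over these values
    return file_type in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300)

def find_setabortproc(data: bytes) -> list:
    """Return byte offsets of Escape records carrying SETABORTPROC."""
    if not looks_like_wmf(data):
        return []
    off = _header_offset(data) + 18
    hits = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        if size_words < 3:            # a record is at least Size + Function = 3 WORDs
            break
        # the generator sets Function to (rand(256) << 8) + 0x26, so match the low byte only
        if func & 0xFF == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from('<H', data, off + 6)[0] == SETABORTPROC:
                hits.append(off)
        off += size_words * 2
    return hits

def build_sample(escape: bool, func: int = 0x0626) -> bytes:
    """Constructed test input (not an exploit): header, optional Escape record, META_EOF."""
    body = b''
    if escape:
        # record of 12 WORDs: Size, Function, SETABORTPROC, then 16 inert zero bytes
        body += struct.pack('<IHH', 12, func, SETABORTPROC) + b'\x00' * 16
    body += struct.pack('<IH', 3, 0x0000)          # META_EOF record
    total_words = (18 + len(body)) // 2
    hdr = struct.pack('<HHHIHIH', 1, 9, 0x0300, total_words, 0, 12, 0)
    return hdr + body
```

Running this over files regardless of extension (the thread's renamed .jpg test case included) reports the offset of any Escape/SETABORTPROC record, while a real JPEG fails the header check outright.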