Domain: hexblog.com
Stories and comments across the archive that link to hexblog.com.
Comments · 20
-
Re:Good book
This is not the first book about IDA Pro. However, this is the first book I recommend to anyone using IDA Pro because of the following points:
* Comprehensive: it describes all major IDA features by starting at the beginning and going all the way to the end. Experienced users may be tempted to skip the first few chapters; resist this temptation and you will discover something new (I did :)
* Accurate: it is very difficult to be detailed and precise when describing such a complex product. Chris does it excellently well.
* Real: handles real world malware, packers, and obfuscated code
* No fillers: it is direct and concise
* Profound: this is not just a collection of recipes or tricks, but will give you a better understanding of the IDA architecture, thus saving you from unnecessary frustration. Knowing the limitations of your tool is just as important as knowing its capabilities.
It comes with tons of code snippets, scripts, and sample modules. Programming for IDA Pro is covered too: from simple plugins to processor modules. http://hexblog.com/2008/08/the_ida_pro_book_1.html ----This is not my blog. -
Re:Where's the NTFS writer then?
>Have you ever SEEN decompiled code?
Yes.
>It is assembly language, for one thing.
That would make it disassembled code; decompiled typically implies a higher level abstraction/language.
-
Re:Length==1
For me, that length==1 trigger is the most convincing evidence.
It might have been convincing if it were true. The vulnerability checker from Ilfak Guilfanov's site uses length==17 to trigger the exploit (Look in the wmfhdr.wmf file in the source zip. The length is a little-endian DWORD at offset 0x12.)
The Metasploit module uses a length of 4. Check out the following snippet:
#
# StandardMetaRecord - Escape()
#
pack('Vvv',
# DWORD Size; /* Total size of the record in WORDs */
4,
# WORD Function; /* Function number (defined in WINDOWS.H) */
int(rand(256) << 8) + 0x26,
# WORD Parameters[]; /* Parameter values passed to function */
9,
). $shellcode .
I think Steve Gibson is confused. -
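The record walk the comment above relies on, as an added example that is not part of the original thread, Ilfak's checker or the Metasploit module: a small Python scanner that parses WMF records (the Size DWORD counted in WORDs, then the Function WORD, the first record starting at offset 0x12 right after the 18-byte header) and flags any META_ESCAPE record whose first parameter is SETABORTPROC (9), whatever the Size field says. The header layout, the 0x0626 escape constant and GDI's low-byte dispatch are standard WMF/GDI facts; the fixtures are constructed here, carry no payload, and `build_sample` and `BENIGN_SAMPLE` are names of this example only. The point it makes is the one the comment makes: a detector keyed on one particular length (1, 4 or 17) misses the others, so match on the escape record itself.

```python
import struct

# META_ESCAPE is 0x0626; GDI dispatches on the low byte, which is why the
# Metasploit snippet above randomises the high byte. SETABORTPROC (9) is the
# escape sub-function the WMF vulnerability is reached through.
META_ESCAPE_LOW_BYTE = 0x26
SETABORTPROC = 9
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" pre-header
STD_HEADER_LEN = 18            # METAHEADER; the first record sits at offset 0x12


def iter_wmf_records(data: bytes):
    """Yield (offset, size_in_words, function) for each record in a WMF blob.

    Record size is a little-endian DWORD counted in WORDs, so the byte length
    is size * 2.  A size smaller than the 6-byte record header (Size + Function)
    cannot be walked past: that record is still yielded, then iteration stops.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + STD_HEADER_LEN:
        raise ValueError('truncated WMF header')
    off += STD_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        yield off, size_words, func
        nbytes = size_words * 2
        if func == 0 or nbytes < 6:          # META_EOF, or a malformed Size field
            break
        off += nbytes


def find_setabortproc_escapes(data: bytes):
    """Return every META_ESCAPE record carrying SETABORTPROC, regardless of Size."""
    hits = []
    for off, size_words, func in iter_wmf_records(data):
        if (func & 0xFF) != META_ESCAPE_LOW_BYTE:
            continue
        if off + 8 > len(data):               # escape sub-function WORD is missing
            break
        escape_fn = struct.unpack_from('<H', data, off + 6)[0]
        if escape_fn == SETABORTPROC:
            hits.append({'offset': off, 'size_words': size_words, 'function': func})
    return hits


def build_sample(size_words: int, function_word: int = 0x0626) -> bytes:
    """Constructed fixture (this example's own): a minimal WMF with one
    Escape(SETABORTPROC) record followed by META_EOF.  Nothing follows the
    record; it exists only to exercise the scanner with different Size values."""
    header = struct.pack('<HHHIHIH', 1, 9, 0x300, 0, 0, 0, 0)   # METAHEADER, sizes left zero
    record = struct.pack('<IHH', size_words, function_word, SETABORTPROC)
    eof = struct.pack('<IH', 3, 0)
    return header + record + eof


# Constructed fixture with no records other than META_EOF.
BENIGN_SAMPLE = struct.pack('<HHHIHIH', 1, 9, 0x300, 0, 0, 0, 0) + struct.pack('<IH', 3, 0)


if __name__ == '__main__':
    for size in (1, 4, 17):                   # Gibson's claim, Metasploit, Ilfak's checker
        print(size, find_setabortproc_escapes(build_sample(size)))
    print('benign', find_setabortproc_escapes(BENIGN_SAMPLE))
```

The scanner reads the escape sub-function directly from the bytes after the Function WORD rather than from a Size-bounded parameter slice, so a record whose Size claims fewer WORDs than it occupies (the length==1 case) is still inspected before the walk gives up on it.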
Re:KnockKnock
From what I've read, he only has the executable up for download at the following location in the Security Now! show notes page: http://www.grc.com/sn/notes-022.htm
I don't recall if he mentioned that he was making the actual code available but since it follows the basic idea behind Ilfak's vulnerability test http://www.hexblog.com/index.html. You could probably dig up more information from that point.
-
Too little too late?
That vulnerability was serious enough to cause Microsoft to take the unusual step of releasing an early patch for the problem, ahead of its monthly security software update.
But still released many days after independent programmers (e.g. Ilfak Guilfanov) managed to build a fix. At work (a national lab), we were explicitly instructed not to wait for the early Windows patch.
-
Legacy apps will break
Like antdude said above, the real problem with this is that the exploit affects something which is actually a feature of WMF files. A feature which is used by certain apps.
I have witnessed first hand how Guilfanov's unofficial patch will break some legacy apps. The one in question was a 16-bit app (based on Access 2.0). After applying the patch, it was impossible to print some forms (we received an error). Sure, we uninstalled the patch and printing was OK again.
So therefore the interesting thing about the upcoming Microsoft patch is, how are they going to patch the hole without breaking the legitimate uses of the affected gdi functions???
-
Re:avast
Here's a tool that allows you to check whether you're (still) vulnerable or not.
-
Re:Trusted Computing? I think not!
The source code is now online, too.
-
Re:Win98 patch?
I ran the test util on my Win98 box (http://www.hexblog.com/security/files/wmf_checker_hexblog.exe small download)
It said -- Not Vulnerable.
The referring page (which I can't find again offhand but is one of the links from GRC) said not to take it as gospel, since it only tests for one of several possible entry points, but it's better than nothing. -
Steve Gibson didn't write it, he just commented...
The fix is from Ilfak Guilfanov.
To quote F-Secure (http://www.f-secure.com/weblog/archives/archive-122005.html#00000756):
"Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.
More details from Ilfak's blog: http://www.hexblog.com/."
The guy is legit. -
Re:Pushing the patch via Zenworks/SMS/Tivoli???
The fix can be applied in the automatic mode using the following command line:
wmffix_hexblog13.exe /VERYSILENT /SUPPRESSMSGBOXES
These switches do not suppress dialog boxes about installation errors.
The /LOG="file" switch can be added to the command line to create a log file.
[from http://www.hexblog.com/2005/12/wmf_vuln.html ]
There's an MSI version in the works as well. -
Re:Trusted Computing? I think not!
I wouldn't call what they are offering trusted computing. They are not the manufacturers of the OS, so whatever they are offering is NOT trusted computing.
"Trustworthy" was used here only as a saying. As in "Please, trust us". Please read the ISC diary entry.
Since it's a typical binary patch you have to trust them that this patch won't hose your system or make you pwned by these or other folks.
The patch is distributed by Ilfak Guilfanov, who develops the IDA Pro Disassembler and Debugger. The WMF fix installation package includes source code for the DLL it installs.
Look, when I want to upgrade my box, I just do a apt-get update; followed by either apt-get dist-upgrade or use synaptic. I know my sources (I select them myself), I know that the reality checks exist (gpg keys, outside sources verifying the software, etc.). I know I'm not getting hosed when I install software from my usual Debian repositories.
Sure, you use apt-update when your OS vendor has released a fix. But what do you do when no official fix is yet available, as the situation is now for Windows users?
-
Sourcecode IS available
Here.
-
Re:How do I avoid it? Fixes?
I have posted fixes that have been reviewed by SANS (The Internet Storm Center) at www.HelpProtectMyComputer.com/WMFflaw.html.
I did not develop the fix, Ilfak Guilfanov did, and I found it on Steve Gibson's site.
Please forward the information to as many people as possible to protect their computers and to limit the damage. Thanks. Steve (Smokeydog) -
Do. This. Now.
Get a patch here: http://www.hexblog.com/2005/12/wmf_vuln.html
All the necessary information and explanation (plus q/a) is here. This is the only hope at present. Good luck to everyone on Jan 2 when this thing takes over the world. -
Re:How do I avoid it? Fixes?
That's about as helpful as advising tsunami victims that they move.
For those who want actual advice: http://www.hexblog.com/ -- a fix which creates a hook to disable the affected code. The fix has been analyzed by Steve Gibson. -
Re:How do I avoid it? Fixes?
There seems to be a first fix.
There is now a "Windows WMF Metafile Vulnerability HotFix" available from Ilfak Guilfanov. Have a look here http://www.hexblog.com/2005/12/wmf_vuln.html
The problem - and the fix - has been discussed also at GRC.com's Security Now podcast. Check out this link http://www.grc.com/sn/notes-020.htm -
Most importantly: THERE IS A FIX
It's unofficial, but it works.
http://www.hexblog.com/2005/12/wmf_vuln.html -
Announcement of third party patch
Caveat emptor
... I have not tried this - Windows WMF Metafile Vulnerability HotFix. -
I developed a fix for it
After some hours looking at the WMF file format I developed a fix for it:
http://www.hexblog.com/
My fix works for Windows XP systems. I have tested it on my machines.