Exploit Released for Unpatched Windows Flaw
woodchuck writes "Washington Post reports that another Windows hole has been found and exploit code is now running loose that makes Swiss cheese of current patches and security measures.
From the article: "Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied. Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf). Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via IRC.""
Unregister the dll that provides WMF viewing. Click Start, Run, and enter this:
regsvr32 /U SHIMGVW.DLL
Sunbelt has more detail here.
The important line filtered from the article, the fix:
"regsvr32 /u shimgvw.dll"
Thank you.
Windows is like decaf - it tastes like the real thing, but it won't get you through the day.
Here is the fix, from the linked article in case you DNRTFA:
----
According to iDefense, Windows users can disable the rendering of WMF files using the following hack:
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.
iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
----
I'm not sure if you need to type this every reboot, or just once. Since it requires re-enabling, I'm hoping it's just once.
"Don't believe anything you read on the net. Except this. Well, including this, I suppose." --Douglas Adams
Also, read Broadband Reports' security forum thread for discussions and what people observed.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
This is hardly a "previously unknown security hole." In fact, MS released a patch for it two weeks ago.
The exploit's new, but the vulnerability has been known for a while and is only still around because the patch doesn't work.
Also watch out for Google desktop search, as that caused a downloaded file to be run and exploited the machine.
Kye-U also has released a filter for proxomitron that will block wmf file downloads:
[HTTP headers]
In = FALSE
Out = TRUE
Key = "URL-Killer: Kill WMF Connection [Kye-U] (Out)"
URL = "(^*=(^http://./^([a-z]+{2,4})(^/))))*.wmf(*)\1$TST(\1=(^/))"
Match = "*&($CONFIRM(.WMF FILE EXTENSION FOUND\n\nAllow connection to the URL below?\n\n\u\n\1)|$SET(1=URL with .WMF Extension Killed\k))"
Replace = "\1"
[Patterns]
Name = "Kill .WMF [Kye-U]"
Active = TRUE
Bounds = ""
Limit = 256
Match = "*.wmf*"
Replace = "$ALERT(.WMF Extension Killed on:\n\n\u)"
Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
The exploit was published by HD Moore after reverse engineering some malware. HD Moore is absolutely a very prominent researcher and hacker. Secondly the person(s) who discovered the vulnerability and wrote the initial malware to exploit it are also hackers. Even by the historical definition. Intent has no bearing on the term. Skill does. And you can't tell me discovering a 0day affecting any MS platform doesn't require skill. There are tens of thousands of researchers out there right now who can't.
They're not hackers, they are crackers.
UUuummm no. Ever since the 1980's underground scene the word cracker has referred to a person who breaks the protection on copywritten software. It was that way for years until that ruddy faced blowhard "ESR" decided to start using the term "cracker" as a synonym for "computer criminal."
Talk about hypocrisy. ESR gets all pissed about the media misusing the word hacker so he turns around and starts misusing the word cracker. And because of his position as editor of "The Jargon File" he has influenced the web culture (newbies at least) that the word cracker is synonymous with cybercriminal even though anyone who was in the pirate scene back in the eighties can tell you that a cracker was by the following DEFINITION:
"Software cracking is the modification of software to remove encoded copy prevention. Distribution of cracked software (warez) is generally an illegal (or more recently, criminal) act of copyright infringement. Software cracking is most often done by software reverse engineering."
- computer systems should not be released until they pass some theoretical threshold of security
- and if the above is not done, then the authors of said systems shall be held (financially? criminally?) liable.
In other words, you have just basically killed off free (both as in beer and as in speech) software as we know it. Not to mention the fact that we're talking about an exploit in an older DLL that has gone unnoticed for years. Exactly how many years until your theoretical notion of "reasonably" safe is met? If you don't think (OS of your choice) has similar weaknesses, you are deluding yourself. And so what if it 'affects only one user, not the whole system?' To that user, that IS his world.
From F-secure's blog:
Repton.
They say that only an experienced wizard can do the tengu shuffle.
No, you just have to visit a porn site with Internet Exploder to get automatically infected by this worm. It doesn't require any user action, apart from clicking links in normal browsing.
If you are using Firefox, then what you say is true, since FF requires the user to confirm that he really wants to run the malicious program, so the user actually has to click a confirmation button. The infection is not automatic on FF.
Oh well, what the hell...
"Update, 12:30 p.m. ET: Several security groups are reporting that it is extremely easy to get whacked by this vulnerability/exploit just by visiting one of a growing number of malicious Web sites that are now employing this attack. F-Secure's blog post on this indicates that -- because the vulnerability lies in the way Windows parses WMF image files -- Firefox and Opera users also can get infected -- although they at least have to agree to download and run a file first"
That's what they say in the article but the only thing I did was to open a .wmf movie in Firefox. I did not click/agree/install anything else.
The thing just auto-installed it-self from that point.
On x86 processors (and probably most others), the stack pushes backward in memory. Each function call pushes the return address onto the stack. Because the stack pushes backwards, a buffer overflow will overwrite the previously pushed values that follow it in memory. So when the overflowed function returns, it'll return to the new address that has been written by the overflowed buffer.
Good stack overflow exploit code is pretty reusable for exploiting newly discovered stack overflows with little modification, which makes these exploits appear so quickly after a new vulnerability is discovered. There's also something called a heap overflow, but using it to run executable code is quite a bit harder and must be tailored to each specific vulnerability.
Internet Storm Center Coverage - Alert moved to yellow as of this morning. http://isc.sans.org/diary.php?rss&storyid=975
Also, take a look at this movie from websense: http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv it shows step-by-step what happens to a clean machine as it gets exploited by this new menace.
Horns are really just a broken halo.
Umm, numbnutz, there is no patch there. Just an advisory.
This thing is nasty! I was browsing the internet this afternoon and got it. I have a fully patched copy of Windows XP SP2 with Symantec Antivirus Corporate 9.0. Neither stopped it. I spent about 6 hours running virus scans, Ad-Aware, and Spy-Bot in safe mode. This didn't even come close to detecting everything. I had to manually remove files based on searches by creation date. Interestingly, none of the three tools picked up any of the DLLs mentioned in the next paragraph.
I traced it to an ad within an ad within an ad that sources a WMF file in an iframe. If you want to see this thing in action then use VMWare to load the following link: h**p://iframeurl.biz/dl/xpladv470.wmf. After all is said and done, you'll have trojan.byteverify, trojan.dropper, trojan.bookmarker, download.trojan, w32.conycspa.G@mm, backdoor.shellbot, backdoor.trojan, w32.looksky.A@mm, among others. I also had some new DLLs that were particularly hard to get rid of - msupdate32.dll, msctl32.dll, uytpu.dll, qrlmq.dll - all in the system32 directory.
This has actually never happened to me. I am religious about keeping Windows and my antivirus software up-to-date. It was a good learning experience to see it all in action.
And, by the way, I was not browsing for porn. I was doing a google search for a old Macintosh program named Cache Killer. One of the links listed was "Download Cache Killer Pro v5.0 crack / keygen / serial / patch ...". I clicked on this and ... WHAM! Here's the Google search - http://www.google.com/search?q=cache+killer&hl=en&lr=&start=0&sa=N. It's the last link on the page - h**p://www.crackz.ws/down/25335/Cache.Killer.Pro.v5.0_crack_serial_keygen.html. This is the page that contains the ad within an ad within an ad. Beware!!!
A few people on this thread don't seem to be familiar with the WMF format or GDI. This format provides for a set of commands which are supposed to be graphics only. (I guess they got carried away in this case.) As the viewer is basically a scripting engine, the exploiters would certainly try to target it for vulnerabilities. I don't have a copy of the dangerous file, so I don't know whether this particular exploit is a buffer overflow or something else.
.. paranoid crackpot leftover from the days of Amiga.
That address has to be somewhere in the memory mapped to the currently executing process. That includes both the memory used to store the program code as well as the memory used to store any data. The x86 doesn't understand a difference between the two, and until x64 also had no way of marking sections of that memory as non-executable. So the combination of non-protectable memory, a reversed stack and the return address being stored on the stack, combined with languages that have no inherent bounds checking, and you have the recipe for disaster.
All you have to do is find a method with a buffer on the stack of a set size which uses a function to write to the buffer which does not accept and enforce a maximum length and pass it much more data than it expects. The first few bits of extra data will overwrite some of the local variables, if any exist, and the return address of the function. The rest can be the executable code that you wish to call. With a little tweaking you can determine where in memory that executable code will be written so you can target the return address to that location. That's all it really takes.
The No-Execute flag of x64 CPUs helps. The stack memory isn't executable so while the overwrite will be successful the return address will point to a section of memory which cannot be executed and the program will fail. However this requires hardware upgrades. DEP and their kin attempt to emulate NX through software however that imposes performance penalties and is not as pervasive as the NX flag.
There are also compiler tricks to try to prevent this problem. One is the canary method where a piece of data is written to the stack just before the return address. This piece of data is randomly written each time at the very beginning of the method and is copied into a second section of the memory as well. At the end of the function it checks to see if the piece of data in the stack still matches the second copy of that data. If not it assumes that something has overwritten a buffer which has changed the return address and the program crashes. These methods are, however, not perfect. It is assumed that a simple canary mechanism will catch 60% of the types of overflows that can be exploited, but that these are the most common vulnerabilities. Of course, to actually be protected the program has to be recompiled with a compiler that supports automatically inserting the necessary code.
You'd think that this would have been one of those obvious things that should have never been possible. However, 25+ years ago nobody thought about security at all, and we suffer today as a result.
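The two comments above (the one on how an overflowing buffer runs into what sits above it in the frame, and this one on canaries) can be shown side by side in a small program. This is an added example written for this thread, not code from any commenter; the frame layout `frame_t`, the fixed `DEMO_CANARY`, and the names `copy_unbounded` / `copy_bounded` are all constructed for the demo. The struct stands in for one stack frame so the overlong copy corrupts a canary field inside one object rather than real control data; the unbounded copy is the defect, the bounded copy is the fix, and the canary check is the compiler-style detection.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout standing in for one stack frame: a fixed-size local buffer, then the
 * canary word a compiler would place between the locals and the saved return
 * address. `spill` stands in for the return address and the caller's frame;
 * it exists only so that an overlong copy in this demo stays inside one
 * object instead of corrupting real control data. Constructed for this example. */
typedef struct {
    char     buf[16];
    uint64_t canary;
    char     spill[64];
} frame_t;

/* Fixed value for the demo; real implementations draw the canary at random
 * at process start, so input cannot simply reproduce it. */
#define DEMO_CANARY 0x0a00deadbeef00ffULL

enum { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_CANARY_SMASHED = 2 };

/* The defect the thread describes: a write into a fixed buffer with no length
 * check. The copy goes through a pointer to the whole frame so the compiler
 * cannot assume it stays inside `buf`. Everything past byte 16 lands on the
 * canary (and, past that, on what would be the return address). */
int copy_unbounded(const char *input, size_t len, uint64_t canary_value)
{
    frame_t f;
    unsigned char *base = (unsigned char *)&f;   /* buf sits at offset 0 */

    f.canary = canary_value;                     /* prologue: store the canary */
    memcpy(base, input, len);                    /* no bound on len */

    /* epilogue: compare against the saved copy before returning */
    return f.canary == canary_value ? COPY_OK : COPY_CANARY_SMASHED;
}

/* The hardened form: the copy is clamped to the buffer, the result is always
 * NUL-terminated, and the caller is told when input was cut short. */
int copy_bounded(const char *input, size_t len, uint64_t canary_value)
{
    frame_t f;
    size_t n = len < sizeof f.buf - 1 ? len : sizeof f.buf - 1;

    f.canary = canary_value;
    memcpy(f.buf, input, n);
    f.buf[n] = '\0';

    if (f.canary != canary_value)                /* cannot happen: copy is bounded */
        return COPY_CANARY_SMASHED;
    return n == len ? COPY_OK : COPY_TRUNCATED;
}

/* Constructed 40-byte input: long enough to cross the 16-byte buffer and the canary. */
const char *overlong_input(void)
{
    static char big[40];
    memset(big, 'A', sizeof big);
    return big;
}

int main(void)
{
    printf("short input, unbounded copy: %d\n", copy_unbounded("hello", 5, DEMO_CANARY));
    printf("40 bytes, unbounded copy:    %d\n", copy_unbounded(overlong_input(), 40, DEMO_CANARY));
    printf("40 bytes, bounded copy:      %d\n", copy_bounded(overlong_input(), 40, DEMO_CANARY));
    return 0;
}
```

The unbounded copy reports the smashed canary only after the damage is done, which is exactly the point made above: a canary turns a silent hijack into a crash, it does not prevent the overwrite. It also shows why the value must be unpredictable, since input that happened to reproduce the canary bytes would pass the check. The bounded copy never reaches that state at all.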
According to F-Secure's weblog they really didn't have to open the file, it was enough that Google Desktop Search indexed the file.
I'd read this before you take your chances, because it appears as though the exploit will work when the .wmf is disguised as a .jpg (or other extensions)
The WMF format is simply a stream of GDI commands. GDI (Graphics Device Interface) is the Windows API and abstraction layer for graphics, allowing the same set of drawing functions to be targeted at a variety of different "device contexts" such as printers and the screen.
A WMF file is (traditionally) created by obtaining a device context on a file and drawing to it using the GDI API functions, which "records" the sequence of commands to disk ready to be replayed later to recreate the image. These days, of course, there are libraries and applications which read and write WMF files directly, such as libwmf. There's little practical use for this format outside of Windows development, however.
There's a second format called "Enhanced Metafile" (EMF) which is a newer, 32-bit version of the WMF format introduced with the 32-bit Windows API.
Beating the rogue access point (AP) dead horse a bit here, and spelling it out for those who don't "get it".
Badguy creates hostile "website" with Windows exploit. Badguy goes to local airport terminal or Starbucks and pretends to be a legitimate wireless hotspot using Airsnarf or similar rogue AP utility. Badguy FORCES any user who joins wireless network to browse the hostile website that has the Windows exploit. User gets owned. Lather, rinse, repeat.
You can do this to your neighbor, too, if they have an open access point. FYI.
The point is that it does NOT require coincidental surfing of hostile websites to gather and exploit targets with a Windows 0-day these days. The rich and elite road warriors carrying all their financial and corporate data with them are prime targets. Attackers with rogue AP setups can make easy money from hotspot users by FORCING them to browse a hostile "website" with a rogue AP "splash page".
Particularly vulnerable are hotspot users that have the Windows operating system installed and use IE as their default browser.
Sincerely,
Beetle
The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences.
Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug.
I find this mind-boggling to the point of absurdity. Regardless of any supposed benefit gained by this, allowing a data file to execute arbitrary code upon it being viewed is simply begging for an exploit like this. No matter what spin Microsoft will try to put on this one, it makes them look bad. Extremely bad.
I hear there's rumors on the Slashdots
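The "stream of GDI commands" description earlier in the thread and the callback-registration point in the post above come together in a record walker: a WMF file is a header followed by length-prefixed records, and the callback registration lives in an ESCAPE record whose escape function is SETABORTPROC. The scanner below is an added example written for this page, not code from the thread, Symantec, or F-Secure; the function name `wmf_count_setabortproc` and the two byte arrays are constructed for the demo. It counts SETABORTPROC escapes in a buffer, treats malformed streams as suspicious rather than trusting them, and looks only at bytes, so a file renamed to .jpg (as another comment warns) is handled the same way as one named .wmf. The record and escape identifiers come from the WMF format itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Record identifiers from the WMF format. */
#define META_EOF          0x0000u
#define META_ESCAPE       0x0626u
#define META_SAVEDC       0x001Eu
#define ESC_SETABORTPROC  0x0009u
#define PLACEABLE_KEY     0x9AC6CDD7u   /* "placeable" metafile prefix, 22 bytes */

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the record stream of a WMF image held in memory and count ESCAPE
 * records that request SETABORTPROC, the callback registration described in
 * the thread. Returns that count, or -1 when the stream is malformed (bad
 * header, a record that runs past the end, or no EOF record). The file name
 * or extension plays no part: only the bytes are examined. */
int wmf_count_setabortproc(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int hits = 0;

    if (len >= 22 && rd32(buf) == PLACEABLE_KEY)
        off = 22;                                 /* skip the placeable header */
    if (len < off + 18 || rd16(buf + off + 2) != 9)
        return -1;                                /* standard header is 9 WORDs */
    off += 18;

    while (off + 6 <= len) {
        uint32_t size_words = rd32(buf + off);    /* record size, in 16-bit words */
        uint16_t func       = rd16(buf + off + 4);

        if (size_words < 3)                       /* too small to hold size + function */
            return -1;
        if (size_words > (len - off) / 2)         /* record claims more than remains */
            return -1;
        if (func == META_EOF)
            return hits;
        if (func == META_ESCAPE && size_words >= 4 &&
            rd16(buf + off + 6) == ESC_SETABORTPROC)
            hits++;
        off += (size_t)size_words * 2;
    }
    return -1;                                    /* ran out of data before META_EOF */
}

/* Constructed 34-byte sample: standard header, one ESCAPE/SETABORTPROC record
 * with an empty data block, then EOF. It carries no payload at all; it only
 * exercises the record walker. */
const uint8_t wmf_with_setabortproc[] = {
    0x02, 0x00, 0x09, 0x00, 0x00, 0x03, 0x11, 0x00, 0x00, 0x00,  /* type, hdr size, version, size */
    0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00,              /* objects, max record, members */
    0x05, 0x00, 0x00, 0x00, 0x26, 0x06, 0x09, 0x00, 0x00, 0x00,  /* ESCAPE, SETABORTPROC, 0 bytes */
    0x03, 0x00, 0x00, 0x00, 0x00, 0x00                           /* EOF */
};

/* Constructed benign sample: same header, one SAVEDC record, then EOF. */
const uint8_t wmf_benign[] = {
    0x02, 0x00, 0x09, 0x00, 0x00, 0x03, 0x0f, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x03, 0x00, 0x00, 0x00, 0x1e, 0x00,                          /* SAVEDC */
    0x03, 0x00, 0x00, 0x00, 0x00, 0x00                           /* EOF */
};

int main(void)
{
    printf("sample with SETABORTPROC: %d\n",
           wmf_count_setabortproc(wmf_with_setabortproc, sizeof wmf_with_setabortproc));
    printf("benign sample:            %d\n",
           wmf_count_setabortproc(wmf_benign, sizeof wmf_benign));
    printf("truncated stream:         %d\n",
           wmf_count_setabortproc(wmf_with_setabortproc, 20));
    return 0;
}
```

A gateway or mail filter would read each image into memory and call the walker on it regardless of declared type; a non-zero count or a -1 is reason to quarantine, since a well-formed image has no business registering a callback and a stream that lies about its record sizes is not one the renderer should see either.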