Exploit Released for Unpatched Windows Flaw

woodchuck writes "Washington Post reports that another Windows hole has been found and exploit code is now running lose that makes swiss cheese of current patches and security measures. From the article: "Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied. Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf). Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via IRC.""

Easy workaround to avoid the exploit

[kawika]

Unregister the dll that provides WMF viewing. Click Start, Run, and enter this:

    REGSVR32 /U SHIMGVW.DLL

Sunbelt has more detail here.

Re:Easy workaround to avoid the exploit

Just my own experience... After issuing the reg command I was unable to view thumbnails in explorer of jpegs taken by my camera. I was also quite unable to open any of them until I issued the command to register the dll again ( regsvr32 shimgvw.dll ).

Re:They call hackers researchers now?

[dorkygeek]

They're not hackers, they are crackers. Or intruders. Or black hats. Or fucking idiots. But not hackers. Linus Torvalds is a hacker. Alan Cox is one, and RMS definitely. Maybe even ESR.

Thank you.

Upside.

[grub]

With Vista you'll be able to get this from the comfort of an RSS feed!

Fix from article

[Rangsk]

Here is the fix, from the linked article in case you DNRTFA:

----
According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
----

I'm not sure if you need to type this every reboot, or just once. Since it requires re-enabling, I'm hoping it's just once.

Re:Fix from article

[CargoCultCoder]

I'm not sure if you need to type this every reboot, or just once. Since it requires re-enabling, I'm hoping it's just once.

regsvr32 registers a COM/ActiveX "server" by modifying Windows registry entries. So, in theory, you need only run it once.

It is possible, however, that if you later install other software, the installer may re-register the DLL in question, in which case you'd want to manually unregister it again.

(Hmm. I suppose it's only coincidence that this novel approach to registering appeared on thedailywtf yesterday...)

Broadband Reports' Security Forum Thread...

[antdude]

Also, read Broadband Reports' security forum thread for discussions and what people observed.

Scary.

Surfing for porn with IE on Windows is like having unprotected anal sex with everybody on the internet.

Re:Scary.

[k00110]

"Update, 12:30 p.m. ET: Several security groups are reporting that it is extremely easy to get whacked by this vulnerability/exploit just by visiting one of a growing number of malicious Web sites that are now employing this attack. F-Secure's blog post on this indicates that -- because the vulnerability lies in the way Windows parses WMF image files -- Firefox and Opera users also can get infected -- although they at least have to agree to download and run a file first"

That's what they say in the article but the only thing I did was to open a .wmf movie in Firefox. I did not click/agree/install anything else.
The thing just auto-installed it-self from that point.

Re:They call hackers researchers now?

[GaryPatterson]

You're fighting a lost battle there. The common understanding of the word 'hacker' now implies criminal behaviour.

The whole 'white hat' and 'black hat' thing never made it to the media, so all hackers are 'black hats' now.

Re:They call hackers researchers now?

[ninja_assault_kitten]

The exploit was published by HD Moore after reverse engineering some malware. HD Moore is absolutely a very prominent researcher and hacker. Secondly the person(s) who discovered the vulnerabilty and wrote the initial malware to exploit it are also hackers. Even by the historical definition. Intent has no bearing on the term. Skill does. And you can't tell me discoverying a 0day affecting any MS platform doesn't require skill. There are tens of thousands of researchers out there right now who can't.

Re:They call hackers researchers now?

They're not hackers, they are crackers.

UUuummm no. Ever since the 1980's underground scene the word cracker has refered to a person who breaks the protection on copywritten software. It was that way for years until that ruddy faced blowhard "ESR" decided to start using the term "cracker" as a synonym for "computer criminal."

Talk about hypocrisy. ESR gets all pissed about the media misusing the word hacker so he turns around and starts misusing the word cracker. And because of his position as editor of "The Jargon File" he has influenced the web culture (newbies at least) that the word cracker is synonymous with cybercriminal even though anyone who was in the pirate scene back in the eighties can tell you that a cracker was by the following DEFINITION:

"Software cracking is the modification of software to remove encoded copy prevention. Distribution of cracked software (warez) is generally an illegal (or more recently, criminal) act of copyright infringement. Software cracking is most often done by software reverse engineering."

Genius Idiots.

[mumblestheclown]

The people who took advantage of this loophole did so with a clear economic motive. This is because the loophole is used basically to a) install spysherriff, a bogus anti-spyware program and try to get the user to pay for it with a credit card b) install surfsidekick and other idiot spyware programs c) install a spam sender, in order to make a few more billionths of a cent.

In other words, whatever asshat took advantage of this loophole did so because he thought he could make a buck. If his goal was simply to bring Windows to its knees, cause havoc, or make a political/economic statement of some sort, he would have chosen something else. Wiping out My Documents of all the infected machines, for example.

Whoever did this is obviously deluded. While some money will of course ultimately flow from this nonsense to the "see no evil" people who are the beneficiaries of spamvertisements, spyvertisements and so forth, the actual exploiter basically has little to know chance of getting it (even if he is in Russia, as I'd suspect is a good bet) as his affiliate commission links will be tracked, as will wherever the hell that credit card box for SpySherriff was pointing to and so forth.

So we have somebody smart enough (and make no mistake, it takes some smarts) to either discover or be in a small clique of people discovering a quite obscure loophole (it must be obscure, given just how old the affected .dll is), but have ABSOLUTELY NO FUCKING CLUE how to go about exploiting it other than in the most juvenile and unlikely way to fail imaginable. Furthermore, even though it is likely to fail, the guy has shown himself to basically be a psychopath, with little to no concern about the hundreds of thousands of hours (read: PEOPLE-LIFE-EQUIVALENTS) that will be spent agonizing over and fixing this.

Whoever that person is, they are human filth. But, there's a lot of human filth out there. The sad thing is that this person obviously has potential to do so much more but simply pisses it away intead. Pathetic.

Watch out for Google Desktop

[Repton]

From F-secure's blog:

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

Re:Not Previously Unknown

[Martin+Blank]

It's completely new. The WMF patch released before does not protect against this exploit.

http://www.securityfocus.com/bid/16074

Re:Not Previously Unknown

MS has released a patch for it...

so that explains why fully patched systems are still vulnerable, yes?

I guess you are really not doing your research. Read the Sunbelt article:
http://sunbeltblog.blogspot.com/2005/12/new-exploi t-blows-by-fully-patched.html

particular where it says: "We saw a new nasty exploit yesterday around 5:00 PM. This is a totally new exploit and is not the same one posted by FrSIRT back on 11/30/05."

The previous one they referred to is here:
http://www.frsirt.com/exploits/20051130.MS05-053.c .php

Microsoft Windows Metafile (WMF) "mtNoObjects" Header Remote Exploit (MS05-053)
Date : 30/11/2005

Advisory ID : FrSIRT/ADV-2005-2348
Rated as : Critical
Note : Proof of concept exploit (DoS) /*
* Author: Winny Thomas
* Pune, INDIA
*
* The crafted metafile (WMF) from this code when viewed in explorer crashes it.
* The issue is seen when the field 'mtNoObjects' in the Metafile header is set to 0x0000.
* The code was tested on Windows 2000 server SP4. The issue does not occur with the
* hotfix for GDI (MS05-053) installed.

This is the one that has been patched by Microsoft.

I guess you thought it's just not possible for there to be more than one hole per rendering engine, right?

Re:How/Why does thi skeep happening

[HermanAB]

It is a carefully crafted buffer overflow in the stack causing a return address to be overwritten. A subroutine return instruction then jumps to the exploit code, instead of the parent routine. This an old trick to implement dynamic jump tables, exploited for malicious purposes.

Re:But ...

[HermanAB]

No, you just have to visit a porn site with Internet Exploder to get automatically infected by this worm. It doesn't require any user action, apart from clicking links in normal browsing.

If you are using Firefox, then what you say is true, since FF requires the user to confirm that he really wants to run the malicious program, so the user actually has to click a confirmation button. The infection is not automatic on FF.

Re:How/Why does thi skeep happening

[dtfinch]

On x86 processors (and probably most others), the stack pushes backward in memory. Each function call pushes the return address onto the stack. Because the stack pushes backwards, a buffer overflow will overwrite the previously pushed values that follow it in memory. So when the overflowed function returns, it'll return to the new address that has been written by the overflowed buffer.

Good stack overflow exploit code is pretty reusable for exploiting newly discovered stack overflows with little modification, which makes these exploits appear so quickly after a new vulnerability is discovered. There's also something called a heap overflow, but using it to run executable code is quite a bit harder and must be tailered to each specific vulnerability.

Nasty!

[sdh968251]

This thing is nasty! I was browsing the internet this afternoon and got it. I have a fully patched copy of Windows XP SP2 with Symantec Antivirus Corporate 9.0. Neither stopped it. I spent about 6 hours running virus scans, Ad-Aware, and Spy-Bot in safe mode. This didn't even come close to detecting everything. I had to manually remove files based on searches by creation date. Interestingly, none of the three tools picked up any of the DLLs mentioned in the next paragraph.

I traced it to an ad within an ad within an ad that sources a WMF file in an iframe. If you want to see this thing in action then use VMWare to load the following link: h**p://iframeurl.biz/dl/xpladv470.wmf. After all is said and done, you'll have trojan.byteverify, trojan.dropper, trojan.bookmarker, download.trojan, w32.conycspa.G@mm, backdoor.shellbot, backdoor.trojan, w32.looksky.A@mm, among others. I also had some new DLLs that were particularly hard to get rid of - msupdate32.dll, msctl32.dll, uytpu.dll, qrlmq.dll - all in the system32 directory.

This has actually never happened to me. I am religious about keeping Windows and my antivirus software up-to-date. It was a good learning experience to see it all in action.

And, by the way, I was not browsing for porn. I was doing a google search for a old Macintosh program named Cache Killer. One of the links listed was "Download Cache Killer Pro v5.0 crack / keygen / serial / patch ...". I clicked on this and ... WHAM! Here's the Google search - http://www.google.com/search?q=cache+killer&hl=en& lr=&start=0&sa=N. It's the last link on the page - h**p://www.crackz.ws/down/25335/Cache.Killer.Pro.v 5.0_crack_serial_keygen.html. This is the page that contains the ad within an ad within an ad. Beware!!!

The file extension is not critical

[whitehatlurker]

I want to point out that the file extension is not used exclusively for file type detection, and the magic string at the beginning of the file will trigger the use of the WMF processing. A ".tiff" extension will also work in a similar manner. (Likely there are several good candidates.)

A few people on this thread don't seem to be familiar with the WMF format or GDI. This format provides for a set of commands which are supposed to be graphics only. (I guess they got carried away in this case.) As the viewer is basically a scripting engine, the exploiters would certainly try to target it for vulnerabilities. I don't have a copy of the dangerous file, so I don't know whether this particular exploit is a buffer overflow or something else.

this may sound bad but

[Revek]

Hell bring it on. I opened my own shop about 4 months ago and can clean most anything off a machine. Its 95% of my buisness so far and im tired of being poor. This week alone Ive cleaned 8 xp home boxes all still sp1 with no antispy or antivirus still running. Only one of the machines needed parts. It had a winlogon popup running that killed windows update and automatic update (senslogn key was missing). I think the real proplem with the current state of affairs is not that the exploits are produced and released but that microsoft builds to fast and to often. They need to can vista and put more R&D into fast fixes. If they want discreet disclosure of exploits they should offer $$ for it. Just tell them and get a check :)..... nah never happen they will just build the new big security hole called a OS.

Re:Just checking...

[Lehk228]

no, 5 years to stop the flood of wormable remote exploits isn't "pretty tight"

Re:They call hackers researchers now?

[Ignominious+Cow+Herd]

The last scene was interesting from the point of view of a professional logician, because it contained a number of logical fallacies, that is invalid propositional constructions and syllogistic forms, of the type so often committed by my wife.

"All wood burns", states Sir Bedivere. Therefore he concludes, "all that burns is wood". This is, of course, pure bullshit.

Universal affirmatives can only be partially converted; all of Al McCogan is dead, but only some of the class of dead people are Al McCogan. Obvious, one would think.

However, my wife does not understand this necessary limitation of conversion of a proposition, so consequently she does not understand me. For how can a woman expect to appreciate a professor of logic if the simplest cloth-eared syllogism causes her to flounder.

For example, given the premise all fish live underwater and all mackerel are fish, my wife will conclude not that all mackerel live underwater, but that if she buys kippers it will not rain, or that trout live in trees or even that I do not love her any more.

This she calls "using her intuition". I call it "crap" and it gets me very irritated because it is not logical.

"There will be no supper tonight!", she will sometimes cry, upon my return home. "Why not?", I will ask ask; "Because I have been screwing the milkman all day!", she will say, quite oblivious of the howling error she has made.

"But", I will wearily point out, "even given that the activities of screwing the milkman and getting supper are mutually exclusive, now that the screwing is over, surely then, supper may now logically be got."

"You do not love me anymore!" she will now often postulate. "If you did you would give me one now and again, so I would not have to rely on that rancid Pakistani for my orgasms."

"I will give you one", I now scream, "after you have gotten my supper, not before." as you see, making her bang contingent on the arrival of my supper.

"Good, you turn me on when you're angry you ancient brute", forcing her sweetly throbbing tongue down my throat.

"Fuck supper!" I now invariably conclude, throwing logic somewhat joyously to the four winds. And so we thrash about on our milk-stained floor, until we sink back exhausted onto the cartons of yougurt. ...I seem to have strayed somewhat from my original brief. But in a nutshell, sex is more fun than logic. One cannot prove this. But it is in the same sense that Mt. Everest is or that Al McCogan isn't.

Good night.

(from the Soundtrack, of the Trailer, of the Film, of Monty Python and the Holy Grail)