Interview with Ilfak Guilfanov (WMF Patch Hero)
GrayWolf42 writes "SecuriTeam Blogs has posted an interview with Ilfak Guilfanov, one of the people developing the IDA Pro disassembler, who also happens to have written the unofficial WMF vulnerability patch. In this short interview he discusses the patch, how it works, and why he wrote it." From the article: "Q: When you heard of this vulnerability, you created a temporary patch to close the hole until Microsoft updated its software. Could you tell us more about what the patch does? A: The patch just removes this powerful command. It does not do anything else. The fix modifies the memory image of the system on the fly. It does not alter any files on the disk. It modifies [the image of] the system DLL 'gdi32.dll' because the vulnerable code is there." Microsoft has released an official update, which you should be able to download from the windows update site.
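The hotfix described above removes the SetAbortProc escape from gdi32.dll in memory; a complementary defender-side check is to scan WMF files for the record that invokes it. As an added example (not from the article, this thread, or Ilfak's patch), here is a small Python parser that walks WMF records and flags META_ESCAPE records carrying the SetAbortProc sub-function. Record layout and constants follow the published WMF format; the sample files are constructed inline with zero-filled escape data.

```python
"""Flag WMF records that invoke the SetAbortProc escape, the primitive that
the in-memory gdi32.dll hotfix disables."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte "placeable" header
META_EOF = 0x0000
META_ESCAPE = 0x0626        # record type that forwards escapes to the GDI driver
META_SETMAPMODE = 0x0103    # harmless record used only to pad the sample file
SETABORTPROC = 0x0009       # escape sub-function that registers a callback


def iter_records(data):
    """Yield (offset, function, params) for every record in a WMF byte string."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]  # normally 9
    if header_words < 9:
        raise ValueError("bad WMF header size")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        nbytes = size_words * 2  # size field counts 16-bit words, incl. header
        if nbytes < 6 or off + nbytes > len(data):
            raise ValueError("bad record size at offset %d" % off)
        yield off, func, data[off + 6:off + nbytes]
        if func == META_EOF:
            return
        off += nbytes


def find_abortproc_escapes(data):
    """Return [(offset, declared_byte_count)] for each SetAbortProc escape."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape, count = struct.unpack_from("<HH", params, 0)
            if escape == SETABORTPROC:
                hits.append((off, count))
    return hits


def _record(func, params):
    """Encode one WMF record (size in words, then function, then params)."""
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(with_abortproc, placeable=False):
    """Constructed minimal WMF for testing; escape data is all zeros."""
    recs = [_record(META_SETMAPMODE, struct.pack("<H", 8))]
    if with_abortproc:
        esc = struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8
        recs.append(_record(META_ESCAPE, esc))
    recs.append(_record(META_EOF, b""))
    body = b"".join(recs)
    max_words = max(len(r) for r in recs) // 2
    total_words = (18 + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, max_words, 0)
    out = header + body
    if placeable:
        pl = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for w in struct.unpack("<10H", pl):  # XOR of the first ten words
            checksum ^= w
        out = pl + struct.pack("<H", checksum) + out
    return out


if __name__ == "__main__":
    for flag in (False, True):
        print("abortproc=%s -> %s" % (flag, find_abortproc_escapes(build_sample(flag))))
```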
Seems like the site also provides a BinDiff output of the Microsoft patch: http://blogs.securiteam.com/index.php/archives/184
The "SecuriTeam Blogs" site has been a very good source for real-time security information since it came online.
MS deserves bashing for the flaw, but there's a difference between an untested one-man release, and the official, QA'd patch. Part of the reason Microsoft couldn't release a patch immediately is because they need to make sure their fix doesn't break anything else.
The theory of relativity doesn't work right in Arkansas.
I think the /. post should link to Microsoft Update and not Windows Update. Microsoft Update will patch MS Office and other products as well as Windows.
It's one step closer to "apt-get update; apt-get upgrade".
So this is a design issue?
Yes, it is a design issue.
I would think the MS would have a department of crackers and hackers to try to do shit like this. Also, didn't any of the original developers think of this when they wrote it or did they think the exploit was so remote, that it'll never happen?
http://thisweekintech.com/sn21
The guy removes one line of code and becomes famous almost instantly.
Why didn't anyone at Microsoft think of this solution? They might have been put in charge of their own security team.
He who knows best knows how little he knows. - Thomas Jefferson
Whenever I go to the windows update site, all it finds is the Office SP3 patch. When I try to download it manually, IE crashes. I'm not sure if windows update grabbed it automatically, or if Windows is just POS software.
From SecuriTeam Blogs: Is there anything that you think should be done to make vulnerabilities like this less dangerous in the future?
Good design and good coding practices, but that is easier said than done.
But shouldn't that be everybody's focus? We're seeing a lot of articles this week on coding practices, bugs, and vulnerabilities, and it all boils down to how hard every programmer is going to work to eliminate them. It's unrealistic to think that there will be no bugs in any piece of code, but if there are to be bugs/vulnerabilities, their impact should at least be minimized. And it's going to take teamwork; the day of the lone programmer capable of wiping out the bugs is long over.
GetOuttaMySpace - The Anti-Social Network
Windows security is a joke. The only solution to cope with the delay between an exploit and its fix is to reimage Windows to its fresh-install configuration, and reapply all the patches from first to last with networking off. Microsoft doesn't make that easy to do.
As soon as MS updates gdi32.dll, his fix will not work and/or make something bad happen...
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
Why would they need to hire a department when there's a whole world of people willing to do this for free? ;)
MS should have been all over this once the news hit. Why did it take them so long to get a patch out the door for this vulnerability? I suppose I could understand that it was the holiday, but even then, with 90%+ marketshare, you have an obligation to get that patched up ASAP. This could have been a lot worse than it is/was, but I think the pressure from outside and the release of the "unofficial" patch is ultimately what got MS off its collective ass and back to work.
My MythTV HowTo
Leo Laporte and Steve Gibson also interviewed him yesterday in their very professional sounding security podcast.
I love how the Slashdot Windows logo is a broken window, but all of the other OSes on this site have perfectly legit logos representing their topics. Must be a shout-out to all the Windows haters out there... Could we get a legit logo for Windows topics here? Something like this?
Ironically, I thought you said lowercase 1 (one).
There's also a very good podcast interview Ilfak did with Leo Laporte. If you'd like to check it out, here's the direct link.
Why not just auto-scramble the DLL code on the fly for every installation of the Windows OS?
That would mean buffer overflows are essentially defeated in the vast majority of cases? One simple thing we could do would be to insert random NOPs in DLLs, making the buffer overflow get the correct offset wrong most of the time and thus fail to work. I'm sure there are dozens of more clever ways to achieve this, in a completely general sort of way.
The reason these attacks spread is that the binary code is essentially a monoculture crop -- all clones of each other. Why not take the SID of a system, or some GUID, and use it to morph all the binary images on a system in a unique way for that system?
Since lots of attacks use NOPs, XOR'd code, and other techniques to avoid being detected as code, why don't we apply the same techniques to our binary objects to obfuscate them from the attacking code?
Paul Sop
From the article:
:-(
:( bummer!
You will have to download from one of the better-connected mirrors, as poor Ilfak has already had to move hosts once. I guess he's a victim of his own popularity.
Why can't we get credit for THAT?
Weird, here's what I got when clicking the Windows Update link :)
Thank you for your interest in obtaining updates from our site.
To use this site, you must be running Microsoft Internet Explorer 5 or later.
To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.
I agree with "User 956 (568564)", this type of thing should not be encouraged. What if that custom patch had some sort of flaw that resulted in some major problem or data loss?
Maverick patches are the last thing we need. And now, since this guy is getting a bunch of press, we will have 90 million hackers trying to be the first to release a patch for the next MS bug. And next time, it might not be so stupidly simple to fix.
Why not take the SID of a system, or some GUID, and use it to morph all the binary images on a system in a unique way for that system?
Now that sounds quite similar to M$'s "(un)Trustworthy Computing" bit. Since the keys and the encryption algorithm both reside on any given system, the decryption must take place within a (hardware embedded) subsystem in order to prevent the system software from being compromised. Uh, what happens if I want to install LINUX, or even when I just want to reinstall Windows? Absent hardware encryption and hardware checking, I don't see how such a scheme can be made secure, and I think you will find that the majority of /.'ers are vehemently opposed to embedded hardware preventing valid users from installing valid software on their systems (a known and expected result of implementing M$'s "(un)Trustworthy Computing" protocols).
For the record, I can only recall one instance where it was more reasonable to reinstall LINUX than to fix it; my experience with Windows, however, includes many reinstalls. Software-based encryption means that it will be difficult at best to rescue files from a compromised system; hardware-based encryption means that M$ (via the agency of your hardware manufacturer) pwns j00r 50u1.
Palladium, anyone?
According to the "download from the Windows Update site" link, Microsoft doesn't want me to update:
"To use this site, you must be running Microsoft Internet Explorer 5 or later.
To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website."
I guess Firefox isn't good enough.
I think if MS did that, it may slow down the search for exploits until someone comes up with the de-scrambler. If the starting point of the scramble is on the system, the hackers will have a starting point to break it. From there it's just a matter of time until someone comes out with the crack. Just like any copy protection scheme. DenDude
A Haiku: my language choices/assembler pascal lisp c/old school programmer
Or just do what OpenBSD does: Make writable memory non-executable, make executable memory non-writable. This bit of common sense is disappointingly rarely implemented.
Russians all da way bro. Best hackers in a world are russian hackers.
Thanks, comrade. And also thank you for the extra bandwidth and hard-drive space. Your zombified box is helping us spread our spam to the proletariat.
That's all reversible information, though. Somewhere, for an executable to work, this information would need to be stored, and on the disk. Considering that nothing stored on disk is completely secure, I don't see this as a viable option.
Consider the GUID option: that GUID is going to have to be known so that every time a new DLL or EXE or other executable code file is copied, on an OS level, to the system, it can be modified to include the correct jump points. It would be trivial to write a hack that grabs this GUID stored somewhere. Knowing that this GUID is used to jumble the locations of a process, the whole thing could be "undone". Even if you were to generate the GUID on the fly (with each execution), the problem arises that the original executable code is still on the disk somewhere, and that you can get at that file. The only security this creates would be fleeting, because it depends on the method of "encrypting" the file with the GUID being secret, or the method by which the GUID is created being secret. Otherwise, it's all easily repeatable by anyone who takes the time to determine how the GUID is generated.
Even a best-case scenario, in which the GUID is generated based on some known information and some pseudo-random information, applied on execution of the file at the OS level, and then the file is run from memory, could still fall prey to some easy hacks: patterns. If the file is ever stored on the disk, it can be analysed, patterns generated from it, and memory locations could be determined from that.
Basically, any executable stored is vulnerable to this unless the code is secure to begin with. Instead of patching the entire system with a solution that is more of a cold-medicine-style fix, the key is to have both engineers design good specs and programmers write better code.
This would not prevent procedure call hijacking attacks, where an existing call to a procedure is given specially crafted parameters. Nor would it prevent exploits from using system calls directly. Just like preventing execution of code in the stack segment, the measure would make attacks harder, but would not prevent them.
You're an immobile computer, remember?
I think Microsoft deserves a great deal of criticism for their response to this exploit. Let's face it, exploits will always be a fact of life. How we deal with them is what separates the kids from the adults.
In this context I find it quite amusing that Guilfanov was able to make a quick and effective fix without the benefit of the source code for gdi32.dll. In contrast the folks at Microsoft thrashed around for more than a week before realizing the significance and the simplicity of the fix.
I wonder how many more times this sort of thing will have to happen before people realize what a poor job Microsoft is doing managing their security flaws. What are people paying them for, anyway?
Nearly fifty percent of all graduates come from the bottom half of the class!
Has anybody written a scrambler like this for generic executables? Of course it wouldn't have fixed this bug, but it could be very useful in the future.
Is this along those lines?: http://www.itlocation.com/en/software/prd54552,,.htm
(T>t && O(n)--) == sqrt(666)
It's hard to descramble something that is random, or pseudo random. There is no 'key' to break as it were.
:)
Further, the descrambling code would have to be on the system in the first place to begin the descrambling.
Also, the loader could randomize each piece of code each time it was loaded, or possibly even while it was running.
Kind of like Java's 'Hot Spot' run time optimizer, but geared towards making the code running functional, but unknowable, even to a debugger -- at least in practical cases I can think of this afternoon
Paul Sop
Fair enough.
What if the number was more random? Wide spectrum radio receiver in a chip, spitting out entropy?
Paul Sop
http://www.datarescue.com/freefiles/funnyad.jpg
Their database is down, and the error message says the DB server is "localhost". Their webserver is listening on a world-facing interface on 3306. Leet!
as reported on zdnet.com
I'm not saying these are (necessarily) insurmountable, but:
One doesn't really have _full_ flexibility in binary layout. There are issues like word alignment to be aware of.
Windows needs to know how to get the address of a symbol, by name, dynamically. Even if you change the address underneath, the exploit only needs to call a routine to just call the moved function by name.
One of the advantages of DLLs is that the text (code) segments are shared cross-process. If you want to make the loader muck with the images per-process, you effectively have static libraries. This is lethal on server type applications with hundreds or thousands of separate address spaces.
Note that if you _don't_ do per-process space scrambling, your exploit can just scan its entire address space to see where the relocated stuff is, because it will be the same in all the other address spaces on the box.
Finally - this was a spec defect - my understanding is that the code is actually running as designed. It's just a facility that has no business in a modern, assumed-hostile computing world.
My opinions are my own, and do not necessarily represent those of my employer.
Why not just auto-scramble the DLL code on the fly for every installation of the Windows OS?
Because adding NOOPs will not change the behavior of the functions. Case in point: it would not have blocked this security hole. Nor would it really block any security hole.
Exploits just attempt the exploitable behavior and if it works, then it works; if it doesn't then the exploit fails, but who cares? And it continues on.
The problem with buffer overflows is the regularized position and size of the STACK and FUNCTION HEADER, this has absolutely nothing to do with the code itself. One could easily design a random-like stack adjustment that would protect from buffer overflows while still having the code remain exactly the same on every computer.
I am unamerican, and proud of it!
Are you guys serious? This man is not a hero. He may be a clever programmer, talented security analyst, or an all around nice guy. No one is a hero for releasing a security patch. Heroes risk their lives for other people. Heroes are full of courage and strength. Heroes do not write security patches.
This may come as a shock, but you don't end up becoming a hero by sitting in your parents' basement, drinking Mountain Dew, and trying to find the latest security exploit. If that's your aim you should probably step outside once in a while and do something worthwhile.
Microsoft apologist/lackey Rob Enderle says NOT to use this patch.....
There's also an interview with him in yesterday's Security Now! podcast
http://www.twit.tv/
Insert Sig Here
That's exactly what Data Execution Prevention (DEP) is. It requires XP SP2 and a CPU that has the NX bit (or I forgot what Intel called the "we didn't copy this from AMD" bit). In fact, it appears that DEP does stop the exploit.
In other news it is unclear if Microsoft will press charges under the DMCA, since this person is clearly a criminal because only by reverse engineering the Windows OS would it have been possible to create this patch...
Seven puppies were harmed during the making of this post.
Sure.* Tools|Options or Edit|Preferences, Content tab, change default font, click Advanced, and change the font for the appropriate languages. I'm not sure as which one Slashdot comes up--because I have all my fonts set to the same thing--but this does work.
*- Disclaimer: This is for Firefox 1.5. Opera's configuration is similar, though may involve using a CSS.
In addition to W^X they have:
or bundle yet another software package illegally
The evil! I understand what you mean, but honestly, evil? Evil is what happens when one person kills another person. Evil is not giving someone software for free. It's not a word that should be used so lightly. Yes, Microsoft is very annoying and their behavior has served to hinder competition for years, and yes, much of it is illegal. But it's not evil. Does it really make you feel better to look at a broken window? I suppose in a secular society that no longer believes in the devil or any real kind of evil, we are forced to invent the devil in the image of someone we don't like (i.e. Bill Gates) and call everything he does "evil". Thus because we are not him, and actively support those that compete against him, we are "good" and by all measures saints. Just as long as we don't violate the fourth commandment by bundling free as in beer software with our non-opensource monopolistic software!
Well.. maybe. Or Maybe not. But Definitely not sort of.
I run an embedded software writing firm, and have had the good fortune to work with several Russians and others from that general part of the world. One said he'd do the first job free so I could see how good he was, and did something that would have taken my guys maybe a couple weeks in only a couple of days. Since this was both gui and presets related for a ton of little things that all had different gui and preset requirements and all the gui modifications were in good taste and true to the original style, I was VERY impressed. Know what? I went ahead and sent him a good chunk of change. Go Vladimir R!
Look on kyeu.com forums (I think it was).
hardware DEP does stop the exploit under certain conditions, but installing other (seemingly unrelated) code invalidates the protection (because they are binaries packed with some special software and MS turns off DEP for those binaries since they wouldn't work otherwise).
I'm surprised DEP worked at all on this, the flaw is a design flaw, not a buffer overflow exploit.
http://lkml.org/lkml/2005/8/20/95
Because he criticized MS? His point is valid. Somebody mod that mod. Ilfak's patch worked well enough that security firms were recommending it in a shorter time than it took MS. There's no flamebait here unless we've suddenly been transferred to the Microsoft forums.
See here.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Even though the site has taken a rather plain-jane approach in recent times, it's quite legible here.
In fact, this gets me thinking that just a rotating use of stack base pointer in new processes would force exploits to be more clever... That, and arbitrary code relocation, is far easier than actually mangling the code.
"Canaries" as safeguards on the stack and no execute of writable memory combined might give you a pretty good improvement, but they are still vulnerable. The SetAbortProc exploit here could, even with DEP, possibly be targeted against a suitable API address and attack the system.
I just updated Windows with the new patch and !!Whammo!! all the /. posts are black where all I can read is the subject and links. Anyone else have this problem? Works fine in Firefox and Opera though...so I could really care less. Just curious if anyone else is having the same issue.
--------
I just /.ted your Mom.
Now, you could ask, why don't Microsoft improve the PE format so it works more like ELF, use the new format for their own system DLLs and then randomize them. And you'd have an interesting question - I don't know why not. Presumably it's considered very difficult, I know that a few Microsoft employees have mentioned they hate touching very low level code like the linker because so few people understand it these days and it's so easy to break things.
The latest Microsoft compilers do implement canaries to check for buffer overflows, and DEP too.
There are still exploits for them though: http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf
The per process cookie isn't write protected, and exception handlers can be located on the heap.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Moderators and metamoderators: the parent's post is humorous!
this comment is provided "as is" and without any express or implied legibility or congruity [...]
Bill, if you're really serious about security and customer service, release the patch for all Windows versions that contain the vulnerable code. Do it now, not after there are thousands of compromised systems. Old systems are a fact of life. They can't run XP, and the owners of hand-me-down systems can't afford to replace them just because you don't care.
Why does everyone keep referring to this as a zero-day exploit? This is a long-standing vulnerability which has existed since 1990. It has only recently been publicised, granted, but it is a 15-yr-old vulnerability. Those running older versions of Windows, which MS has graciously declined to support, are still vulnerable to this "design flaw". On the plus side, a zero-day exploit generally means an obvious hole - this hole has existed for years, and it's taken 15 years for it to be published. Is that really a Good Thing, though? It's a fscking big design flaw, at that - if in doubt, execute randomly-supplied code. It is right that MS have been under pressure to produce a patch for Windows XP, but there must still be pressure to provide patches for all versions of Windows which are vulnerable to such a wide-open and so easy to exploit flaw. It's not just about the risk - it's about the fundamentally poor design. Let's try the old, boring comparisons again (well, what else is there?) - if a car which has been sold over the past 15 years has a flaw (possibly known by "baddies" for the past 15 years) which means that the V5/pink-slip/ownership papers/call-it-what-you-will can be transferred remotely simply by driving through a bad neighbourhood, there would be an international outcry, and (even if that car was no longer on sale) the manufacturer would have to make a fix available, whatever the cost. MS should be pulled up on this, and pulled hard. Some guy "discovered" this flaw (I've never looked at WMF before, I'm sure most of us haven't, but presumably enough people have looked at it for compatibility (I see that the WINE guys implemented it without spotting the flaw)) but from what I read, it's a documented "feature" of WMF that if an error occurs, then you can provide your own code to deal with the error.
That must be tantamount to negligence - not in the original design, as it was written before MS realised that the internet existed, but in adding a TCP/IP stack to such code, without reviewing what code they were exposing to the internet. They spent however many $m on promoting Win95 and its internet features - what did they spend on ensuring that it was safe to put on the internet? What I really find interesting, is what else the code which discovered this flaw, could possibly discover? And who else has written similar software, but kept it to themselves for private reasons? Steve.
Author, Shell Scripting : Expert Re