WMF Vulnerability is an Intentional Backdoor?
An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.
Isn't this the same Steve Gibson that was freaking out about how Raw Sockets in XP were going to destroy the world a couple of years ago?
/.?
S.G. is a flaming idiot, he looks for (and imagines) ghosts and spooks in every corner. Then flogs his conspiracy theories to promote himself and his business. This probably holds about as much water as the "discovery" of cold fusion and Korean human cloning.
Why aren't we reporting on REAL bugs like the 4 security vulnerabilities found in iTunes this week which opens both Windows and Mac users to external attack? Was the Microsoft bashing quota too low this week?
What is becoming of
Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
I browsed over several posts on his website and come away with the conclusion that he is a few fries short of a Happy Meal. Here's one posting that I found really amusing:
"Thank you Microsoft for blessing us with a patch to fix the products
you currently sell. The products that compete with Linux and Macintosh.
Excellent job at diverting the our attention away from the fact that
Windows 95, Windows 98, Windows 98SE, Windows Millennium Edition, and
Windows NT4 remain vulnerable. Neat trick convincing people that "the
vulnerability is not critical because an exploitable attack vector has
not been identified that would yield a Critical severity rating for
these versions."
Lemme see here. Windows 95 is 11 years old. Windows 98 is 8 years old. Windows ME is 6 years old. And Windows NT4 is 9 years old. How many other operating systems offer patches and support product versions for software that is that old?
Ridiculous.
Basically, the header block for a unit of WMF script contains a "length" field which specifies how long the current unit is. This is standard for this sort of file, and is the primary way to avoid buffer overruns (if you force the data to tell you how big it's supposed to be, and then double check that while reading, you make sure you have enough buffer space to store it all -- otherwise you might read too much, overrun the end of the buffer and trash an important function pointer or something.)
In this case, the smallest possible "length" value is 6, because the header itself takes 6 bytes, so even if the unit had no actual data, the length field itself and the unit's command code is a minimum of 6 bytes.
To trigger the exploit, the length must be set to 1. Not 2, 3, 0, or some other equally invalid value, but only the value "1". Any other value has no effect at all.
If that's the case, they chose a dumb place to put it, because the exploit doesn't even work on Windows 2000 and below without some program installed to handle WMF files. From Larry Seltzer's blog (linked from F-Secure):
http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx
That means that unless Microsoft used some OTHER backdoor to install a handler for it, this backdoor is useless. I suspect this is merely an oversight on their part, and that it just ends up looking bad when you view it from the outside. The only way to know is to see the source code and well, we know how likely that is.
A real backdoor would be something remotely exploitable via the network, as opposed to hiding inside a file or something like that.
"I want to get more into theory, because everything works in theory." -John Cash
In my not so humble opinion, you don't know what you are talking about. Go read some of the links in that site, and you'll see that Steve Gibson is one of the many "security experts" that have no clue but gives dangerous and very wrong "solutions".
Overlooking that Wine has inadvertently re-created this 'back door' by following the API spec. This is all by (poor) design, no code back doors involved. Not even a bug, per se, since it's working as designed.
Like that'd be a tough thing to do...
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
Actually, it's pretty well known that that isn't what happened at all.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
"Windows 95 is 11 years old. Windows 98 is 8 years old. Windows ME is 6 years old. And Windows NT4 is 9 years old. How many other operating systems offer patches and support product versions for software that is that old?"
I know of at least two. Both Sun and HP still provide support or patches for versions of UNIX System V that are older than Windows 98.
First you have to understand what the ramifications of this are likely to be.
The NSA is (in theory at least) legally forbidden to spy on Americans. Their main mission involves cryptanalysis (codebreaking) and signal intelligence. So they spend a lot of time in foreign countries eavesdropping on cell phone calls and the like. They have also been very much involved in the development of computerized cryptography (witness their role in the creation of DES). In this latter case, they have probably attempted to balance their interests in codebreaking with the legitimate interests in algorithmically secure encryption (i.e. make DES algorithmically secure, but shorten the key so we can break it if we really have to).
The rise of independent professional cryptography organizations, like RSA, Inc. has created a very serious problem for the NSA in this regard. In general, most of these new systems use variable length keys and are highly peer reviewed for attack potential. So the NSA cannot count on being able to brute force decrypt a document within a reasonable timeframe in the event of a clear and present need to decrypt the information.
Therefore, I believe that most of these are there to allow the NSA to bypass the encryption algorithms in Windows and allow them to access the information without having to attack the encryption. This would make reasonable sense given the NSA history.
Now, I see *no* reason to suppose that the NSA has anything to do with the WMF exploit. Instead, I suggest that this is likely to be a backdoor either put in place by a developer, at the request of a partner (such as the RIAA), etc. This backdoor has *nothing* to do with anything the NSA typically gets involved in, so I think even the most paranoid analysis can rule them out. Instead, this is just a strange attempt to allow the Media Player to be subverted and used in whatever way an attacker decides.
Now, Microsoft's response to this has been inadequate (they only grudgingly developed a patch), which suggests that this backdoor had the blessing of the company, much like the response to the Sony DRM rootkit which was undetected by agreement with First4Internet. Lest I appear to be too hard on Microsoft, I found Symantec's response ("Oh, we will start removing it" when First4Internet claims they were working with Symantec to ensure that it would not be removed) to be far less trustworthy.
Anyway, there is enough doubt in my mind about Microsoft's goodwill on these areas that I would not suggest running Windows in any environment that absolutely requires security. The system has fundamental design flaws from a security point of view, and these problems continue to underscore either serious development issues at Microsoft or an attitude that the security of the customer is not really that important.
LedgerSMB: Open source Accounting/ERP
The Wine bug was a different bug. The SetAbortProc record specifies a pointer to a function which will be executed at a later point, and which it would be difficult to set to arbitrary code in the WMF itself, whereas this bug appears to be creating a thread which immediately starts executing the instruction at the next byte in the meta file.
It might have been convincing if it were true. The vulnerability checker from Ilfak Guilfanov's site uses length==17 to trigger the exploit (Look in the wmfhdr.wmf file in the source zip. The length is a little-endian DWORD at offset 0x12.)
The Metasploit module uses a length of 4. Check out the following snippet:
#
# StandardMetaRecord - Escape()
#
pack('Vvv',
# DWORD Size;
4,
# WORD Function;
int(rand(256) << 8) + 0x26,
# WORD Parameters[];
9,
). $shellcode .
I think Steve Gibson is confused.
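Added example (not part of any comment in this thread, and not code from Microsoft, Metasploit or any tool named above): a defensive scanner for the record layout the comments discuss, with the first record at offset 0x12 carrying a DWORD size and a WORD function. It flags an Escape record that requests SetAbortProc whatever its size field claims, and reports size fields that fail validation. Assumptions: sizes are counted in 16-bit words as in the published WMF format (so a bare 6-byte record header is size 3), the names scan_wmf and build_sample are hypothetical, and the sample bytes are constructed and inert.

```python
import struct

META_ESCAPE_LOW = 0x26        # low byte of META_ESCAPE (0x0626); the snippet above randomises the high byte
SETABORTPROC = 0x0009         # escape sub-function, the "9" in the snippet above
PLACEABLE_MAGIC = struct.pack("<I", 0x9AC6CDD7)  # optional 22-byte placeable header
ABORT = "Escape record requests SETABORTPROC"


def scan_wmf(data):
    """Walk the records of a WMF byte string; return [(offset, finding), ...]."""
    findings = []
    pos = 22 if data[:4] == PLACEABLE_MAGIC else 0
    if len(data) < pos + 18:
        return [(pos, "truncated header")]
    _type, hdr_words = struct.unpack_from("<HH", data, pos)
    if hdr_words != 9:                      # standard header is 9 words = 18 bytes
        findings.append((pos, f"unexpected header size {hdr_words}"))
    pos += 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        # The size must cover the 6-byte record header and stay inside the file.
        size_ok = size_words >= 3 and pos + size_words * 2 <= len(data)
        if not size_ok:
            findings.append((pos, f"bad record size {size_words}"))
        # Inspect the function even when the size is bogus: the thread reports
        # triggering records with sizes 1, 4 and 17.
        if func & 0xFF == META_ESCAPE_LOW and pos + 8 <= len(data):
            (escape_fn,) = struct.unpack_from("<H", data, pos + 6)
            if escape_fn == SETABORTPROC:
                findings.append((pos, ABORT))
        if not size_ok or func == 0:        # cannot walk further, or META_EOF
            break
        pos += size_words * 2
    return findings


def build_sample(record_size_words):
    """Constructed test file: header, one Escape record, 8 inert bytes, EOF."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
    escape = struct.pack("<IHH", record_size_words, 0x0626, SETABORTPROC)
    return header + escape + b"\x00" * 8 + struct.pack("<IH", 3, 0)


if __name__ == "__main__":
    for size in (8, 4, 1):
        print(size, scan_wmf(build_sample(size)))
```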
Furthermore, if Gibson is so sure of himself, why isn't his own test utility available to everyone?
Eh? I just downloaded it, it's linked to from here.
== Jez ==
Do you miss Firefox? Try Pale Moon.
Actually, Bruce Schneier's analysis is somewhat different.
http://www.schneier.com/crypto-gram-9909.html#NSAKeyinMicrosoftCryptoAPI
The fact is, the majority of the people making claims about this don't even understand what it does. The majority of the speculation isn't possible. It doesn't give anyone (Not even Microsoft, much less the NSA) a backdoor into your computer.
If you need web hosting, you could do worse than here