WMF Vulnerability is an Intentional Backdoor?

An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.

Re:Length==1

[atfrase]

Basically, in the header block for a unit of WMF script contains a "length" field which specifies how long the current unit is. This is standard for this sort of file, and is the primary way to avoid buffer overruns (if you force the data to tell you how big it's supposed to be, and then double check that while reading, you make sure you have enough buffer space to store it all -- otherwise you might read too much, overrun the end of the buffer and trash an important function pointer or something..)

In this case, the smallest possible "length" value is 6, because the header itself takes 6 bytes, so even if the unit had no actual data, the length field itself and the unit's command code is a minimum of 6 bytes.

To trigger the exploit, the length must be set to 1. Not 2, 3, 0, or some other equally invalid value, but only the value "1". Any other value has no effect at all.

Sun and HP for two

[Secrity]

"Windows 95 is 11 years old. Windows 98 is 8 years old. Windows ME is 6 years old. And Windows NT4 is 9 years old. How many other operating systems offer patches and support product versions for software that is that old?"

I know of at least two. Both Sun and HP still provide support or patches for versions of UNIX System V that are older than Windows 98.

Re:Steve Gibson is a crackpot

[RShearman]

The Wine bug was a different bug. The SetAbortProc record specifies a pointer to a function which will be executed at a later point, and which it would be difficult to set to arbitrary code in the WMF itself, whereas this bug appears to be creating a thread which immediately runs starts executing the instruction at the next byte in the meta file.

Re:Length==1

[StarDrifter]

For me, that length==1 trigger is the most convincing evidence.

It might have been convincing if it were true. The vulnerability checker from Ilfak Guilfanov's site uses length==17 to trigger the exploit (Look in the wmfhdr.wmf file in the source zip. The length is a little-endian DWORD at offset 0x12.)

The Metasploit module uses a length of 4. Check out the following snippet:

    #
    # StandardMetaRecord - Escape()
    #
    pack('Vvv',

        # DWORD Size; /* Total size of the record in WORDs */
        4,

        # WORD Function; /* Function number (defined in WINDOWS.H) */
        int(rand(256) << 8) + 0x26,

        # WORD Parameters[]; /* Parameter values passed to function */
        9,
    ). $shellcode .

I think Steve Gibson is confused.