Slashdot Mirror
WMF Vulnerability is an Intentional Backdoor?
An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.
This does look awfully like a special-case trigger. The idea of a backdoor is to have it look for a specifically crafted but completely nonsensical and invalid input sequence -- this serves as the "key" to the backdoor, ensuring that no other designer or user accidentally stumbles onto it. Since we assume that legitimate users and developers will only provide valid input, we design our "key" to be definitely invalid. For me, that length==1 trigger is the most convincing evidence. It's not just that it's the wrong input, it's that it's the one specific value of wrong input that triggers the behavior. That seems like design.
Maybe this was for law enforcement or some other agency to track "people of interest."
A lawsuit is not the answer to everything.
The Blaster Master Fighting for Truth, Justice, and Evil Pie since 1979
I agree with the author that the length prefix is something of a smoking gun. It begs the question of "how do we know it was fixed..." For example, they could change it to execute the datastream when length is set to a new trigger value; or a stronger backdoor would ignore any unsigned code. Still there, but harder to test for.
It's a straightforward way to add a backdoor that will bypass firewalls, etc. It can be triggered by a browsed page, email, etc. It's better than gif/jpeg encoding because those are more "platform independent." and the payload would be more likely noticed by a 3rd party decoder.
On the other hand, isn't this flagged as an attempt to execute code on a data page?
Also, if it were official, doesn't MS have easier ways into a general box - say through security updates, or even the entire existing code base?
Actually, I think Microsoft will go after Gibson's reputation.
It's nothing like that actually, you are comparing apples to supernovas.
~S
For me, that length==1 trigger is the most convincing evidence.
I don't think it's surprising that a piece of code might behave in an odd way if it's given invalid input, i.e., if a buffer length is wrong.
I think the real giveaway here is that Windows creates a new thread when presented with this magic length. That's like rolling out the red carpet for the attacking Huns. I don't think the average buffer overflow type exploit gets it's own thread or process.
And of course it's still possible that it was all a mistake. The C language can be used to write some extremely tangled code, if one is so inclined. Something like an incorrectly used setjmp/longjmp could have effects like this.
This seems to be only useful if MS itself wanted to use it. Use your imagination as to what they'd do with it. I can think of all kinds of things.
"terrorism" and "pedophilia" are the root passwords to the Constitution
If it were intentional you'd think they would have been able to patch it a little more quickly.
Who writes an evil backdoor, which dates back to Win3.1 days (when you didn't NEED an evil back door, and Windows had no clue what this Internet thing was about), and then DOCUMENTS it?
Lest we forget that Wine also proved vulnerable, and it was a clean-reimplementation of the specs!
Test your net with Netalyzr
It seems to me Microsoft could use it to get into every box using IE that contacts msn.com
That's got to be at least a few.
I imagine they could just turn this into a wmf file and run whatever code they want on millions of PCs.
Of course Windows is the dominant corporate operating system in the U.S., and there are far more intelligence agencies around the world who engage in corporate espionage than just the NSA/CIA (actually, the U.S. is probably behind in corporate espionage compared to say the Chinese or French - we are too worried about terrorist or whatnot). The idea that the NSA/CIA would encourage something that would be used against Americans by foriegn powers as much or more than against the "enemies" of the U.S. makes the story seem more like conspiracy theory / urban legend.
The name means nothing. It's the facts that matter. Whether he is a one-day hacker or some looney, he discovered that for Length==1, (a completely invalid value that makes no sense for WMF's), Windows creates a new thread and starts executing the code.
IMHO your "debunking steve gibson" site is nothing but a smokescreen to divert the attention from Microsoft's vulnerabilities and backdoors.
"A lawsuit is not the answer to everything."
Since profit is all a corporation cares about, suing away those profits is the only way to punish it.
$8.95/mo web hosting
You know,
Even if SG is a flaming idiot, that doesn't mean he isn't or can't be right. Even a stopped clock has the right time twice a day, as the saying goes. Crank or not, he could be on the money in this case and since those who have read the article seem to think he is on to something at least worth looking at... it seems ignorant to just dismiss him outright.
This is what is called having an open mind.
--SD
"Computers will never truly be free until the last windows user is strangled with the entrails of the last mac user."
Yes, because it's impossible for an identical problem to exist in WINE, and therefore open source solves all problems.
Breaking Into the Industry - A development log about starting a game studio.
I could see someone deliberatly doing this, maybe a contractor or a disgruntled employee.
- How about a totally stupid idea that MS thought was good?
I mean MS has a long history of ignoring security for usability, lock in and whatnot. WMF dates back to close to 10 years, back when MS really didn't give a damn about security. Even after a the big Gates propaganda email and Trusted Computing Initiative and all the hoopla, XP SP2 allows blank passwords for administrators, the user created during installation is an administrator, again if password is blank no one gives a shit. Remote registry is on by default. RPC on by default. Administrative shares are on by default. Not to mention a plethora of completely useless services.
MS just doesn't understand security. This WMF example is nothing different. It's some ancient code that never got looked at. Add to that the fact everyone and his mother is root, AND that the OS is a big bowl of spaghetti (hi2u IE deep in kernel), you get another attack vector vs Windows systems.
Did someone maliciously implement this WMF "feature"? I doubt it. It looks like another regular MS security hole that shows that MS has no clue about security.
"terrorism" and "pedophilia" are the root passwords to the Constitution
There was a time in the history of slashdot when this would have been dissected in terms of a technological perspective. Now we just have anyone who is offended with Gibson attacking him. I have to wonder how many script kiddies are the base of the anti-Gibson press, because regardless of his state of mind, he has contributed more to system security than anyone who is flaming him.
Uh, no, how about not buying its products?
If you buy a cell phone and decide the interface is sucky, you don't punish the company by suing them. You punish the company by buying another brand next time.
This space intentionally left blank.
A lawsuit is not the answer to everything.
Too true.
This is a case for criminal prosecution. Gibson has uncovered evidence that at face value demonstrates that there has been a conspiracy to defraud Windows users, and possibly to defraud Microsoft Corporation itself. Microsoft's internal documents would identify the coder(s) involved in this deceit, and possibly other conspirators.
I think it is time for the Washington State Attorney General to give this to a Grand Jury. (IANAL, but I think it is the business of a Grand Jury to determine if a crime has been committed in this kind of circumstance).
Let a Grand Jury hear this evidence and decide whether it appears that some person(s) deliberately set out to violate the privacy of Windows users.
This looks weird but it still needs more research, especially given Gibson's somewhat dodgy reputation.
1 as an input value is one of those classic boundary conditions that developers should always specifically test against (but sometimes don't...along with 0, negative numbers, MAX_whatever, etc)...so I'm not convinced that it was just a coding error. If the "magic key" length was something completely random like 6385492, then I would be more suspicious.
C'mon MS...let's see the code!
Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.
The stories Allied soldiers were told about the nazis paled in comparison to what they saw in the camps. Allied propagandists didn't have the imagination to come up with anything like the holocaust.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
"terrorism" and "pedophilia" are the root passwords to the Constitution
However, there are a few very specific ways in which you would write code to deliberately look for that specific value in a specific portion of an operation. These ways can be checked by inspecting a disassembled version of the code. (But do this outside of the US, or the DMCA droids will Use The Force.)
Since WINE shows the same hole and the coders are not the same, it would be my guess that the problem is specifically in a DLL that is used/usable by both. It should also be possible to massage WINE to fire up a disassembler with the correct entry point into the DLL that has the hole, when passing the exploit payload. It might take a while (I suggest getting a few month's supplies in advance), but it should be possible to determine exactly where the exploit is, whether it looks "natural" or not*, and whether that specific section of code is likely called by other graphics routines.
*A "natural" bug could include a series of conditionals and jumps, where the 1 is simply the untested case that falls into random code. An "unnatural" case would be to test specifically for 1 and to jump in a different way than for other cases. (eg: If other cases jump to subroutine, and 1 does a one-way jump OR on return is the sole case that jumps over all error conditions.) If that one case has an abnormal test and an abnormal jump, it would be next to impossible for it to be accidental.
Actually, it might be useful against Microsoft in their appeal over the EU ruling. The EU ruling demands greater transparency of protocols and code, and demands code be uninstallable by someone. The politicians might not care much about the exploit, even if it were deliberate, but I'd be willing to bet the EU's lawyers would. Even if Microsoft as a corporation were innocent (yeah, right), it demonstrates a valid legal concern that cannot be resolved using totally closed, airtight methods.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I can't believe even on Slashdot that drivel like this was moderated +5 insightfull. That you even consider a software exploit even remotely close to Nazi concentration camps shows us that you have a very poor understanding of the scale of tragedy. You should be ashamed of yourself.
He's not going to have his clearance for very long if he goes around bullshitting his buddies about the NSA's sources and methods. If you've got a real citation for this, serve it up. Otherwise, you're just one more uncleared idiot pretending you know what's going on at Ft. Meade.
It's a ten year old or so vulnerability. It predates DRM, so I doubt it was built for that originally. Sure, it may have DRM uses, but it couldn't have been made for DRM.
That we know of that is. This has been lurking about in every version of windows since 95, right? And it's taken until now to be brought to light. How many other similar seemingly innocent bits of code in those millions of lines of legacy windows code do similar things? The question is not what can this exploit do on its own, but what can it do in concert with others that may exist? OK, so maybe I'm giving MS or the rogue programmer, or whoever did this (length==1 check and seperate thread would imply it's not a mistake) too much credit, but if whoever did this was very clever they might have implemented a waterfall backdoor of sorts. In other words there's two or three exploits that when used in concert spell pwnage for almost any windows box. I'm willing to bet there's more here that hasn't been found yet. I'm also betting, along with others, that MS will not accpet responsiblity, nor even point the finger at a programmer or contractor/company to take the fall because that would also make them look completely unsecure. How many programmers have contributed to windows code over the years? And MS would be admitting they don't have knowledge of any backdoors those programmers may have introduced? No, more likely as Benanov (583592) suggested, MS will simply try to smear Gibson as someone with a vendetta and/or crackpot/idiot and try to downplay the whole thing as it has been.
This is exactly why closed source is dangerous. Even security through obscurity is useless when the code holders don't know what's in their code. Open source may have similar problems, but at least there's plenty of people looking, and plenty who will be motivated to correct an issue when it's found instead of trying to pretend like it never happened. Which includes the issue of whodunnit and how to stop that from happening again.
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
Actually, Gibson is saying he doesn't know if previous versions are exploitable or not. In fact he's counting on not, since that's the only way to determine when the "backdoor" was inserted. Gibson is a bomb thrower. There's no evidence other than his opinion that this is a deliberate backdoor.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
If this is an intentional backdoor, it is the crappiest one, EVER!
You'd want something in the base system of ALL Windows version, which couldn't be disabled AT ALL, doesn't require a user to be logged-in as an admin, or stupid enough to open anything sent to them.
If I was making a backdoor, I'd put it in something basic... Have the IP stack open a port when recieving a specially-crafted packet. Have the filesystem driver silently execute a file if it find a special signature in it (eg. code embedded in a cookie/web-page), etc.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
It's not really a rootkit as there's no immediate root access, you just get to execute code as the user who views the file. Though with windows there's not that much difference.
I am trolling
Not only that, but my understanding is that the relevant WMF functions date back to the Win3.0 era (maybe Win2.0, not sure -- the earliest date I've seen was 1991) and in any event, long before M$ had much of a clue about the internet. And long before OS "back doors" became a common worry, too. M$ simply doesn't plan that well when it comes to how stuff is used/affected by an OS, and in fact tends to come late to the bandwagon.
Furthermore, if Gibson is so sure of himself, why isn't his own test utility available to everyone? (Apparently it was only available to Laporte's listeners... not likely to be the most unbiased audience.)
Net result: I knew Gibson's tinfoil hat was a trifle snug, but now I'm sure it needs a complete refitting.
~REZ~ #43301. Who'd fake being me anyway?
Most Windows computers at one point have connected to Windows Update, also IE defaults to MSN, isn't there a getting started page as well when you first open IE after install?
It's just simple observation to say that the only site that would be consistent on every Windows system is a Microsoft site, somewhat how on my mac I am connected to apple after a clean install when I open Safari. One could say the only site that would be consistent on every mac would be apple.com.
-PS I don't think it was an intentional backdoor.
Get a clue, troll-
If you're going to accuse someone of trolling, you want to be pretty sure about your facts.
if you have a blank admin password, XP prevents ANY remote network access using that account.
Hmmmn, thats an interesting band-aid.
You are actually more secure with a blank password.
Really? More secure with a blank password? I doubt it.
Would make privilige escalation pretty damn easy after you'd hacked a user account.
And it makes all that least priviliged user stuff that MS goes on about a little irrelevant too.
My pics.
But that's true of anything. Just because it was designed for X doesn't mean someone can't modify it to do Y. So why the WMF function in particular? What ADVANTAGE does it have as a back door, that other more-convenient exploits can't offer?
;)
And considering how old is the code in question, why hasn't any exploit for it ever been seen in the wild? Surely Gibson is not the only person poking into obscure corners of Windows.
I'm reminded of how malicious code can be embedded in the comment field of GIFs, and executed by an accomplice program... that exploit was never seen in the wild either, but has been known about for as long as GIFs have existed. Was it part of a grand conspiracy to force us all to subscribe to Compu$erve??
~REZ~ #43301. Who'd fake being me anyway?
You need plausable denyablity.
I.e. the back door has to look like enough like a bug that finding it won't cause people to immediately realize that you're installing back doors intentionally.
Something like a buffer overflow in the TCP stack that only happens with packets of an exact size (off by one in some checking routine.)
I'm not quite sure why they'd want to use it. End-users already trust Microsoft implicitly because they made the operating system, so if they wanted to, for instance, install some software on all Windows machines that reports home if it detects a pirated copy, they could just do it through a service pack update. Most people would willingly install it (or click the little automatic button in Windows Update), and there'd be none of this Tom Clancy technothriller intrigue.
I can't personally think of any kind of official reason why Microsoft would want to shove code onto Windows machines just from visiting their website. They've got tons of other ways of doing this.
Instead of tearing me a new one with accusations, why don't you educate me with your knowledge of crypto by putting forth some examples?
"I'm just here to regulate funkiness."
The only sites that all windows machines access on a regular basis are Microsoft's.
I assume that you're thinking of Windows Update, but at a guess I'd imagine that most (recent) Windows machines get most of their updates via automatic updates, or not at all. I'd be very surprised if "all Windows machines" visit any given site on a regular basis.
(In fact it's trivially easy to disprove your assertion - I have access to 3 XP machines, and none of them visit any of MS's sites on anything approaching a regular basis, but that's beside the point)
This seems to be only useful if MS itself wanted to use it. Use your imagination as to what they'd do with it. I can think of all kinds of things.
I can't think of a single thing that would be worth it. An attack like that would be discovered and traced back to them, and they'd be crucified for it. Unless they could achieve their aim before that happened, there'd be no point, and short of taking over the world, I can't think of anything that would be worth it. Even if they could think of a way to make money using it, the courts would sieze it all anyway.
It's official. Most of you are morons.
You obviously did not RTFA or you would know that he isn't sure of himself- he has only worked/looked at this a total of one day and happened to bring it up on the podcast, He has a;lso stated NUMEROUS times that it SEEMS to be a bacvkdoor, but until he has a chance to work at this longer to find out- it appears to him to have no toher function he can see AT THIS TIME. (no, I am not going to link to these statements- RTFA!). Second, you must not have put any effort into finding his tool- it took me about 30 seconds to find the link to it- since you are so web challenged, here is the tool:(http://www.grc.com/sn/notes-022.htm) How any of you calling Steve "bombthrower" (and similar) got modded anything other than flamebait or troll is beyond me- obvious from your comments you did not RTFA and the /. modders are not paying attention I guess.
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
2) NT, and especially Win32 is written almost entirely in C++. Ever try to do self modifying code in C++?
.NET runtime can all link to the same libraries, they all support C exports. There are no separate versions of libraries like user32.dll and gdi32.dll for VB, C, C++, etc . .
.NET world. Any application, no matter where it was written, or in what language, if it runs on Windows it will at sometime end up in CreateWindowEx() (actually CreateWindowExA or CreateWindowExW) in user32.dll.
= /library/en-us/winprog/winprog/functions_in_alphab etical_order.asp
I get the feeling you don't spend your days mired in Win32 application coding. The Win32 libraries are all written in C, not C++. This is why different languages such as C, C++, VB, and even the new
And oh yes, don't think that MS is re-implementing CreateWindowEx() (in user32.dll) in the
Take a look at the actual Win32 API
http://msdn.microsoft.com/library/default.asp?url
See any classes in there?
ENOUGH. Gibson was right about raw sockets.
After the relentless pounding and smearing of Gibson, Microsoft quietly disabled the raw sockets code, whatever the hell it was.
Gibson was right. They fixed the problem. He was right, The Reg was wrong.
Jesus, it's like arguing with 20,000 Bill O'Reilly's. Truthiness! Gibson is a maaaaadddmaaaannn!
And since people rarely followup to what they think is truthy, they missed the fact that the only reason the Raw Sockets disaster didn't happen is because MICROSOFT QUIETLY FIXED THE PROBLEM, JUST. LIKE. GIBSON. SAID. THEY. SHOULD.
And as for being a top security professional, something he never claimed to be - he's a developer - what makes you all think that the very best security people at the NSA and Microsoft don't already know all about the exploit, because it's one of the many that they placed there in the first place?
Listen, everyperson, Microsoft has cooperated with Justice, the FBI, the NSA and all the other alphabet boys since the beginning. Windows and Office are monitored at will, you can bet your last god damned dollar. Can you imagine MS refusing to cooperate, especially during a ten year monopoly trial??
(originally posted as AC because I'd moderated; however, even posting as an AC, the code retroactively undid my moderation. Didn't know that would happen. A little warning, Slashcode?)
(Defending Microsoft - only on Slashdot. Ok, so some monkees tapping on a keyboard while the programmer wasn't looking snuck this code in ;)
First of all, Gibson is no bomb thrower, he's uncovered some pretty serious security issues with Microsoft. I'd suggest reading his web site - he's a very thorough person, and doesn't make any wild unsubstantiated, naive, biased claims, like, say, Slashdotters. He's a long time Windows user, not a Mac fan, nor an open-sourcer (at least until recently, for reasons like this)Now, to quote the transcript, curious where you would even be able to make the claim that that this *isn't* a backdoor:
Yeah, he's saying this is a deliberate backdoor. Listen to the article or read the transcript, then think about it a little. Now, he's not saying *what* Microsoft put this in for. Did someone put this in for testing -that's my take, from a programmer perspedctive but .. who the heck knows. That's sorta the problem with proprietary software, we might never know. Buyer beware.