Slashdot Mirror


WMF Vulnerability is an Intentional Backdoor?

An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.


  1. I would not be surprised at all. by AltGrendel · · Score: 4, Interesting
    I could see someone deliberately doing this, maybe a contractor or a disgruntled employee.

    It's happened before and it will happen again. Whether this is the case remains to be seen.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

  2. Government backdoor? by Jerry_Duplicate · · Score: 5, Interesting

    There was talk about the NSA/CIA having a close relationship with Microsoft and being able to exploit backdoors in Windows. This could have all been conspiracy theories, but the fact that this vulnerability existed throughout the Windows line kinda seems odd..

    If this isn't a glaring example on why you should support open source, I don't know what is....

    1. Re:Government backdoor? by Dystopian+Rebel · · Score: 5, Interesting
      but the fact that this vulnerability existed throughout the Windows line kinda seems odd.


      The function in question has existed for a long time. The exploit is in Windows 2000 and more recent. From the transcript:

      But the only conclusion I can draw is that there has been code from at least Windows 2000 on, and in all current versions, and even, you know, future versions, until it was discovered, which was deliberately put in there by some group, we don't know at what level or how large in Microsoft, that gave them the ability that they who knew how to get their Windows systems to silently and secretly run code contained in an image, those people would be able to do that on remotely located Windows machines...
      --
      Rich And Stupid is not so bad as Working For Rich And Stupid.
  3. do you mean by Anonymous Coward · · Score: 4, Interesting


    This Steve Gibson? Yeah, he is a real security expert; along with his podcast boy wonder, we have much to be afraid of.

  4. Possible uses? by Kitsune78 · · Score: 4, Interesting

    The freakish thing about this is that if it is indeed a backdoor, it is an odd way to go about it. You can't force someone to try to view a WMF. What would its purpose be? You can't use it to get into the exact box you want to, just into a random box that perhaps picks up your WMF from a webpage, or displayed in an application.

    1. Re:Possible uses? by RexRhino · · Score: 4, Interesting

      Digital Rights Management... If you can control a box using a WMF file, there is all sorts of digital rights management mischief you can do to prevent a machine from copying a file, or decoding a file, or whatever.

  5. Lawsuit time by Animats · · Score: 5, Interesting
    Someone involved in a WMA-related lawsuit needs to subpoena, from Microsoft, all the source code and all the change control information for this small part of Windows. Then the original programmers need to be found and deposed under oath. This is standard legal procedure for something like this.

    It's possible to get to the bottom of this by legal means.

  6. Magic Lantern? by Tackhead · · Score: 4, Interesting
    Sometimes even a blind squirrel gets a nut.

    The notion of a backdoor in Windows isn't new. Perhaps the WMF vulnerability was one of the vectors used by Magic Lantern, which was the code word for at least one of the FBI's keylogger programs. Magic Lantern was notable in that antivirus providers participated with the Feebs in a gentleman's agreement to not look for it.

    It's certainly a dumb enough solution that the IT-challenged FBI might go for it.

    On relative dumbness and smartness, I'd expect smart spies, namely those who work for two other notable three-letter-agencies, to use somewhat more interesting techniques. If it were me, I'd take advantage of equipment I had in place at critical infrastructure points to conduct MITM attacks between a PC and Windows Update servers, in order to transparently install my spookware on only those machines that specifically identify themselves - by means of GUID or whatever other stuff I could glean from the Windows Genuine Advantage and other DRM-related bitstreams - as belonging to my target population.

    Paranoid? If you're not paranoid, you're not thinking far enough ahead.

  7. What about wine? by Meltr · · Score: 3, Interesting

    I thought the same vulnerability exists in wine?

    http://it.slashdot.org/article.pl?sid=06/01/06/2043203

  8. Re:Length==1 by atfrase · · Score: 5, Interesting

    Agreed, it doesn't seem like the kind of "feature" that was designed in top-secret MS design documents or developed in meetings.

    But I still have a hard time seeing how code would *accidentally* behave like this. An invalid length should abort processing right off the bat, for one thing; "falling through" might be an explanation, but what possible code could be "fallen through" into that would set CPU execution *inside* the metafile -- moreover, would set CPU execution to the *next byte* after the erroneous header block. That's awfully convenient; if it were a mistake, I'd expect code execution to begin at some other random location, probably influenced by whatever happened to be in the register or some temporary pointer variable at the time. But the very next byte? That's too insanely convenient -- you get to provide your key *and* your payload in the *same* place.

    You could argue that buffer overrun exploits do the same thing, but the idea of the buffer overflow is to specifically overwrite the function-return pointer to *make* it point at your code. In this case, the exploit doesn't have to specify the location of the code to execute, Windows does that for you. Too convenient.

  9. Re:Length==1 by Shimmer · · Score: 3, Interesting

    You're right, of course. Everyone who's saying this is "obviously" intentional is jumping the gun in a big way. I've got $5 right here that says it's an accident.

    "Never ascribe to malice that which is adequately explained by incompetence."

    --
    The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
  10. Re:Steve Gibson is a crackpot by Moby+Cock · · Score: 4, Interesting

    Normally I'd agree with you. But in this case I think he may have found something very important. This WMF flap stinks to high heaven. The fact that there seems to be a specific and deliberate key (length == 1) is very disturbing. Gibson is a wacko and doomsayer, but today he may have found something valid.

  11. Why hasn't he stepped into the WMF interpreter? by criznach · · Score: 5, Interesting

    My question is this... If the guy is smart enough to know that Windows has kicked off a thread and executed his code, and he's smart enough to experiment with buffer-overflow exploits, why hasn't he stepped through the WMF interpreter code? Could it be that he doesn't want to admit that he has for legal reasons? I know that if I had discovered this problem, that's just what I would do. Call DebugBreak() and you have a call stack. You'd think that the handler for this SetAbortProc function would be pretty identifiable. So... Who's got the balls (or the time, in my case) to do it? That's our answer. Chris.

  12. Think about it like a programmer by RingDev · · Score: 5, Interesting

    Code encounters escape character

    exit standard processing

    encounter SetAbortProc

    open thread to communicate with windows print manager

    thread attempts to read [length] bytes for sub value, encounters overrun

    This is where I'm guessing the real horrendous problem lies. I'm guessing that the original code ignores exceptions while pulling in the sub value, so in this case where code hits an overrun, instead of that sub value getting a few bytes of data, it just grabs until . In this case that sub value winds up being the payload.

    So there you go, key and payload on an independent thread because of a bad exception handler in a 12 year old block of code.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  13. still in use by Anonymous Coward · · Score: 5, Interesting

    The 98 series and NT4 are still in widespread (millions and millions) use. This is called a "problem" then. The auto industry in the US tried to pull this stunt of obsoleting and stopping support for their products in short time frames (sometimes within the SAME model year!) and got legally smacked down for it. Now they are required to provide replacement parts for ten years. Just because normal business product laws and warranties aren't applied to software - yet, and they certainly should be - doesn't mean it wouldn't be a good idea. Planned obsolescence and forced upgrades might be a spiffy way for some corps to extract a lot more dineros from your wallet, but it doesn't mean it's a good idea for you the consumer/end user... unless you are a pure "caveat emptor" anything-goes styled capitalist. Thankfully, most people see the illogic in that sort of system and that is why we have evolved some consumer protection laws. It is not a perfect solution, but it is light years ahead of legalised snake oil like it was before. Eventually these sorts of laws will be applied to software, because even the dullest clicker is starting to bingo to the fact that most of this forced upgrade stuff is a cash cow dodge.

  14. Reflections on Trusting Trust by Mr+Z · · Score: 5, Interesting

    I'm surprised nobody's trotted out Reflections on Trusting Trust, by Ken Thompson. Not only does this discuss a backdoor, but also a backdoor that can't be found by examining the source code.

  15. But wait, there's more... by IPFreely · · Score: 4, Interesting
    If that is all it was, then the same thread would jump into the user code. But wait...

    I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code.

    So, it accidentally created a new thread, and directed the new thread to start executing code at the specific position? That's a whole different level of accident.

    Oh, and Shimmer, I'll take that 5$.

    --
    There is nothing so silly as other people's traditions, and nothing so sacred as our own.
  16. (OT) Re:Unparalleled BS from MS. by Tired_Blood · · Score: 3, Interesting

    The problem encountered by those reporting on the concentration camps was that in the FIRST world war, everybody got exposed to extreme propaganda depicting all germans as vile creatures. When the exaggerations and lies were brought to light, the public had then learned to seriously doubt such extreme accusations. It could be argued that when the reports from Jan Karski (an eyewitness to the ghetto and concentration camp conditions) were dismissed, it was due to that legacy of doubt in 1943.

    The reporting during WWI damaged the credibility of all reporting during WWII.

    jcr (53032): Allied propagandists didn't have the imagination to come up with anything like the holocaust.

    They most certainly did have the imagination, but they realized that they did not have a willing audience for such accusations. Successful PR cannot be had with seemingly wild claims, especially if the organization has been shown to greatly overexaggerate in the past.

    --
    This is not my sig.
  17. Re:Another? by JourneyExpertApe · · Score: 3, Interesting
    Because, you know, if the NSA did have a secret backdoor, they'd make sure it was called NSAKEY, in case they forgot where it was, or something.

    Stranger things have happened. When a German law enforcement agency forced the developers of JAP (Java Anon Proxy) to put a backdoor in it, they put in code like:
        if (crimeDetected) {
            object->logCrime(...);
        }

    And it was an open-source project. Someone later admitted that they were kind of hoping that somebody would notice it, because they didn't think they could legally expose it themselves. Maybe someone at Microsoft didn't think it was right for the NSA to install a back door, and they had a conscience. Wait, what am I saying? This is Microsoft!
    --
    If you can read this sig, you're too close.
  18. MSRC responds: Intentional Back door? um no. by Stepto · · Score: 3, Interesting

    We've blogged about this already providing the background of the bug:

    http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx

    I emailed Zonk about it but I don't think he's had a chance to update the posting.

    Long story short, the idea that this is intentional rests on the premise that only an incorrect value produces the vuln. That is totally wrong; both correct and incorrect values trip the vulnerability. Besides, doesn't it seem odd to create a backdoor that would require the user to first visit a website? What, were we going to take out a Super Bowl ad suggesting people visit www.microsoft.com so we could...uh...what exactly?

    S.

    --
    http://www.stepto.com
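
Added example, not part of any comment above and not Microsoft's or Gibson's code: a defender-side scanner that walks a metafile's records and reports every Escape record carrying SetAbortProc, noting whether the declared record size is consistent. It flags on presence rather than on size, in line with the MSRC reply that both correct and incorrect values trip the vulnerability. The record layout and constants follow the published WMF format; the function names and sample bytes are constructed for illustration.

```python
import struct

META_ESCAPE = 0x0626        # record function: Escape
SETABORTPROC = 0x0009       # escape function carried inside an Escape record
META_EOF = 0x0000
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
ESCAPE_MIN_WORDS = 5        # size(4) + function(2) + escape fn(2) + byte count(2)

def scan_wmf(data):
    """Return [(offset, declared_words, size_consistent)] per SETABORTPROC record."""
    pos = 22 if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    if len(data) < pos + 18 or struct.unpack_from("<H", data, pos + 2)[0] != 9:
        raise ValueError("not a standard WMF header")
    pos += 18
    findings = []
    while pos + 6 <= len(data):
        words, function = struct.unpack_from("<IH", data, pos)
        if function == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                ok = words >= ESCAPE_MIN_WORDS and pos + words * 2 <= len(data)
                findings.append((pos, words, ok))
        if function == META_EOF or words < 3:
            break  # end of file, or a size too small to advance past safely
        pos += words * 2
    return findings

def build_sample(declared_words, with_escape=True):
    """Constructed test metafile; the escape data is four zero bytes, no code."""
    if with_escape:
        body = struct.pack("<IHHH", declared_words, META_ESCAPE, SETABORTPROC, 4)
        body += b"\0" * 4
    else:
        body = struct.pack("<IHH", 4, 0x0103, 8)  # META_SETMAPMODE, harmless
    body += struct.pack("<IH", 3, META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 7, 0)
    return header + body

if __name__ == "__main__":
    for label, blob in [("honest size", build_sample(7)),
                        ("size set to 1", build_sample(1)),
                        ("no escape", build_sample(7, with_escape=False))]:
        print(label, scan_wmf(blob))
```

A mail or web gateway would treat any non-empty result as grounds to block the file, since SetAbortProc has no legitimate use in a metafile that is only being displayed.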