Slashdot Mirror

← Back to Stories (view on slashdot.org)

WMF Vulnerability is an Intentional Backdoor?

Posted by Zonk on from the take-with-a-grain-of-salt dept.

An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.

21 of 788 comments (clear)

  1. NSA by Anonymous Coward · · Score: 5, Funny

    Well, how else is the NSA going to fight terrorism?

  2. Government backdoor? by Jerry_Duplicate · · Score: 5, Interesting

    There was talk about the NSA/CIA having a close relationship with Microsoft and being able to exploit backdoors in Windows. This could have all been conspiracy theories, but the fact that this vulnerability existed throughout the Windows line kinda seems odd..

    If this isn't a glaring example on why you should support open source, I don't know what is....

    1. Re:Government backdoor? by Dystopian+Rebel · · Score: 5, Interesting
      but the fact that this vulnerability existed throughout the Windows line kinda seems odd.


      The function in question has existed for a long time. The exploit is in Windows 2000 and more recent. From the transcript:

      But the only conclusion I can draw is that there has been code from at least Windows 2000 on, and in all current versions, and even, you know, future versions, until it was discovered, which was deliberately put in there by some group, we don't know at what level or how large in Microsoft, that gave them the ability that they who knew how to get their Windows systems to silently and secretly run code contained in an image, those people would be able to do that on remotely located Windows machines...
      --
      Rich And Stupid is not so bad as Working For Rich And Stupid.
  3. Length==1 by atfrase · · Score: 5, Insightful

    This does look awfully like a special-case trigger. The idea of a backdoor is to have it look for a specifically crafted but completely nonsensical and invalid input sequence -- this serves as the "key" to the backdoor, ensuring that no other designer or user accidentally stumbles onto it. Since we assume that legitimate users and developers will only provide valid input, we design our "key" to be definitely invalid. For me, that length==1 trigger is the most convincing evidence. It's not just that it's the wrong input, it's that it's the one specific value of wrong input that triggers the behavior. That seems like design.

    1. Re:Length==1 by atfrase · · Score: 5, Interesting

      Agreed, it doesn't seem like the kind of "feature" that was designed in top-secret MS design documents or developed in meetings.

      But I still have a hard time seeing how code would *accidentally* behave like this. An invalid length should abort processing right off the bad, for one thing; "falling through" might be an explanation, but what possible code could be "fallen through" into that would set CPU execution *inside* the metafile -- moreover, would set CPU execution to the *next byte* after the erroneous header block. That's awfully convenient; if it were a mistake, I'd expect code execution to begin at some other random location, probably influenced by whatever happened to be in the register or some temporary pointer variable at the time. But the very next byte? That's too insanely convenient -- you get to provide your key *and* your payload in the *same* place.

      You could argue that buffer overrun exploits do the same thing, but the idea of the buffer overflow is to specifically overwrite the function-return pointer to *make* it point at your code. In this case, the exploit doesn't have to specify the location of the code to execute, Windows does that for you. Too convenient.

    2. Re:Length==1 by atfrase · · Score: 5, Informative

      Basically, in the header block for a unit of WMF script contains a "length" field which specifies how long the current unit is. This is standard for this sort of file, and is the primary way to avoid buffer overruns (if you force the data to tell you how big it's supposed to be, and then double check that while reading, you make sure you have enough buffer space to store it all -- otherwise you might read too much, overrun the end of the buffer and trash an important function pointer or something..)

      In this case, the smallest possible "length" value is 6, because the header itself takes 6 bytes, so even if the unit had no actual data, the length field itself and the unit's command code is a minimum of 6 bytes.

      To trigger the exploit, the length must be set to 1. Not 2, 3, 0, or some other equally invalid value, but only the value "1". Any other value has no effect at all.

    3. Re:Length==1 by StarDrifter · · Score: 5, Informative
      For me, that length==1 trigger is the most convincing evidence.

      It might have been convincing if it were true. The vulnerability checker from Ilfak Guilfanov's site uses length==17 to trigger the exploit (Look in the wmfhdr.wmf file in the source zip. The length is a little-endian DWORD at offset 0x12.)

      The Metasploit module uses a length of 4. Check out the following snippet:

          #
          # StandardMetaRecord - Escape()
          #
          pack('Vvv',

              # DWORD Size; /* Total size of the record in WORDs */
              4,

              # WORD Function; /* Function number (defined in WINDOWS.H) */
              int(rand(256) << 8) + 0x26,

              # WORD Parameters[]; /* Parameter values passed to function */
              9,
          ). $shellcode .

      I think Steve Gibson is confused.
  4. Lawsuit time by Animats · · Score: 5, Interesting
    Someone involved in a WMA-related lawsuit needs to subpoena, from Microsoft, all the source code and all the change control information for this small part of Windows. Then the original programmers need to be found and deposed under oath. This is standard legal procedure for something like this.

    It's possible to get to the bottom of this by legal means.

  5. Thread Creation by Lagged2Death · · Score: 5, Insightful

    For me, that length==1 trigger is the most convincing evidence.

    I don't think it's surprising that a piece of code might behave in an odd way if it's given invalid input, i.e., if a buffer length is wrong.

    I think the real giveaway here is that Windows creates a new thread when presented with this magic length. That's like rolling out the red carpet for the attacking Huns. I don't think the average buffer overflow type exploit gets it's own thread or process.

    And of course it's still possible that it was all a mistake. The C language can be used to write some extremely tangled code, if one is so inclined. Something like an incorrectly used setjmp/longjmp could have effects like this.

    1. Re:Thread Creation by atfrase · · Score: 5, Insightful

      I don't think it's surprising that a piece of code might behave in an odd way if it's given invalid input, i.e., if a buffer length is wrong.

      Again, agreed. But again, the catch is in the particular kind of odd behavior. If I were writing that code and it hit an invalid length, I'd probably abort processing of the whole file, presuming data corruption. Failing that I'd just skip over the flawed block and proceed with processing the next one. In that case, I could imagine not checking the length very carefully and just going to " + " to process the next block -- this would produce the observed "next byte" pointer.

      The problem is in the semantics: I said *process* the next block, not *execute* it. If anything this would just cascade into more error cases, since the data that was expected to be the "next block" would almost definitely also have a malformed header (since it wasn't intended to be a header at all), etc.

      So, I guess you're right - the tipoff is still that actual code is executed without having to be specifically pointed to (i.e. buffer overrun), and that it's executed in its own thread, rather than taking over the processing thread that was interpreting the metafile in the first place.

  6. Why hasn't he stepped into the WMF interpreter? by criznach · · Score: 5, Interesting

    My question is this... If the guy is smart enough to know that windows has kicked off a thread and executed his code, and he's smart enough to experiment with buffer-overflow exploits, why hasn't he stepped through the WMF interpreter code? Could it be that he doesn't want to admit that he has for legal reasons? I know that if I had discovered this problem, that's just what I would do. Call DebugBreak() and you have a call stack. You'd think that the handler for this SetAbortProc function would be pretty identifiable. So... Who's got the balls (or the time, in my case) to do it? That's our answer. Chris.

  7. Re:I would not be suprised at all. by dc29A · · Score: 5, Insightful

    I could see someone deliberatly doing this, maybe a contractor or a disgruntled employee.
    - How about a totally stupid idea that MS thought was good?

    I mean MS has a long history of ignoring security for usability, lock in and whatnot. WMF dates back to close to 10 years, back when MS really didn't give a damn about security. Even after a the big Gates propaganda email and Trusted Computing Initiative and all the hoopla, XP SP2 allows blank passwords for administrators, the user created during installation is an administrator, again if password is blank no one gives a shit. Remote registry is on by default. RPC on by default. Administrative shares are on by default. Not to mention a plethora of completely useless services.

    MS just doesn't understand security. This WMF example is nothing different. It's some ancient code that never got looked at. Add to that the fact everyone and his mother is root, AND that the OS is a big bowl of spaghetti (hi2u IE deep in kernel), you get another attack vector vs Windows systems.

    Did someone maliciously implement this WMF "feature"? I doubt it. It looks like another regular MS security hole that shows that MS has no clue about security.

  8. Think about it like a programmer by RingDev · · Score: 5, Interesting

    Code encounters escape character

    exit standard processing

    encounter SetAbortProc

    open thread to communicate with windows print manager

    thread attempts to read [length] bytes for sub value, encounters overrun

    this is where I'm guessing the real horrendous problem lies. I'm guessing that the original code ignores exceptions while pulling in the sub value, so in this case where code hits an overrun, instead of that sub value getting a few bytes of data, it just graps until . In this case that sub value winds up being the payload.

    So there you go, key and payload on an independent thread because of a bad exception handler in a 12 year old block of code.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  9. Re:Please not Gibson again... by NtroP · · Score: 5, Insightful
    Steve Gibson is not a security expert
    I'm not a security expert either. But if I came up with this evidence, how would that change the reality of the situation. The evidence stands on its own merit. His reputation has nothing to do with it. This is easily verifiable by anyone with at least his level of knowledge. It will be interesting to see what happens when other "real" experts start looking at this.
    --
    "terrorism" and "pedophilia" are the root passwords to the Constitution
  10. still in use by Anonymous Coward · · Score: 5, Interesting

    The 98 series and NT4 are still in widespread (millions and millions) use. This is called a "problem" then. The auto industry in the US tried to pull this stunt of obsoleting and stopping support for their products in short time frames (sometimes within the SAME model year!) and got legally smacked down for it. Now they are required to provide replacement parts for ten years. Just because normal business productlaws and warranties aren't applied to software-yet, and they certainly should be-doesn't mean it wouldn't be a good idea. Planned obsolesence and forced upgrades might be a spiffy way for some corps to extract a lot more dineros from your wallet, but it doesn't mean it's a good idea for you the consumer/end user...unless you are a pure "caveat emptor" anything-goes styled capitalist. Thankfully, most people see the illogic in that sort of system and that is why we have evolved some consumer protection laws. It is not a perfect solution, but it is light years ahead of legalised snakeoil like it was before. Eventually these sorts of laws will be applied to software,because even the dullest clicker is starting to bingo to the fact that most of this forced upgrade stuff is a cash cow dodge.

  11. Re:Another? by lgw · · Score: 5, Funny

    You mean the urban legend about an NSA backdoor? There was *never* any evidence of a backdoor, only a registry key named "NSAKEY" and a bunch of paranoid fantasy. Because, you know, if the NSA did have a secret backdoor, they'd make sure is was called NSAKEY, in case they forgot where it was, or something.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  12. Reflections on Trusting Trust by Mr+Z · · Score: 5, Interesting

    I'm surprised nobody's trotted out Reflections on Trusting Trust, by Ken Thompson. Not only does this discuss a backdoor, but also a backdoor that can't be found by examining the source code.

    --
    Program Intellivision!
  13. Sun and HP for two by Secrity · · Score: 5, Informative

    "Windows 95 is 11 years old. Windows 98 is 8 years old. Windows ME is 6 years old. And Windows NT4 is 9 years old. How many other operating systems offer patches and support product versions for software that is that old?"

    I know of at least two. Both Sun and HP still provide support or patches for versions of UNIX System V that are older than Windows 98.

  14. Re:I would not be suprised at all. by QuietLagoon · · Score: 5, Funny
    The only sites that all windows machines access on a regular basis are Microsoft's.

    I presume you are willing to show the details of your extensive research that determined this factoid....

  15. Re:Steve Gibson is a crackpot by RShearman · · Score: 5, Informative

    The Wine bug was a different bug. The SetAbortProc record specifies a pointer to a function which will be executed at a later point, and which it would be difficult to set to arbitrary code in the WMF itself, whereas this bug appears to be creating a thread which immediately runs starts executing the instruction at the next byte in the meta file.

  16. Re:Ah, nice Ad-Hominem attack in there... by TheNumberless · · Score: 5, Insightful

    In my not so humble opinion, you don't know what you are talking about. Go read some of the links in that site, and you'll see that Steve Gibson is one of the many "security experts" that have no clue but gives dangerous and very wrong "solutions".

    In my ever-so-humble opinion you completely missed the point of the parent. The reputation, sanity, motives, and anything else dealing with the person making the claim has nothing to do with the validity of the claim itself.

    In this particular instance, there is at least some apparent merit to the idea that this was an intentional backdoor, and that merit would be there regardless of who points it out.

    If you want to discredit the idea that this is an intentional backdoor (of which I am far from convinced), then you should attack the argument directly, not the man making it.