funsec mailing list archives
WMF Exploits overview draft
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade () shaw ca>
Date: Mon, 02 Jan 2006 18:19:59 -0800
Two things: First, fairly simple question. I assume a WMF file has some internal identifier at the beginning? I was idly looking at some of the spam that has been using GIFs to avoid filters, and wondering if I could find some WMF exploits among them.

Secondly, I have written up a simplistic overview of the situation for those who are a) security professionals but b) not specialists in applications security or malware. The intent is to provide enough information to judge the possibilities, dangers, fixes, and alert users under their jurisdiction. Would appreciate (non-profane) comments on accuracy or important points I might have missed. Herewith:

Windows Metafile (WMF) is one of those wonderful Microsoft/Windows catchall file formats that can contain a variety of objects and functions. One of the things it can do is display graphics. Another of the things it can do is invoke, execute, and manage processes and programs.

(If I can digress into the misty realms of memory, this same sort of multifunction confusion led to the minor malware items known as ANSI bombs. The ANSI.SYS driver was generally seen as a utility for screen displays with terminal emulation programs and some other applications. However, ANSI.SYS could also be used for keyboard remapping, and therefore, with a properly constructed message subject line, even looking at your list of waiting email could remap your keyboard such that the next time you hit the return key it would send a string such as "<cr>!format c: /y<cr>".)

WMF seems to go back as far as Windows 3.0 at least, involving various drivers and DLLs. The current exploits appear to function on more recent versions of Windows, but it seems possible that an exploit could be created to address the vulnerability more broadly. The specific DLL that has been identified as being at fault is gdi32.dll, although shimgvw.dll has been mentioned in the Registry fix.
The specific exploit that is being seen currently does not seem to involve the common or garden buffer overflow, or at least not as we normally think of them. Instead, it relies on a particular function of the WMF system, ABORTPROC. ABORTPROC does seem to have some potential uses when WMF processes are being used in memory only, but, in relation to WMF files, it has been described as having no reason for existence other than to allow someone to install or manage something on your computer without your knowledge.

At least one exploit of this function has been seen using Web sites. A file can be placed on a Website and appear to be a standard image file, such as a JPEG or GIF. When loaded in a browser, the browser will typically identify the file as WMF, and pass it to the system for processing. The file may or may not display an image, but can also trigger a call to download another file (typically malware) from a site (possibly a different site from the one you are browsing) and invoke that program.

At least one exploit has been seen using email. Again, a seeming graphics file is involved, and the same process of processing will download and invoke malware. In the case of which I know this exploit has been sent as an attachment in a spammed message: there is no reason that the file could not also be embedded in a complex message document, and be made viral in nature. So far attempts to create a message that might do this have proven to be non-trivial.

For those familiar with the Metasploit project, they have created at least two demonstration metasploits of the exploit.

Indexing programs, such as Google Desktop, appear to invoke the exploits even without displaying anything. This is because such systems will send these types of files to be "rendered" by the operating system in order to obtain more information about the file, such as may be contained in internal file metadata.
Current fixes tend to suggest changes to the Registry that will block graphics rendering by the operating system. Unfortunately, for many Microsoft Windows users this will result in prevention of functions such as the display of thumbnail images in directories that contain graphics files (even of non-WMF types), and the inability to use the standard Windows Picture and Fax Viewer. In addition, these recommendations are not fully safe, since they concentrate on shimgvw.dll which is not the ultimate culprit, but only calls gdi32.dll.

The patch by Ilfak Guilfanov seems to be relatively safe, for WinXP SP 2, in testing so far. It breaks the SETABORT function, but, as noted, so far this seems to be a potential flaw at best. (The use of WMF seems to be declining, and therefore it is unlikely that future applications will use it, and that the lack of this function will become an issue.) Unfortunately, the structure of the gdi32.dll file is different in W2K, W2K3, and non-SP2 versions of XP, and therefore problems have been seen in using the patch, possibly with an earlier version of the patch than is currently available. The author has reportedly tested the current patch on W2K and W2K3 without problems. The author has, himself, noted that his patch is a) reversible, and b) should be replaced with the official Microsoft patch whenever it does become available.
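On the opening question of whether a WMF file carries an identifier at the start, and on the point that a file served as a "GIF" or "JPEG" may really be a WMF: the following is an added example, not part of the original post, that sniffs the leading bytes regardless of extension and, for WMF input, walks the record list and reports which META_ESCAPE sub-functions are present so that SETABORTPROC records can be flagged at a mail gateway or in a file scanner. Record and header layouts follow the published WMF format; the sample files are constructed inline and contain no payload.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # placeable (Aldus) WMF key; on disk as bytes D7 CD C6 9A
META_ESCAPE = 0x0626         # record function number for META_ESCAPE
META_EOF = 0x0000            # record function number that ends the metafile
SETABORTPROC = 0x0009        # escape sub-function the January 2006 exploits relied on


def sniff_image(data):
    """Return the format implied by the leading bytes, ignoring the file extension."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return "wmf-placeable"
    if len(data) >= 18:
        # META_HEADER: Type (1=memory, 2=disk), HeaderSize (9 words), Version
        mtype, hsize, version = struct.unpack_from("<HHH", data, 0)
        if mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def wmf_escape_codes(data):
    """Walk the WMF records and collect the sub-function of every META_ESCAPE record."""
    kind = sniff_image(data)
    off = {"wmf-placeable": 22, "wmf": 0}.get(kind)   # placeable header is 22 bytes
    if off is None:
        return []
    off += 18                                          # skip the 18-byte META_HEADER
    escapes = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # Size is in 16-bit words
        if func == META_EOF or size_words < 3:
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            escapes.append(struct.unpack_from("<H", data, off + 6)[0])
        off += size_words * 2
    return escapes


def is_suspicious(data):
    """True when a WMF contains a SETABORTPROC escape, which a plain image never needs."""
    return SETABORTPROC in wmf_escape_codes(data)


def _build_wmf(records):
    """Constructed sample: memory metafile with the given records followed by META_EOF."""
    body = b"".join(records) + struct.pack("<IH", 3, META_EOF)
    words = (18 + len(body)) // 2
    hdr = struct.pack("<HHHHHHIH", 1, 9, 0x0300, words & 0xFFFF, words >> 16, 0, 5, 0)
    return hdr + body


BENIGN_WMF = _build_wmf([])
SUSPICIOUS_WMF = _build_wmf([struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)])
GIF_SAMPLE = b"GIF89a" + bytes(10)   # constructed: a GIF header, not a WMF in disguise
```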