funsec mailing list archives
RE: WMF Vulnerable Systems
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Tue, 3 Jan 2006 00:20:48 -0500
One last note before I retire for the night: I was able to trigger an exploit on Windows 2000 SP4, all up to date, by doing Insert Picture inside an updated Microsoft Word 2003. I don't find this frightening, but it tends to confirm the general point that the vulnerability is there, but not any meaningful vector for exploiting it, until Windows XP.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Larry Seltzer
Sent: Monday, January 02, 2006 11:53 PM
To: funsec () linuxbox org
Subject: RE: [funsec] WMF Vulnerable Systems

It appears, based on offline communication, that my analysis below is correct with respect to pre-XP exploitation. There is no default association for WMF, therefore it's much harder to exploit. The flaw in GDI32 is there and a vulnerable program like Notes would still be vulnerable, but on a mass scale they are not easily exploitable because there is no standard vector for the flaw.

I'm testing now on Windows 2000 (SP4) and the behavior is identical to Windows 98! No default association for WMF and Paint can't read the files. Am I doing something wrong? Has anyone else gotten other results? Because where I stand this makes the whole issue far less threatening.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Larry Seltzer
Sent: Monday, January 02, 2006 10:41 PM
To: 'Richard M. Smith'; funsec () linuxbox org
Subject: RE: [funsec] WMF Vulnerable Systems

On Win98SE: Nothing. I retested with my own images and with 600pics.com (I'm getting really tired of looking at it). I got lots of popups with 600pics, but it doesn't look like I got exploited at all.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
Sent: Monday, January 02, 2006 10:07 PM
To: funsec () linuxbox org
Subject: RE: [funsec] WMF Vulnerable Systems

What program is associated with the .WMF file extension on these older systems?

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Larry Seltzer
Sent: Monday, January 02, 2006 10:01 PM
To: funsec () linuxbox org
Cc: 'Microsoft PR'
Subject: RE: [funsec] WMF Vulnerable Systems

PS - I also tested the out-of-the-box IE (version 5.0) and it wouldn't load the images from a test page. And there is no shimgvw.dll (or shim*.dll) on the system.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Larry Seltzer
Sent: Monday, January 02, 2006 9:48 PM
To: funsec () linuxbox org
Subject: [funsec] WMF Vulnerable Systems

This is a little surprising. I had been taking at face value reports from Microsoft and others that all Windows versions were vulnerable to this flaw, but I only just now tested a system other than Windows XP.

I just created a fresh Windows 98SE system, no updates. Of course it doesn't have Picture and Fax Viewer, but I opened a known-malicious WMF file with Paint and got this message:

C:\BAD.WMF
Paint cannot read this file.
This is not a valid bitmap file, or its format is not currently supported.

Now this could just mean that Paint in this version of Windows cannot read WMF files, but that the GDI32 flaw is still there. Perhaps, for example, Lotus Notes on this OS would be vulnerable. Still, I'd have to conclude that this platform is significantly less vulnerable than XP. My next step is to run Windows Update (probably a dozen times) to get 98 as up to date as it can be and retest.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
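The thread turns on two observable facts per machine: what, if anything, is the default handler for the .wmf extension, and whether the Picture and Fax Viewer component (shimgvw.dll) is installed at all. The script below is an added example written for this archive page, not code posted by any participant; it reads those two facts from the registry and the file system so the same question Richard asked can be answered mechanically on a Windows host. It assumes a host with PowerShell, the usual HKEY_CLASSES_ROOT layout (extension key whose default value names a ProgID, and the ProgID's shell\open\command key), and shimgvw.dll living under System32 or SysWOW64 when present.

```powershell
# Added example (not from the funsec thread). Reports the default .wmf handler and
# whether shimgvw.dll is present. Assumes the HKCR:\ drive (mapped below), the
# standard extension -> ProgID -> shell\open\command registry layout, and that
# shimgvw.dll, when installed, lives under %SystemRoot%\System32 or SysWOW64.

if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-WmfAssociation {
    # Default value of HKCR\.wmf is the ProgID; no value means no default association.
    $ext = Get-ItemProperty -Path 'HKCR:\.wmf' -ErrorAction SilentlyContinue
    if (-not $ext -or -not $ext.'(default)') {
        return [pscustomobject]@{ ProgId = $null; Command = $null }
    }
    $progId  = $ext.'(default)'
    $cmdKey  = Get-ItemProperty -Path "HKCR:\$progId\shell\open\command" -ErrorAction SilentlyContinue
    $command = if ($cmdKey) { $cmdKey.'(default)' } else { $null }
    [pscustomobject]@{ ProgId = $progId; Command = $command }
}

function Get-ShimgvwStatus {
    # Emits one object per copy of shimgvw.dll found; emits nothing if absent.
    $candidates = @(
        (Join-Path $env:SystemRoot 'System32\shimgvw.dll'),
        (Join-Path $env:SystemRoot 'SysWOW64\shimgvw.dll')
    )
    foreach ($path in $candidates) {
        if (Test-Path $path) {
            $info = (Get-Item $path).VersionInfo
            [pscustomobject]@{ Path = $path; FileVersion = $info.FileVersion }
        }
    }
}

$assoc = Get-WmfAssociation
if ($assoc.ProgId) {
    "Default .wmf handler : $($assoc.ProgId)"
    "Open command         : $($assoc.Command)"
} else {
    "No default association for .wmf (the pre-XP situation reported in the thread)."
}

$shim = @(Get-ShimgvwStatus)
if ($shim.Count -eq 0) {
    "shimgvw.dll not present on this system."
} else {
    $shim | ForEach-Object { "shimgvw.dll present: $($_.Path) (version $($_.FileVersion))" }
}
```

Run it in an ordinary PowerShell session; no elevation is needed to read HKEY_CLASSES_ROOT. An open command that loads shimgvw.dll is the Picture and Fax Viewer path the thread treats as the mass-exploitation vector; an empty association together with a missing DLL matches what Larry reports on Windows 98SE and Windows 2000. As the thread itself notes, neither finding says anything about the GDI32 flaw being present, only about whether a default double-click or browser path reaches it.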
Current thread:
- WMF Exploits overview draft Rob, grandpa of Ryan, Trevor, Devon & Hannah (Jan 02)
- WMF Vulnerable Systems Larry Seltzer (Jan 02)
- RE: WMF Vulnerable Systems Larry Seltzer (Jan 02)
- RE: WMF Vulnerable Systems Richard M. Smith (Jan 02)
- RE: WMF Vulnerable Systems Larry Seltzer (Jan 02)
- RE: WMF Vulnerable Systems Larry Seltzer (Jan 02)
- RE: WMF Vulnerable Systems Larry Seltzer (Jan 02)
- RE: WMF Vulnerable Systems Larry Seltzer (Jan 02)
- WMF Vulnerable Systems Larry Seltzer (Jan 02)