funsec mailing list archives
Re: Is The .WMF Exploit A ConsPiracy Gone Bad?
From: Don Kennedy <zoverlords () yahoo com>
Date: Sat, 14 Jan 2006 10:11:56 -0800 (PST)
Comments? All I can do is express my opinion on this, but it seems we agree: if Microsoft were to have HOLES that could be used by the feds, they sure would not want them to be gracefully coded and/or littered with signs that they have been intentionally placed where they were found for ALL to find. This concept that the best method of "Back Door" implementation would be to use 256-byte keys to invoke the logic would do nothing but help prove INTENT, which would be the EXACT opposite of what one would wish. Much like anything, as new methods are developed, one can afford to DROP older methods (especially if they become public and are used for motives not intended).

On that NOTE: I find it very hard to believe that parties at Microsoft had no idea that this BUG was present. I can believe that it was known, had not caused any problems, and was determined to NOT be dealt with. As one tool in a toolbox, this flaw would have been a good one:

1. Support included in all Windows platforms, in some manner.
2. It requires no scripting method of any kind to be delivered.
3. It was the LAST "graphic only" method to deliver a payload.
4. It had the ability to re-invoke itself simply by opening a folder.
5. Via floppy, CD, DVD, and download.
6. One single delivery graphic supports all delivery methods.

Would this have been the perfect "Holy Grail" to deliver a payload? NO; however, it sure had "STEALTH," and only a lack of creativity would have kept someone from OWNING almost any system they wished, combined with some social engineering of someone's email address or IM name. Point is, I think this method has been in use for some time, and we will never know by whom or how extensive its use was. For many years the term "Magic Lantern" has been used for something that this would actually fit very well.
The "Magic Lantern" is and was an urban myth about how the feds had some secret method to gain access to Windows-based systems in a very simple manner, and no SOLID evidence was ever produced as to what methods "Magic Lantern" used. To date, based on all the myths I have read and heard about, this exploit seems to fit most of the suggested abilities of how "Magic Lantern" could gain access to specific systems. Did "Magic Lantern" really exist? Not sure we will ever know. Could this in fact have been part or all of how "Magic Lantern" was able to gain access to specific Windows-based systems when needed? Not sure we will ever know. If I were a betting man, I would say that, with or without the help of Microsoft, this exploit has been used in the past by the feds to some extent; not saying on a MASSIVE scale, but more on a "from time to time" basis.

What I find more interesting than anything in this adventure so far is this statement from Microsoft:

Quote: "With WMF we want to be very clear: the Windows 9x platform is not vulnerable to any "Critical" attack vector. The reason Windows 9x is not vulnerable to a "Critical" attack vector is because an additional step exists in the Win9x platform: When not printing to a printer, applications will simply never process the SetAbortProc record. Although the vulnerable code does exist in the Win9x platform, all "Critical" attack vectors are blocked by this additional step."

From: http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx

So a question arises: was the Win98 platform PATCHED to defeat the logic that allows this execution of code in future platforms for this exploit? OR... were future platforms PATCHED to allow the logic that allows this execution of code for this exploit? The only thing I am SURE of is we will never know. If this was part of "Magic Lantern" and retired because it finally fell into the public domain, what methods, if any, took its place?
The only thing I am SURE of is we will NEVER know.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
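The MSRC statement quoted in the post turns on one concrete thing: whether the metafile player processes an Escape record whose sub-function is SetAbortProc. That is also the one thing a defender can check for in a WMF file without running it. The following scanner is an added example, not code from the post or from Microsoft: it walks WMF records (MS-WMF layout: optional 22-byte placeable header, 18-byte standard header, then records whose size field is in 16-bit words and includes the 6-byte record header) and reports every META_ESCAPE (0x0626) record carrying escape function 9, SETABORTPROC. The sample files at the bottom are constructed in the script itself (the filler bytes stand in for whatever an attacker would place in the escape data); the `build_record`/`build_wmf` helpers exist only to produce those samples.

```python
import struct

# WMF constants from the MS-WMF record layout: record function numbers and
# the Escape sub-function the quoted MSRC post refers to.
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESC_NEWFRAME = 0x0001
ESC_SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional Aldus placeable header


def iter_wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string.

    Skips the placeable header if present, then the standard header.
    A trailing record that overruns the file is clipped rather than
    rejected, since sloppily built samples are common; a record whose
    declared size is smaller than its own 6-byte header is rejected
    because it would make the walk loop forever.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    _file_type, header_words = struct.unpack_from("<HH", data, off)
    if header_words != 9:
        raise ValueError("unexpected header size %d" % header_words)
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError("record at %d shorter than its header" % off)
        end = min(off + size_words * 2, len(data))
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def find_setabortproc(data):
    """Return [(record_offset, escape_byte_count), ...] for every
    META_ESCAPE record whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == ESC_SETABORTPROC:
                hits.append((off, byte_count))
    return hits


# --- constructed sample files (built here, not real-world samples) --------

def build_record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"  # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=False):
    body = b"".join(records)
    max_record = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max_record, 0)
    out = header + body
    if placeable:
        # key, handle, bbox (l, t, r, b), inch, reserved; checksum is the
        # XOR of the preceding ten 16-bit words
        head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (w,) in struct.iter_unpack("<H", head):
            checksum ^= w
        out = head + struct.pack("<H", checksum) + out
    return out


FILLER = b"\xcc" * 4  # stand-in for the escape data a real sample would carry
ESCAPE_SETABORTPROC = build_record(
    META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, len(FILLER)) + FILLER)
ESCAPE_NEWFRAME = build_record(META_ESCAPE, struct.pack("<HH", ESC_NEWFRAME, 0))
SETMAPMODE = build_record(META_SETMAPMODE, struct.pack("<H", 8))

SAMPLE_SUSPECT = build_wmf([ESCAPE_SETABORTPROC, build_record(META_EOF)])
SAMPLE_PLACEABLE = build_wmf([SETMAPMODE, ESCAPE_SETABORTPROC,
                              build_record(META_EOF)], placeable=True)
SAMPLE_BENIGN = build_wmf([SETMAPMODE, ESCAPE_NEWFRAME, build_record(META_EOF)])

if __name__ == "__main__":
    for name, blob in [("suspect", SAMPLE_SUSPECT),
                       ("placeable", SAMPLE_PLACEABLE),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, find_setabortproc(blob))
```

The benign sample carries an Escape record too (NEWFRAME), so the check has to look at the escape sub-function, not merely at the presence of META_ESCAPE. Per the quoted MSRC post, a SetAbortProc record is only ever acted on while printing, so one showing up in a metafile delivered for display (web page, email, thumbnail in a folder) is worth flagging on its own, regardless of what the escape data contains.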