funsec mailing list archives

WMF Exploits overview draft


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade () shaw ca>
Date: Mon, 02 Jan 2006 18:19:59 -0800

Two things:

First, fairly simple question.  I assume a WMF file has some internal identifier at 
the beginning?  I was idly looking at some of the spam that has been using GIFs to 
avoid filters, and wondering if I could find some WMF exploits among them.

Secondly, I have written up a simplistic overview of the situation for those who 
are a) security professionals but b) not specialists in applications security or 
malware.  The intent is to provide enough information to judge the possibilities, 
dangers, fixes, and alert users under their jurisdiction.  Would appreciate (non-
profane) comments on accuracy or important points I might have missed.  
Herewith:


Windows Metafile (WMF) is one of those wonderful Microsoft/Windows catchall 
file formats that can contain a variety of objects and functions.  One of the things 
it can do is display graphics.  Another of the things it can do is invoke, execute, 
and manage processes and programs.  

(If I can digress into the misty realms of memory, this same sort of multifunction 
confusion led to the minor malware items known as ANSI bombs. The ANSI.SYS 
driver was generally seen as a utility for screen displays with terminal emulation 
programs and some other applications.  However, ANSI.SYS could also be used for 
keyboard remapping, and therefore, with a properly constructed message subject 
line, even looking at your list of waiting email could remap your keyboard such 
that the next time you hit the return key it would send a string such as 
"<cr>!format c: /y<cr>".)  

WMF seems to go back as far as Windows 3.0 at least, involving various drivers 
and DLLs.  The current exploits appear to function on more recent versions of 
Windows, but it seems possible that an exploit could be created to address the 
vulnerability more broadly.  The specific DLL that has been identified as being at 
fault is gdi32.dll, although shimgvw.dll has been mentioned in the Registry fix.  

The specific exploit that is being seen currently does not seem to involve the 
common or garden buffer overflow, or at least not as we normally think of them. 
Instead, it relies on a particular function of the WMF system, ABORTPROC. 
ABORTPROC does seem to have some potential uses when WMF processes are 
being used in memory only, but, in relation to WMF files, it has been described as 
having no reason for existence other than to allow someone to install or manage 
something on your computer without your knowledge.  

At least one exploit of this function has been seen using Web sites.  A file can be 
placed on a Website and appear to be a standard image file, such as a JPEG or GIF.  
When loaded in a browser, the browser will typically identify the file as WMF, and 
pass it to the system for processing.  The file may or may not display an image, 
but can also trigger a call to download another file (typically malware) from a site 
(possibly a different site from the one you are browsing) and invoke that program. 

At least one exploit has been seen using email.  Again, a seeming graphics file is 
involved, and the same process of processing will download and invoke malware.  
In the case of which I know this exploit has been sent as an attachment in a 
spammed message: there is no reason that the file could not also be embedded in a 
complex message document, and be made viral in nature.  So far attempts to 
create a message that might do this have proven to be non-trivial.

For those familiar with the Metasploit project, they have created at least two
demonstration metasploits of the exploit.

Indexing programs, such as Google Desktop, appear to invoke the exploits even
without displaying anything.  This is because such systems will send these types
of files to be "rendered" by the operating system in order to obtain more
information about the file, such as may be contained in internal file metadata.

Current fixes tend to suggest changes to the Registry that will block graphics
rendering by the operating system.  Unfortunately, for many Microsoft Windows
users this will result in prevention of functions such as the display of
thumbnail images in directories that contain graphics files (even of non-WMF
types), and the inability to use the standard Windows Picture and Fax Viewer.  In 
addition, these recommendations are not fully safe, since they concentrate on 
shimgvw.dll which is not the ultimate culprit, but only calls gdi32.dll.

The patch by Ilfak Guilfanov seems to be relatively safe, for WinXP SP 2, in 
testing so far.  It breaks the SETABORT function, but, as noted, so far this seems 
to be a potential flaw at best.  (The use of WMF seems to be declining, and 
therefore it is unlikely that future applications will use it, and that the lack of this 
function will become an issue.)  Unfortunately, the structure of the gdi32.dll file is 
different in W2K, W2K3, and non SP 2 versions of XP, and therefore problems 
have been seen in using the patch, possibly with an earlier version of the patch 
than is currently available.  The author has reportedly tested the current patch on 
W2K and W2K3 without problems. The author has, himself, noted that his patch 
is a) reversible, and b) should be replaced with the official Microsoft patch 
whenever it does become available.  


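A small checker for the file-identification question at the top of the post (added here as an illustration; it is not part of the original message): it looks for the WMF header at the start of a file, including the optional placeable header, and walks the record stream for an Escape record carrying the SETABORTPROC escape number, which is the function the overview discusses. Header and record layouts follow the MS-WMF specification; the sample files at the bottom are constructed, not real attachments.

```python
import struct
# Layouts follow the MS-WMF specification: an optional 22-byte placeable header
# (32-bit key 0x9AC6CDD7, bytes D7 CD C6 9A on disk) then the 18-byte standard header.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22
STANDARD_HEADER_LEN = 18
META_ESCAPE = 0x0626   # record function number of an Escape record
SETABORTPROC = 0x0009  # escape number of the SETABORTPROC escape named in the post

def wmf_header_offset(data):
    """Offset of the standard header if data looks like WMF, else None."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + STANDARD_HEADER_LEN:
        return None
    mt_type, header_size, version = struct.unpack_from("<HHH", data, off)
    # mtType is 1 (memory) or 2 (disk); header is 9 words; version 0x0100 or 0x0300
    if mt_type not in (1, 2) or header_size != 9 or version not in (0x0100, 0x0300):
        return None
    return off

def escape_numbers(data, off):
    """Escape numbers in the record stream; stops at META_EOF or a malformed record."""
    found = set()
    pos = off + STANDARD_HEADER_LEN
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)  # size in 16-bit words
        if size_words < 3 or func == 0:  # too small to be a record, or META_EOF
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            found.add(struct.unpack_from("<H", data, pos + 6)[0])  # EscapeFunction field
        pos += size_words * 2
    return found

def classify(data):
    off = wmf_header_offset(data)
    if off is None:
        return "not-wmf"
    return "wmf-setabortproc" if SETABORTPROC in escape_numbers(data, off) else "wmf"

# Constructed samples (not real attachments): a GIF, a minimal WMF, the same WMF
# with an Escape(SETABORTPROC) record, and that file behind a placeable header.
GIF_SAMPLE = b"GIF89a" + b"\x00" * 20
_HEADER = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
_EOF = struct.pack("<IH", 3, 0)
_ABORT = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)
BENIGN_WMF = _HEADER + _EOF
ABORTPROC_WMF = _HEADER + _ABORT + _EOF
PLACEABLE_ABORTPROC = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + ABORTPROC_WMF
```

Note that the header check answers only the "is this really a WMF" question; a file that parses as WMF without a SETABORTPROC escape is not thereby proven harmless, and a file the browser or indexer sniffs as WMF is handled as WMF regardless of its extension.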