WMF Vulnerability
Reminder: This online diary is friends-only. Please comment if you wish to be added. Naturally, I will only add you if I know and trust you.
THE EXPLOIT
A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf") containing specially crafted SETABORTPROC "Escape" records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails. This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. opening a folder containing a malicious image file).
The vulnerability can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.
NOTE: Exploit code is publicly available. This is being exploited in the wild. The vulnerability can also be triggered from explorer if the malicious file has been saved to a folder and renamed to other image file extensions like ".jpg", ".gif, ".tif", and ".png" etc.
The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.Links:Article: http://secunia.com/advisories/18255/
http://www.kb.cert.org/vuls/id/181038
http://www.theinquirer.net/?article=28645
THE WORKAROUNDhttp://www.microsoft.com/technet/security/advisory/912840.mspx under "suggested actions":Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Note The following steps require Administrative privileges. It is recommended that the machine be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround. However, the recommendation is to restart the machine.
To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
Also, I recommend turning on DEP (Data Execution Prevention), if your processor has hardware support for it. From what I can gather, software-based DEP does not appear to mitigate the vulnerability; however, hardware-based DEP appears to do so, case-dependant. Note that you must enable it for all programs, not just core Windows processes.
As for preventative measures, do not accept or download image files (including .wmf and common image files; as long as it's an image, it could be passed to the Windows preview thing in Windows Explorer which will recognise an exploit file as a .wmf). Since IE is deeply rooted in Windows, I believe an alternate browser can prevent or mitigate web-page based exploits. Otherwise, disabling iFrames could prevent exploitation from certain attack vectors (as it appears some exploit attempts are on hacked servers, through an iframe).
THE DETECTION
Naturally, Antivirus software will only detect this vulnerability if it is up-to-date..According to Microsoft, the following antivirus applications detect the vulnerability:
Also, I did a quick research a few days ago (Dec 29 2005), and here are the results:
Norton/Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2005.11.08c.html
Status: Detected. Assuming Symantec Vulnerability Assessment is a module in the Symantec Antivirus program or summat.
McAfee:
http://ca.mcafee.com/virusInfo/default.asp?id=description&virus_k=137760
Status: Detected. Excerpt from website:
Quote: McAfee DAT Files
The 4661 DAT files contain detection of threats attempting to exploit this vulnerability.
McAfee Entercept
McAfee Entercept blocks code execution as a result of the buffer overflow.
McAfee VirusScan Enterprise 8.0i
McAfee VirusScan Enterprise 8.0i blocks code execution as a result of the buffer overflow if the malicious file is opened in Internet Explorer, Windows explorer.
AVG:
Status: UNKNOWN. Searching possible names for this exploit brought no results. Checking updates brought no results.
Kaspersky:
http://www.viruslist.com/en/alerts?alertid=176701669
Status: Detected. Excerpt from website:
Kaspersky Lab has raised its alert level to yellow. This is because several Trojan programs which exploit the new Windows Meta File vulnerability have been detected in the wild.
[...]
Antivirus database updates which include detection for these Trojan programs have been released. Users are strongly recommended to update antivirus databases on a regular basis.
Anti-Vir:
http://www.antivir-pe.de/...%5Dvdl_id%5D=833&tx_dcvdlbase_pi1%5B_sword%5D=wmf
Status: Detected. Please visit website for proof/details.
That is all.
Happy New Year's Day, everyone!
~ Laogeodritt
THE EXPLOIT
A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf") containing specially crafted SETABORTPROC "Escape" records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails. This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. opening a folder containing a malicious image file).
The vulnerability can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.
NOTE: Exploit code is publicly available. This is being exploited in the wild. The vulnerability can also be triggered from explorer if the malicious file has been saved to a folder and renamed to other image file extensions like ".jpg", ".gif, ".tif", and ".png" etc.
The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.Links:Article: http://secunia.com/advisories/18255/
http://www.kb.cert.org/vuls/id/181038
http://www.theinquirer.net/?article=28645
THE WORKAROUNDhttp://www.microsoft.com/technet/security/advisory/912840.mspx under "suggested actions":Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Note The following steps require Administrative privileges. It is recommended that the machine be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround. However, the recommendation is to restart the machine.
To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
Also, I recommend turning on DEP (Data Execution Prevention), if your processor has hardware support for it. From what I can gather, software-based DEP does not appear to mitigate the vulnerability; however, hardware-based DEP appears to do so, case-dependant. Note that you must enable it for all programs, not just core Windows processes.
As for preventative measures, do not accept or download image files (including .wmf and common image files; as long as it's an image, it could be passed to the Windows preview thing in Windows Explorer which will recognise an exploit file as a .wmf). Since IE is deeply rooted in Windows, I believe an alternate browser can prevent or mitigate web-page based exploits. Otherwise, disabling iFrames could prevent exploitation from certain attack vectors (as it appears some exploit attempts are on hacked servers, through an iframe).
THE DETECTION
Naturally, Antivirus software will only detect this vulnerability if it is up-to-date..According to Microsoft, the following antivirus applications detect the vulnerability:
- Symantec
- Computer Associates
- McAfee
- F-Secure Corporation
- Panda Software International
- Eset Software
Also, I did a quick research a few days ago (Dec 29 2005), and here are the results:
Norton/Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2005.11.08c.html
Status: Detected. Assuming Symantec Vulnerability Assessment is a module in the Symantec Antivirus program or summat.
McAfee:
http://ca.mcafee.com/virusInfo/default.asp?id=description&virus_k=137760
Status: Detected. Excerpt from website:
Quote: McAfee DAT Files
The 4661 DAT files contain detection of threats attempting to exploit this vulnerability.
McAfee Entercept
McAfee Entercept blocks code execution as a result of the buffer overflow.
McAfee VirusScan Enterprise 8.0i
McAfee VirusScan Enterprise 8.0i blocks code execution as a result of the buffer overflow if the malicious file is opened in Internet Explorer, Windows explorer.
AVG:
Status: UNKNOWN. Searching possible names for this exploit brought no results. Checking updates brought no results.
Kaspersky:
http://www.viruslist.com/en/alerts?alertid=176701669
Status: Detected. Excerpt from website:
Kaspersky Lab has raised its alert level to yellow. This is because several Trojan programs which exploit the new Windows Meta File vulnerability have been detected in the wild.
[...]
Antivirus database updates which include detection for these Trojan programs have been released. Users are strongly recommended to update antivirus databases on a regular basis.
Anti-Vir:
http://www.antivir-pe.de/...%5Dvdl_id%5D=833&tx_dcvdlbase_pi1%5B_sword%5D=wmf
Status: Detected. Please visit website for proof/details.
That is all.
Happy New Year's Day, everyone!
~ Laogeodritt