Author Topic: Microsoft Windows WMF Handling - Arbitrary Code Execution  (Read 11135 times)


Offline Eric the Red

Microsoft Windows WMF Handling - Arbitrary Code Execution
« on: December 28, 2005, 12:45:35 PM »
There are reports of active exploitation of a new vulnerability related to image rendering in Windows XP.  The Windows Picture and Fax Viewer is used to view Windows Meta Files (WMF) and is reported as being vulnerable.  Note that this is the default viewer used by Internet Explorer and some versions of Firefox for WMF files.

Current reports state that the attack vector being used is embedded malicious images on web pages hosted at unionseek[DOT]com.  This vulnerability could equally be exploited through the delivery of a malicious email.

There is additional information available at the following URLs:
http://isc.sans.org/diary.php?storyid=972
http://www.securityfocus.com/bid/16074/info
http://vil.mcafeesecurity.com/vil/content/v_137760.htm
http://www.f-secure.com/weblog/#00000752

Exploit code is publicly available. This is being exploited in the wild.

The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.


There is no patch currently available to repair this vulnerability.
In the interim consider the following mitigation:

 - block access to the unionseek[DOT]com domain
 - block WMF files in your HTTP and SMTP content checkers
 - ensure anti-virus software is fully updated
"The time to start running is around about the "e" in "Hey, you!" "
Proud member Since 2004 

The information I provide is provided "AS IS" without warranty, and confers no rights.

Offline Eric the Red

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #1 on: December 28, 2005, 11:22:16 PM »
This vulnerability is being tracked by the Internet Storm Center, see isc.sans.org/diary.php?storyid=975 for the latest news

Users of Google Desktop are also vulnerable to this exploit, see http://www.f-secure.com/weblog/archives/archive-122005.html#00000753

Offline Corrine

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #2 on: December 29, 2005, 12:47:40 AM »
Workaround posted by Sunbelt:

Quote
Wednesday, December 28, 2005
Workarounds for the WMF exploit

For this WMF exploit: Until Microsoft patches this thing or your AV provider has updated their defs, here are some workarounds:

1. Unregister SHIMGVW.DLL.

From the command prompt, type REGSVR32 /U SHIMGVW.DLL.  A reboot is recommended.  (It works post reboot as well.  It is a permanent workaround).

You can also do this by going to Start, Run and then pasting in the above command.

This effectively disables your ability to view images using the Windows picture and fax viewer via IE.

However, it is not the most elegant fix.  You’re probably going to have all kinds of problems viewing images.

But, no biggie: Once the exploit is patched, you can simply do REGSVR32 SHIMGVW.DLL to bring back the functionality.

And, it is a preventative measure. If you are already infected, it will not help.

Works for IE, should work fine for Firefox users as well.

2. Change file associations for WMF files.

An equally ugly fix (but perhaps preferable) is to do the following:

1. Go to My documents, Tools, Folder Options, File Types.
2. Change WMF Image to notepad and select Always Open with this.

Your WMF files will open in Notepad.  Ugly, but it is a fix.

3. Run IESPYAD.

IESpyad is a free tool that puts block lists into IE’s restricted sites zone.  It’s managed by Eric Howes, who works as a consultant for Sunbelt.  We regularly update him with the latest URLs.  Click here.

(Note that Eric is currently out of town so I’m not sure it’s being updated as frequently.) 

Alex Eckelberry
(Hat tip to Jon and Sunbelt researchers Lior Kimchi and Adam Thomas)

http://sunbeltblog.blogspot.com/2005/12/workaround-for-wmf-exploit.html


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Eric the Red

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #3 on: December 29, 2005, 04:04:15 PM »
After you have installed IESPYAD (version December 27th) be sure to also apply the interim update that can be found at dslreports.com/forum/remark,15121689

This should be added to the December 27th update - do not remove that before applying this addition.

Offline Corrine

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #4 on: December 30, 2005, 11:25:49 AM »
Harry Waldron's Blog has a nice set of instructions:

Quote
Current recommendations for Malicious WMF Exploits in-the-wild

1. Keep your Anti-Virus and Anti-Spyware software as up-to-date as possible.  For example, McAfee users should install DAT 4661 or higher immediately
2. Stay away from all questionable websites.  Do not open WMF files or links in any environment (e.g., IM, email, web surfing, explorer, etc.).
3. Filter and block WMF files in email or content filtering systems in the corporate environment.
4. Don't rely just on the WMF extension.  Windows metadata processing can process a disguised and renamed extension.  For example, the extension for a corrupted WMF file might be renamed to GIF and when Windows opens it, it may recognize that it was a WMF file originally and an infection could result.
5. As an extra safety precaution, you can turn off the vulnerable DLL.   The Full Disclosure workaround has a downloadable *.REG file that allows toggling shimgvw.dll on and off.  Another option might be to turn off the shimgvw.dll service completely.  Turning services completely off will result in a minor loss of functionality for thumbnail previews in Explorer, and the Windows Fax & Picture viewer can be affected.  Still, it's easy to restore this service later after better protective solutions emerge, as noted in the Full Disclosure link.




Offline Eric the Red

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #5 on: December 30, 2005, 03:44:58 PM »
From F-Secure blog:

Quote
The amount of trojans using the zero-day WMF exploit is increasing rapidly.

There is an important note on that page about the danger of using mspaint until the WMF issue is resolved.

Offline Die Hard

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #6 on: December 30, 2005, 07:09:31 PM »
This is how I removed this crap. The method is probably different from case to case, depending on what the downloader is fetching.

So I will keep strictly to how I did:

Tools needed:
Ewido malware-remover  http://www.ewido.net/en/download/
datFind.bat :  http://virus-protect.net/bat/datFind.bat
Blacklight Beta by F-Secure: http://www.f-secure.com/blacklight/help/
HiJackThis : http://www.thespykiller.co.uk/files/HJTsetup.exe
Taskmanager (Ctrl+Alt+Del)

In my case it installed "UnSpy", which sent up a balloon in the taskbar. It could just as well look like this: http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html
Start by going to the control panel applet and uninstall whatever strange "antispyware" that is present.

Then HiJack This showed those details, fix them:
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\gvhfx.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\gvhfx.dll
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program\UnSpyPC\UnSpyPC.exe"
O9 - Extra button: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program\UnSpyPC\UnSpyPC.exe (HKCU)
O9 - Extra 'Tools' menuitem: Scan and protect your PC - {BF69DF00-4734-477F-8257-27CD04F88779} - C:\Program\UnSpyPC\UnSpyPC.exe (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\Software\..\Telephony: DomainName = 
O17 - HKLM\System\CCS\Services\Tcpip\..\{48B1CBE5-F7C9-4647-9E5A-CB28ADE3C636}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{50A7A9D9-4795-4D70-B1FD-83183E8A934A}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CE88FF2-E304-47EE-B024-D4E0F2170FB3}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{73486B9A-079D-480E-95D2-0B27292DD2EB}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 
O17 - HKLM\System\CS1\Services\Tcpip\..\{48B1CBE5-F7C9-4647-9E5A-CB28ADE3C636}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 

Reboot into safe mode and remove the UnSpy Folder.
If it's like in my case, Explorer will act awkwardly. You have to use the taskmanager to terminate and start Explorer, many times, when it stops responding.

Run Ewido, still in safe mode.

Reboot normally.

Run datFind.bat
It will  sort newly installed/changed files by date, in "System" , "System32" ,"Windows\Temp" and the "Windows" folder. 
Open the "datFind.bat" and it will sort the files by date, in the different folders. To create them, collapse the open log and click any key and a new log is created. Copy the recent month/2 months of each log into the thread.
Look for suspicious files installed simultaneously; the user should have a rather good opinion of when he was hit by this crap.
The logs are by default stored directly under C:\
Navigate to the suspicious files seen in the logs and remove them. All of them won't however be found.

Run Blacklight and reboot. Run Ewido again.

If datFind.bat is run now, there should be files in the system32 log that aren't visible,

therefore....

Run Blacklight and this time use the option "Rename" of the files it finds, then reboot. For simplicity, write down all filenames before it renames and reboots. If this isn't done, a search can be done for files with the extension ".exe.ren" after Blacklight is run.

Open Explorer and navigate to the system32 folder and remove the remaining files of the infection, all with file extension ".exe.ren".

One thing is still to be done. A registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
will have a value of, in my case, csajj.exe (this is one of the files that had to be renamed by Blacklight).

This is how I did to remove the infection installed by the WMF Exploit , which opened the viewer for fax.
Another strange thing that occurred while it was installing was that AVG flagged WISPIS.EXE as infected. I believe that is the program that handles the mouse. I never realized if it was healed or not, but it still works flawlessly.

Die Hard :)


I create and edit my posts in GS-NOTES

Offline Eric the Red

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #7 on: December 30, 2005, 10:17:40 PM »
One of the best articles that I have seen which analyses this exploit comes from Websense

This one also includes a .wmv showing the exploit in action, best run at full screen size.

Offline roddy32

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #8 on: January 01, 2006, 12:25:27 PM »
Here is the latest info on this from the Internet Storm Center.

This one is the updates thread that changes as new information is released or more exploits are released.
http://isc.sans.org/diary.php?n&storyid=992

This one is an overview of the situation.
http://isc.sans.org/diary.php?n&storyid=993

This one is the WMF FAQ
http://isc.sans.org/diary.php?n&storyid=994

This is the latest from this morning
"2nd generation WMF 0day Exploit Spammed"
http://isc.sans.org/diary.php?n&storyid=995

Microsoft MVP Consumer Security 2006 - 2012

Log'N'Rock Computer Security


Offline Eric the Red

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #9 on: January 01, 2006, 05:05:24 PM »
The Internet Storm Center (SANS Institute) is proving to be the most reliable source of information in respect of the WMF exploit and it is strongly recommended that you check that site regularly for updated information, this exploit should be taken seriously.

Latest information from the ISC at time of posting:

Trustworthy Computing
http://isc.sans.org/diary.php?storyid=996

Recommended Block List
http://isc.sans.org/diary.php?storyid=997

2nd generation WMF exploit: status of the anti-virus products after one day
http://isc.sans.org/diary.php?storyid=998

Updated version of Ilfak Guilfanov's patch
http://isc.sans.org/diary.php?storyid=999



Offline Corrine

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #10 on: January 01, 2006, 06:35:00 PM »
The strongest recommendations from around the net are to install Ilfak's Temporary WMF Patch until Microsoft issues a patch.  Ilfak's temp can then be removed via Add/Remove Programs.

http://www.grc.com/sn/notes-020.htm



Offline Corrine

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #11 on: January 01, 2006, 06:41:46 PM »
Recommended block lists from SANS:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
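An added example (not part of any post in this thread) that ties the two SANS block ranges above to the HijackThis O17 entries Die Hard posted earlier: the resolver addresses 85.255.115.3 and 85.255.112.12 that the infection wrote into the TCP/IP interface keys fall inside the Inhoster range. The script below is Python, uses the standard-library ipaddress module, and scans a constructed HijackThis-style excerpt; the interface GUID ending in all zeros and the 192.168.1.1 resolver are made up for the clean entry, the other values are the ones quoted in this thread. It is one way to triage a batch of HijackThis logs for hijacked DNS settings without eyeballing each line.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# The two SANS-recommended block ranges quoted in the post above.
BLOCK_LIST = {
    "InterCage Inc.": ipaddress.ip_network("69.50.160.0/19"),
    "Inhoster": ipaddress.ip_network("85.255.112.0/20"),
}

# HijackThis O17 lines carry "NameServer = ip[,ip...]" for each TCP/IP interface key.
O17_NAMESERVER = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<ips>[0-9.,]+)\s*$")

# Constructed HijackThis-style excerpt. The O4 line and the first O17 line reuse
# values from the cleanup post in this thread; the all-zero interface GUID and the
# 192.168.1.1 resolver are made up to represent a legitimate LAN DNS entry.
SAMPLE_LOG = """\
O4 - HKCU\\..\\Run: [UnSpyPC] "C:\\Program\\UnSpyPC\\UnSpyPC.exe"
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{48B1CBE5-F7C9-4647-9E5A-CB28ADE3C636}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: Domain = 
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""


def range_of(net: ipaddress.IPv4Network) -> Tuple[str, str]:
    """First and last address of a CIDR block, to cross-check the ranges as listed."""
    return str(net.network_address), str(net.broadcast_address)


def who_blocks(ip: str) -> Optional[str]:
    """Name of the block-list entry containing ip, or None if it is not listed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for name, net in BLOCK_LIST.items():
        if addr in net:
            return name
    return None


def flag_nameservers(log_text: str) -> List[Tuple[str, str, str]]:
    """(registry key, resolver IP, provider) for every O17 NameServer inside a blocked range."""
    hits = []
    for line in log_text.splitlines():
        m = O17_NAMESERVER.match(line)
        if not m:
            continue
        for ip in m.group("ips").split(","):
            owner = who_blocks(ip)
            if owner:
                hits.append((m.group("key"), ip, owner))
    return hits


if __name__ == "__main__":
    for name, net in BLOCK_LIST.items():
        print(f"{name}: {net} = {range_of(net)[0]} - {range_of(net)[1]}")
    for key, ip, owner in flag_nameservers(SAMPLE_LOG):
        print(f"HIJACKED DNS: {ip} ({owner}) in {key}")
```

The same who_blocks() check can be pointed at proxy or firewall logs to find hosts that are already talking to those ranges, which is the detection side of the block list rather than just the prevention side.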



Offline Eric the Red

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #12 on: January 01, 2006, 07:14:06 PM »
UNIRAS (UK Government Briefing) 1/06, released 19:31 UTC January 1st:

Quote
A new exploit has been released for the Windows WMF vulnerability.  The exploit
is embedded in image files with a .jpg extension and which are designed to make
detection with IDS more difficult.  At the time of release this exploit was not
detectable by anti-virus software although signatures are now being released.

There are further reports that this exploit has been used to construct
malicious emails that have been spammed out.  F-Secure have given the following
details for this email:

  Subject:    Happy New Year
  Body:       "picture of 2006"
  Attachment: HappyNewYear.jpg (MD5: DBB27F839C8491E57EBCC9445BABB755)
 
When the HappyNewYear.jpg is accessed (i.e. the file is opened, a folder containing
the file is viewed, or the file is indexed by, for example, Google Desktop), it
executes and downloads a Bifrose variant from www[dot]ritztours.com.

Full briefing at http://www.uniras.gov.uk/niscc/docs/br-20060101-00001.html?lang=en
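Three posts in this thread make the same point from different angles: the opening post advises blocking WMF files in HTTP and SMTP content checkers, Harry Waldron's item 4 warns that Windows recognises a WMF by content even after the extension is renamed, and the UNIRAS briefing above describes an exploit shipped as HappyNewYear.jpg. A content filter therefore has to key on the file header, not the name. The Python below is an added example, not code from any poster or vendor named here; it recognises the two WMF header layouts (the Aldus placeable header with magic 0x9AC6CDD7, and the standard META_HEADER whose first three words are Type 1 or 2, HeaderSize 9 and Version 0x0100 or 0x0300) and applies a block-during-outbreak policy to a set of constructed attachments. The sample bytes are headers only, with no drawing records, and are not malware.

```python
import struct
from typing import Dict, Tuple

# Aldus "placeable" WMF header magic, 0x9AC6CDD7 stored little-endian.
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"
# A standard META_HEADER is 9 words = 18 bytes.
META_HEADER_LEN = 18


def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes begin with a WMF header, whatever the file is named."""
    if len(data) < META_HEADER_LEN:
        return False
    if data[:4] == PLACEABLE_MAGIC:
        return True
    # Standard header: Type (1 = memory, 2 = disk), HeaderSize (always 9), Version.
    mtype, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def classify_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return ("block", reason) or ("allow", reason) for a mail or proxy content filter."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if looks_like_wmf(data):
        if ext != "wmf":
            return "block", f"WMF header under disguised extension .{ext or '(none)'}"
        return "block", "WMF file"
    if ext == "wmf":
        # No valid header, but during the outbreak the extension alone is reason enough.
        return "block", "claims .wmf extension"
    return "allow", "no WMF indicators"


def scan_all(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict per filename, for a batch of attachments."""
    return {name: classify_attachment(name, data)[0] for name, data in samples.items()}


# Constructed samples: a standard 18-byte header (memory metafile, version 3.0) and a
# 22-byte placeable header followed by it. Neither contains any metafile records.
STANDARD_WMF_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
PLACEABLE_WMF_HEADER = PLACEABLE_MAGIC + b"\x00" * 18 + STANDARD_WMF_HEADER
SAMPLES = {
    "HappyNewYear.jpg": STANDARD_WMF_HEADER,           # WMF disguised with a .jpg name
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,   # genuine JPEG SOI marker
    "diagram.wmf": PLACEABLE_WMF_HEADER,               # honestly named WMF
    "notes.txt": b"Happy New Year\n",                  # plain text, too short for a header
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify_attachment(name, data)
        print(f"{name:18} {verdict:5} {reason}")
```

Header sniffing of this kind is a cheap first pass for a gateway; it will not catch a WMF wrapped inside another container, so it complements rather than replaces updated AV signatures and the temporary patch discussed in this thread.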

Offline Eric the Red

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #13 on: January 01, 2006, 10:27:35 PM »
System Administrators may wish to know that SANS are now hosting a MSI version of the unofficial hotfix. It may be downloaded from a link on this page.

Offline Corrine

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #14 on: January 02, 2006, 10:37:36 AM »
The latest information --

If your computer is Windows 2000, Windows XP (SP1 and SP2), or Windows 2003 (NOT Win98 or ME) it is extremely vulnerable. After applying the temporary fix by Ilfak, you can check your system to ensure it is protected with the vulnerability checker.  Further discussion on this topic is available in the SunbeltBlog http://sunbeltblog.blogspot.com/2006/01/wmf-vulnerability-checker.html

FIX DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmffix_hexblog13.exe

Fix Described Here:  http://www.hexblog.com/2005/12/wmf_vuln.html

VULNERABILITY CHECKER DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmf_checker_hexblog.exe

Checker Described here:  http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html#more
