Author Topic: WMF Exploit 0-Day (Read 68189 times)

Sgt.Schumann · « **Reply #30 on:** January 02, 2006, 09:34:55 PM »

I don't know if the 'heise sample' is really representative to real exploits ITW...

Darren · « **Reply #31 on:** January 02, 2006, 09:56:12 PM »

Here's another WMF exploit test avast can't pass. Click this link at your own risk. It is supposed to be benign, but you've been warned.

Code: [Select]

http://ii.net/~benwig/addtestuser.wmf
All other antivirus programs catch this test. If you right-click the file and do a selective scan, avast does indeed identify it as Win32:Exdown [Trj]. But, avast will let you execute the file and will not complain at all. The avast real time scanner does not detect it, nor does the Web Shield. What's going on? There's a huge discussion at the PCQandA.com forums...
http://www.pcqanda.com/dc/dcboard.php?az=show_topic&forum=2&topic_id=393697

Pages 7-8 talks about avast.

polonus · « **Reply #32 on:** January 02, 2006, 10:32:01 PM »

Hi Darren,

Read the whole thread, and conclusion was that the reg fix was to be preferred: see here:
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040699.html

Can you copy?

polonus

Darren · « **Reply #33 on:** January 02, 2006, 10:57:44 PM »

Can I copy? I have tried that reg fix and it's worthless. You're not talking to an amateur here.
Do your little registry hack, then download this tester...
http://www.hexblog.com/security/files/wmf_checker_hexblog.exe

I'm not worried about the exploit because I applied the real fix. A patch from Ilfak Guilfanov plugs the hole nicely, thank you.
http://www.hexblog.com/security/files/wmffix_hexblog13.exe

His blog here...
http://www.hexblog.com/2005/12/wmf_vuln.html

But what I am worried about, is why avast doesn't detect these files like alot of the other antivirus scanners?

Save these files from the below links and upload them to the jotti scanner...
http://www.eskimo.com/~darren/wmfexp.jpg
http://www.eskimo.com/~darren/browsercheck.wmf

Jotti Scanner here...
http://virusscan.jotti.org/

Can you copy?

Quote from: polonus on January 02, 2006, 10:32:01 PM

Hi Darren,

Read the whole thread, and conclusion was that the reg fix was to be preferred: see here:
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040699.html

Can you copy?

polonus

polonus · « **Reply #34 on:** January 02, 2006, 11:34:17 PM »

Hi Darren,

Just did that, and here are the results:
- AntiVir found Exploit IMG.WMF D exploit;
- Arcavir found nothing;
- Avast found NOTHING;
- Bitdefender found Exploit.Win32.WMF-PFV;
- ClamAV (I have that as second opinion thanx goodness) found Exploit WMF-Gen-3;
- Fortinet found W32/WMF exploit;
- Kaspersky found Exploit Win32 IMC.WMF probably variant;
- Nod32 found probable a variant of Win32/Exploit WMF.

Conclusion Avast failed this variety.

greets,

polonus

Vlk · « **Reply #35 on:** January 02, 2006, 11:58:21 PM »

That is an incorrect conclusion.

Dwarden · « **Reply #36 on:** January 03, 2006, 12:14:07 AM »

seems like even Avast! , bleedingsnort rules for KPF 4 and DEP on full power (well maybe this yes but it's stil lquestionable)

can't protect You ...

so far only working fix is that non official patch from www.hexblog.com ... oh well ...

any AV will fail to prevent newest RND modified WMFs ... they can only trace known variants not unknown ...

congrats to MS and feature from times of Windows 3.0 ... (yeah ALL versions windows are affected

DavidR · « **Reply #37 on:** January 03, 2006, 12:24:35 AM »

Quote from: Vlk on January 02, 2006, 11:58:21 PM

That is an incorrect conclusion.

Can you expand please Vlk.

polonus · « **Reply #38 on:** January 03, 2006, 12:38:56 AM »

Hi Dwarden & others,

The exploit that actually is no exploit, but had been a feature of Windows since 3.03 read here:
http://antivirus.about.com/od/virusdescriptions/a/wmfexploit_4.htm
So the solution to the problem depends on Windows, because the vulnerability has been lying around all that time, and millions of users maybe sitting ducks for any new variety of this exploit.

polonus

Vlk · « **Reply #39 on:** January 03, 2006, 12:43:44 AM »

Quote

That is an incorrect conclusion.

Can you expand please Vlk.

Of course. What I meant is: if an AV's goal is to protect you from security threats, it is an incorrent conclusion (that avast FAILS). If the goal is to detect proof-of-concept stuff (completely benign!), then yes, avast FAILS.

In other words, show me one single malicious wmf file that avast does not detect.

That said, we will be releasing a generic solution to the problem in the tomorrow's (well today's if you're based in continental Europe) VPS update that should get rid of the problem for good.

On a side note, Dwarden is right that this is an issue in all versions of Windows, from 3.0 to the latest Vista beta. The funny thing is that it's not a buffer overrun problem (that is, a coding bug) - instead, it's a _feature_ of WMF files. That is, the WMF file format definition allows inclusion of code (that is called when printing fails - it's an error handler). This means that

1. the definition of the WMF file itself is flawed, not the implementation, and
2. other programs that can work with wmf files and adhere to the definition are theoretically vulnerable as well - and indeed, this is the case with e.g. IrfanView or XNView.

Cheers

Vlk

DavidR · « **Reply #40 on:** January 03, 2006, 12:59:50 AM »

Thank you very much for the clear (as usual) expansion and the notification on the generic solution.

Darren · « **Reply #41 on:** January 03, 2006, 01:16:23 AM »

Thanks Vlk, that's what I wanted to hear.

Dwarden · « **Reply #42 on:** January 03, 2006, 01:23:11 AM »

polonus i always wrote here it's exploit thru some very old (and obsolete now) feature ...

one of many ... so there is still space for more new exploits

glad to see Vlk reads well what i wrote

... contrary to some others

mauserme · « **Reply #43 on:** January 03, 2006, 01:37:32 AM »

Hi All,

I don't know about the test files Avast! might be missing, but I do know I have the following entry in my Avast! log file:

12/31/05 12:59:16 AM "Sign of WIN32:Exdown{TRJ}" has been found in "http:// ... wmf/wmf_exp.wmf" file

After clicking a link in an email Avast! threw up an alert asking if I wanted to end the connection. I did, and I find no trace of the wmf file or the exploit on my computer. I've done multiple scans with Avast! (with updated definitions), ClamWin, BitDefender, Ewido, A Squared, Sypob S&D, and Ad Aware and I am confident my computer is clean.

I'll take real world protection over success with test files any day.

Sgt.Schumann · « **Reply #44 on:** January 03, 2006, 07:57:57 AM »

Thank you for the answer Vlk,

for me the only important thing is, that the ITW malicous samples are detected.

Personally, the 'play-examples' (like the heise one) are indeed not important ... but the problem is, that they lead very fast to a 'bad publicity", since they are easy available and a lot of people state them as 'representative' $:-\$

Maybe a good idea would be some kind of news section directly on the Avast! start page. This would be e.g. a good place for explanations like Vlk's one above.

Author Topic: WMF Exploit 0-Day (Read 68189 times)

Sgt.Schumann

Re: WMF Exploit 0-Day

Darren

Re: WMF Exploit 0-Day

polonus

Re: WMF Exploit 0-Day

Darren

Re: WMF Exploit 0-Day

polonus

Re: WMF Exploit 0-Day

Vlk

Re: WMF Exploit 0-Day

Dwarden

Re: WMF Exploit 0-Day

DavidR

Re: WMF Exploit 0-Day

polonus

Re: WMF Exploit 0-Day

Vlk

Re: WMF Exploit 0-Day

DavidR

Re: WMF Exploit 0-Day

Darren

Re: WMF Exploit 0-Day

Dwarden

Re: WMF Exploit 0-Day

mauserme

Re: WMF Exploit 0-Day

Sgt.Schumann

Re: WMF Exploit 0-Day