Author Topic: WMF Exploit 0-Day  (Read 68115 times)


Sgt.Schumann

  • Guest
Re: WMF Exploit 0-Day
« Reply #30 on: January 02, 2006, 09:34:55 PM »
I don't know if the 'heise sample' is really representative of real exploits ITW...  ???

Darren

  • Guest
Re: WMF Exploit 0-Day
« Reply #31 on: January 02, 2006, 09:56:12 PM »
Here's another WMF exploit test avast can't pass. Click this link at your own risk. It is supposed to be benign, but you've been warned.

http://ii.net/~benwig/addtestuser.wmf
All other antivirus programs catch this test. If you right-click the file and do a selective scan, avast does indeed identify it as Win32:Exdown [Trj]. But, avast will let you execute the file and will not complain at all. The avast real time scanner does not detect it, nor does the Web Shield. What's going on? There's a huge discussion at the PCQandA.com forums...
http://www.pcqanda.com/dc/dcboard.php?az=show_topic&forum=2&topic_id=393697

Pages 7-8 talk about avast.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: WMF Exploit 0-Day
« Reply #32 on: January 02, 2006, 10:32:01 PM »
Hi Darren,

I read the whole thread, and the conclusion was that the reg fix was to be preferred: see here:
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040699.html

Can you copy?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Darren

  • Guest
Re: WMF Exploit 0-Day
« Reply #33 on: January 02, 2006, 10:57:44 PM »
Can I copy? I have tried that reg fix and it's worthless. You're not talking to an amateur here.
Do your little registry hack, then download this tester...
http://www.hexblog.com/security/files/wmf_checker_hexblog.exe

I'm not worried about the exploit because I applied the real fix. A patch from Ilfak Guilfanov plugs the hole nicely, thank you.
http://www.hexblog.com/security/files/wmffix_hexblog13.exe

His blog here...
http://www.hexblog.com/2005/12/wmf_vuln.html

But what I am worried about is why avast doesn't detect these files like a lot of the other antivirus scanners?

Save these files from the below links and upload them to the jotti scanner...
http://www.eskimo.com/~darren/wmfexp.jpg
http://www.eskimo.com/~darren/browsercheck.wmf

Jotti Scanner here...
http://virusscan.jotti.org/

Can you copy?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: WMF Exploit 0-Day
« Reply #34 on: January 02, 2006, 11:34:17 PM »
Hi Darren,

Just did that, and here are the results:
- AntiVir found Exploit IMG.WMF D exploit;
- Arcavir found nothing;
- Avast found NOTHING;
- Bitdefender found Exploit.Win32.WMF-PFV;
- ClamAV (I have that as second opinion thanx goodness) found Exploit WMF-Gen-3;
- Fortinet found W32/WMF exploit;
- Kaspersky found Exploit Win32 IMC.WMF probably variant;
- Nod32 found probable a variant of Win32/Exploit WMF.

Conclusion: Avast failed this variety.

greets,

polonus
« Last Edit: January 03, 2006, 12:45:16 AM by polonus »

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: WMF Exploit 0-Day
« Reply #35 on: January 02, 2006, 11:58:21 PM »
That is an incorrect conclusion.
If at first you don't succeed, then skydiving's not for you.

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: WMF Exploit 0-Day
« Reply #36 on: January 03, 2006, 12:14:07 AM »
seems like even Avast!, bleedingsnort rules for KPF 4 and DEP on full power (well maybe this yes but it's still questionable) :) can't protect you ...

so far only working fix is that non official patch from www.hexblog.com ... oh well ...

any AV will fail to prevent the newest RND modified WMFs ... they can only trace known variants, not unknown ...

congrats to MS and a feature from the times of Windows 3.0 ... (yeah ALL versions of Windows are affected :))
« Last Edit: January 03, 2006, 12:16:05 AM by Dwarden »
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: WMF Exploit 0-Day
« Reply #37 on: January 03, 2006, 12:24:35 AM »
That is an incorrect conclusion.
Can you expand please Vlk.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: WMF Exploit 0-Day
« Reply #38 on: January 03, 2006, 12:38:56 AM »
Hi Dwarden & others,

The exploit that actually is no exploit, but has been a feature of Windows since 3.03, read here:
http://antivirus.about.com/od/virusdescriptions/a/wmfexploit_4.htm
So the solution to the problem depends on Windows, because the vulnerability has been lying around all that time, and millions of users may be sitting ducks for any new variety of this exploit.

polonus

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: WMF Exploit 0-Day
« Reply #39 on: January 03, 2006, 12:43:44 AM »
Quote
That is an incorrect conclusion.

Can you expand please Vlk.


Of course. What I meant is: if an AV's goal is to protect you from security threats, it is an incorrect conclusion (that avast FAILS). If the goal is to detect proof-of-concept stuff (completely benign!), then yes, avast FAILS.

In other words, show me one single malicious wmf file that avast does not detect.


That said, we will be releasing a generic solution to the problem in tomorrow's (well, today's if you're based in continental Europe) VPS update that should get rid of the problem for good.


On a side note, Dwarden is right that this is an issue in all versions of Windows, from 3.0 to the latest Vista beta. The funny thing is that it's not a buffer overrun problem (that is, a coding bug) - instead, it's a _feature_ of WMF files. That is, the WMF file format definition allows inclusion of code (that is called when printing fails - it's an error handler). This means that

1. the definition of the WMF file itself is flawed, not the implementation, and
2. other programs that can work with wmf files and adhere to the definition are theoretically vulnerable as well - and indeed, this is the case with e.g. IrfanView or XNView.

Cheers :)
Vlk
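Vlk's point above (the WMF format itself lets a record register an abort/error handler, so the detection question is structural rather than signature-based) can be turned into a generic check. The following is an added example, not code from this thread or from avast: it walks the WMF record stream and flags META_ESCAPE records whose escape code is SETABORTPROC, the record a plain picture has no reason to carry. Record layout and function numbers are taken from the MS-WMF specification; the two sample files are constructed here, with a zero-filled dummy escape payload.

```python
import struct

META_EOF, META_ESCAPE, SETABORTPROC = 0x0000, 0x0626, 0x0009
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header


def iter_records(data):
    """Yield (offset, function, params) for every record after the META_HEADER."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    # META_HEADER: Type, HeaderSize (in WORDs), Version, Size, NumObjects, MaxRecord, NumMembers
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size covers the 6-byte prefix
        if size_words < 3:
            raise ValueError(f"malformed record size at offset {off}")
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def find_abortproc_escapes(data):
    """Return [(record_offset, escape_byte_count)] for each SETABORTPROC escape."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, byte_count))
    return hits


# --- constructed sample files (not real-world samples) ---
def _record(func, payload=b""):
    return struct.pack("<IH", (6 + len(payload)) // 2, func) + payload


def _wmf(records):
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0) + body


CLEAN_WMF = _wmf([_record(0x0103, b"\x08\x00"), _record(META_EOF)])  # SETMAPMODE + EOF
SUSPICIOUS_WMF = _wmf([_record(0x0103, b"\x08\x00"),
                       _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
                       _record(META_EOF)])
```

Matching the escape code rather than a byte pattern is what makes the check generic across re-packed variants of the same trick; it says nothing about whether the escape payload is malicious.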

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: WMF Exploit 0-Day
« Reply #40 on: January 03, 2006, 12:59:50 AM »
Thank you very much for the clear (as usual) expansion and the notification on the generic solution.

Darren

  • Guest
Re: WMF Exploit 0-Day
« Reply #41 on: January 03, 2006, 01:16:23 AM »
Thanks Vlk, that's what I wanted to hear.  :)

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: WMF Exploit 0-Day
« Reply #42 on: January 03, 2006, 01:23:11 AM »
polonus, I always wrote here it's an exploit through some very old (and now obsolete) feature ...

one of many ... so there is still space for more new exploits  ;D

glad to see Vlk reads well what I wrote :) ... contrary to some others  ;)

mauserme

  • Guest
Re: WMF Exploit 0-Day
« Reply #43 on: January 03, 2006, 01:37:32 AM »
Hi All,

I don't know about the test files Avast! might be missing, but I do know I have the following entry in my Avast! log file:

12/31/05 12:59:16 AM  "Sign of WIN32:Exdown{TRJ}" has been found in "http:// ... wmf/wmf_exp.wmf" file

After clicking a link in an email Avast! threw up an alert asking if I wanted to end the connection.  I did, and I find no trace of the wmf file or the exploit on my computer.  I've done multiple scans with Avast! (with updated definitions), ClamWin, BitDefender, Ewido, A Squared, Spybot S&D, and Ad Aware and I am confident my computer is clean.

I'll take real world protection over success with test files any day.


Sgt.Schumann

  • Guest
Re: WMF Exploit 0-Day
« Reply #44 on: January 03, 2006, 07:57:57 AM »
Thank you for the answer Vlk,

For me the only important thing is that the ITW malicious samples are detected.

Personally, the 'play-examples' (like the heise one) are indeed not important ... but the problem is that they lead very fast to 'bad publicity', since they are easily available and a lot of people state them as 'representative'  :-\

Maybe a good idea would be some kind of news section directly on the Avast! start page. This would be e.g. a good place for explanations like Vlk's one above.