Author Topic: WMF Exploit 0-Day  (Read 68099 times)

0 Members and 1 Guest are viewing this topic.

Sgt.Schumann

  • Guest
Re: WMF Exploit 0-Day
« Reply #60 on: January 03, 2006, 10:02:23 PM »
100% Protection is not possible, unfortunately ... :-\

I have not installed the 'interims patch' from Ilfak, since I do not exactly know what it does ... and what it not does.
Since I want to exactly know, what happens at my machine,  I unregistered the .dll (knowing that that this is not sufficient, but here I know 'what command I executed') and also removed the image-exceptions from Avast!-Webshield.
With all current Avast!-Updates and the 'sense of being careful', it seems for me ...  to be quite good protected.  ::)
« Last Edit: January 03, 2006, 10:07:38 PM by Sgt.Schumann »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: WMF Exploit 0-Day
« Reply #61 on: January 03, 2006, 10:20:27 PM »
I have not installed the 'interims patch' from Ilfak, since I do not exactly know what it does ... and what it not does.

The patch installs itself to be loaded into virtually any started process (a special autorun method). When loaded, it patches the Escape() function in GDI32.dll such that it doesn't do anything when called with the SETABORTPROC argument (and simply returns immediatelly when called). This way, the WMF exploit is avoided - because normally it's exactly this function that makes it possible to execute the malicious code.

Sgt.Schumann

  • Guest
Re: WMF Exploit 0-Day
« Reply #62 on: January 03, 2006, 10:29:18 PM »
Igor, thank you for the explanation!  :)

Darren

  • Guest
Re: WMF Exploit 0-Day
« Reply #63 on: January 04, 2006, 12:38:35 AM »
Quote
BTW the "generic" WMF exploit detection has been released as part of the latest VPS update.

Ah, but change the extension from .wmf to .jpg and the avast on-access scanner will not detect it, and will even let it be executed. Change the extension back to .wmf, and all the alarms go off.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89006
  • No support PMs thanks
Re: WMF Exploit 0-Day
« Reply #64 on: January 04, 2006, 01:02:50 AM »
But will a .wmf file that has had the file type changed to .jpg execute correctly?

The file associations for .jpg may either not be able to open the file or indicate that the file is in error, etc.

If you have a valid .wmf file, change it to .jpg and try and open it and see what happens.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89006
  • No support PMs thanks
Re: WMF Exploit 0-Day
« Reply #65 on: January 04, 2006, 01:09:57 AM »
In answer to my own question, changing a valid .wmf file to a .jpg results in an error.

So for this to work the exploited .wmf file I assume must remain a .wmf file or the file associations won't work correctly, so no execution of exploit code.

However, SnagIt took a little time and it recognised what file type (rather than a .jpg it was and opened it. So if the generic is only looking at file extensions, which I hope not, then it could in some circumstances work with a changed file type.
« Last Edit: January 04, 2006, 01:16:13 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: WMF Exploit 0-Day
« Reply #66 on: January 04, 2006, 09:50:03 AM »
The detection itself doesn't care for file extensions - it's just that Standard Shield does.
If a viewer recognizes the WMF format by its content, it doesn't really matter what extension you use for the file. So, to prevent any possible loading, Standard Shield would have to scan every possible file. We believe this would be unnecessary overkill (slowing down the computer significantly), because:
1. Both Web Shield and mail providers should scan every received file by default
2. Standard Shield now scans created WMF files by default
So, the infected WMF file should not get to you computer unnoticed (unless it's already there).

However, you are certainly free to make Standard Shield scan all the files by putting * to the "Scan files on open" mask box.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: WMF Exploit 0-Day
« Reply #67 on: January 04, 2006, 05:18:23 PM »
Dear Forum Folks,

Latest news from Belgium, all that like to uninstall the Ilfak WMF Hotfix for one reason or other, or before downloading the official Microsoft patch due for Jan 10th, do this by going to C:\Program Files\Windows MetafileFix\inins000.exe.

greets,

Polonus
« Last Edit: January 04, 2006, 06:21:48 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89006
  • No support PMs thanks
Re: WMF Exploit 0-Day
« Reply #68 on: January 04, 2006, 05:26:32 PM »
It should also in the Add Remove programs list as Windows WMF Metafile Vulnerability Hotfix 1.x
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Data_Pirate

  • Guest
Re: WMF Exploit 0-Day
« Reply #69 on: January 05, 2006, 08:47:03 AM »
looks like somebody beat everybody to blocking it...i found this article at: http://www.pctools.com/news/view/id/123/


Quote
PC Tools issues immediate solution to the Microsoft Windows Metafile (WMF) security flaw

Exploit Guard is currently being added to all computers using Spyware Doctor

SAN FRANCISCO, Jan. 04, 2006 – PC Tools, creator of award-winning spyware removal and real-time protection software, has created and started distributing Exploit Guard, a new feature in Spyware Doctor that protects against threats exploiting the dangerous Microsoft Windows (WMF) vulnerability which was revealed by security researchers and confirmed by Microsoft on Dec. 28.

Microsoft announced plans to release a patch on January 10. Until then, all versions of Windows are at risk from the WMF defect which compromises the security of users worldwide.

"Criminals are already taking advantage of this security defect to install additional malicious spyware and malware onto computers," said Simon Clausen, CEO of PC Tools. "When our R&D team spotted the WMF vulnerability, they developed a solution to guard our users from hackers and other individuals looking to exploit the flaw."

Spyware Doctor users automatically receive protection against the Windows Metafile (WMF) vulnerability as Exploit Guard is delivered to them through the product's real-time update capability. Users who do not run the real-time anti-spyware protection continuously are at risk for this vulnerability as well as other threats.

note: i'm not trying to advertise, this is just a bit of a news update

WDGC

  • Guest
Re: WMF Exploit 0-Day
« Reply #70 on: January 05, 2006, 10:20:21 PM »
MS WMF fix download available now.


Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
Published: January 5, 2006

Version: 1.0
Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: None

http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx

.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: WMF Exploit 0-Day
« Reply #71 on: January 05, 2006, 10:20:43 PM »
Hi Data-Pirate,

The official patch due for Jan 10th was already achieved by Dec 28th last, and most certainly has an altered gdl32.dll. Observers say that the official and unofficial patch may be identical. Anyway testing and translating the patch takes time. What can the bad guys do with WMF in the meantime? Read here:
http://isc.sans.org/diary.php?storyid=1016

Anyway, MSN beat me to it, nice to read that for Win98 Unofficial SP2 the flaw is not critical, I knew already from Ilfak's checktool.


greets,

polonus
« Last Edit: January 05, 2006, 10:25:05 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

WDGC

  • Guest
Re: WMF Exploit 0-Day
« Reply #72 on: January 05, 2006, 10:29:47 PM »
The official patch due for Jan 10th

See my post above. MS WMF fix now available.

.

mouniernetwork

  • Guest
Re: WMF Exploit 0-Day
« Reply #73 on: February 01, 2006, 09:46:31 PM »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89006
  • No support PMs thanks
Re: WMF Exploit 0-Day
« Reply #74 on: February 01, 2006, 11:09:15 PM »
Your good news is very old (5/1/2006) and the patch is covered in this thread three posts up and it only covers XP as previously stated
Quote
System Requirements

    * Supported Operating Systems: Windows XP Service Pack 2
    * Windows XP Service Pack 1

So no official patch for Win98, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security