Author Topic: WMF Exploit 0-Day  (Read 58906 times)


Offline Omar

  • Sr. Member
  • Posts: 254
Re: WMF Exploit 0-Day
« Reply #15 on: December 29, 2005, 08:45:46 PM »
Quote
I'd recommend avast! users to take advantage of Web Shield by using URL Blocking to block all *.wmf files.

I think it would be good if Alwil releases a signature for this exploit so Web Shield can protect us well by scanning HTTP traffic in real time.



Ahhh, but it will run even if the swf is renamed as a gif or jpg. Unless avast actually checks the file headers rather than the extension?

Offline Steele

  • Full Member
  • Posts: 199
  • I won't bite too hard!
    • A World Beyond Imagination!
Re: WMF Exploit 0-Day
« Reply #16 on: December 30, 2005, 09:24:27 AM »
Microsoft Security Advisory (912840)

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005

Microsoft is investigating new public reports of a possible vulnerability in Windows.
Microsoft will continue to investigate the public reports to help provide additional guidance for customers.

Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.

Mitigating Factors:

• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

• By default, Internet Explorer on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability where the e-mail vector is concerned, although clicking on a link would still put users at risk. In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text. See the FAQ section of this vulnerability for more information about Internet Explorer Enhanced Security Configuration.

• Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.


http://www.microsoft.com/technet/security/advisory/912840.mspx
"A man can tell a thousand lies, I’ve learned my lesson well, Hope I live to tell the secrets I have learned, till then, It will burn inside of me..."

Offline ourasi

  • Newbie
  • Posts: 9
  • I'm a llama! And proud of it?
Re: WMF Exploit 0-Day
« Reply #17 on: December 30, 2005, 10:01:19 AM »
I tested this exploit on one site with the following result (avast! log):

30.12.2005 2:28:57 SYSTEM 248 Sign of "Win32:Exdown [Trj]" has been found in "http://www.  tfcco.  com / xpl. wmf" file. 

My Avast (29.12.2005 0552-2) stopped loading this file.  :)

Of course, I had first un-registered the Windows Picture and Fax Viewer (Shimgvw.dll)
with Run "regsvr32 -u %windir%\system32\shimgvw.dll"
 

Offline TAP

  • Sr. Member
  • Posts: 201
  • I'm a llama!
Re: WMF Exploit 0-Day
« Reply #18 on: December 30, 2005, 10:18:45 AM »
Quote
I'd recommend avast! users to take advantage of Web Shield by using URL Blocking to block all *.wmf files.

I think it would be good if Alwil releases a signature for this exploit so Web Shield can protect us well by scanning HTTP traffic in real time.

Ahhh, but it will run even if the swf is renamed as a gif or jpg. Unless avast actually checks the file headers rather than the extension?

avast! has a signature for this exploit and also scans HTTP traffic in real time (it scans almost all files downloaded via the browser). If I'm not wrong, other graphic file types are scanned except *.gif and *.png, but you can remove these two file types from the Exception list in Web Shield so they are also scanned.

Offline Sgt.Schumann

  • Jr. Member
  • Posts: 72
  • Men of the '303'
Re: WMF Exploit 0-Day
« Reply #19 on: December 30, 2005, 06:35:29 PM »
The removal of the exceptions in WebShield for the two image types is a good idea.  I already did this.

Isn't it possible that this could be done via an avast! update, because a lot of users might not think about it?

Wouldn't it also be recommended to add the image formats to the list of scanned extensions of Standard Shield (WMFs might also come from other sources)?  ???


Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67275
Re: WMF Exploit 0-Day
« Reply #20 on: December 30, 2005, 06:40:39 PM »
Quote
Wouldn't it also be recommended to add the image formats to the list of scanned extensions of Standard Shield (WMFs might also come from other sources)?  ???
When it becomes active, won't the process be an executable, a script, etc. that will be scanned by the Standard Shield?
I mean, the *.gif or *.wmf by themselves are innocuous, aren't they? Only when the infected process starts will it be caught by Standard Shield.
Am I wrong?
The best things in life are free.

Offline wishiknew

  • Jr. Member
  • Posts: 29
  • I am what I am.
Re: WMF Exploit 0-Day
« Reply #21 on: December 30, 2005, 09:33:33 PM »
http://www.eweek.com/article2/0,1895,1907131,00.asp

Cool for avast! in detecting the 73 variants so far.

http://www.kaspersky.com/faq?qid=176830011

On the other hand, why does Kaspersky need .exe patches to their AV? Change the default to scan wmf maybe?

Offline Data_Pirate

  • Newbie
  • Posts: 8
  • Quickly! Protect your booty from the data pirates!
    • The Avast Homepage
Re: WMF Exploit 0-Day
« Reply #22 on: January 02, 2006, 06:02:37 AM »
This is a news update. Apparently avast! cannot protect us just by doing this (removing shimgvw.dll)! I found this in an article:

Quote
New exploit
On New Year's eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at metasploit and xfocus, together with an anonymous source.

Note: We have been able to confirm that this exploit works. We are in the process of getting information to AV vendors ASAP. We can also confirm that having the file and simply opening the directory can be enough to get the exploit running.

The exploit generates files:

* with a random size;
* no .wmf extension, (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer

From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the IDS signatures for the previous versions of the WMF exploits work for this next generation.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of the WMF files.
Infection rate
McAfee announced on the radio yesterday they saw 6% of their customer having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.
Yellow
Considering this upsets all defenses people have in place, we voted to go to yellow in order to warn the good guys out there they need to review their defenses.

We hate going back to yellow for something we were yellow on a couple of days ago and had returned to green, but the more we look at it, the uglier it gets.
UNofficial patch
We want to be very clear on this: we have some very strong indications that simply un-registering the shimgvw.dll isn't always successful. The .dll can be re-registered by other processes, and there may be issues where re-registering the .dll on a running system that has had an exploit attempted against it will cause the exploit to succeed.

For those of you wanting to try an unofficial patch with all the risks involved, please see here. (md5 99b27206824d9f128af6aa1cc2ad05bc)
Initially it was only for Windows XP SP2. Fellow handler Tom Liston worked with Ilfak Guilfanov to help confirm some information required to extend it to cover Windows XP SP1 and Windows 2000.

Note: Tom has taken this thing apart and looked at it very, very closely. It does exactly what it advertises and nothing more. The wmfhotfix.dll will be injected into any process loading user32.dll. It will then patch (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (ie. 0x09) parameter. This should allow for Windows to display WMF files normally while still blocking the exploit. We want to give a huge thanks to Ilfak Guilfanov for building this and for allowing us to host and distribute it.

Note #2: When MS comes out with a real patch, simply uninstall this from Add/Remove programs on the Control Panel. Mr. Guilfanov did a great job with this ...

Patching with unofficial patches is very risky business, this comes without any guarantees of any kind.
Please do back out these unofficial patches before applying official patches from Microsoft.
Belt and suspenders
There is a possibility to do the proven belt and suspenders approach here: using the unofficial patch and the workaround from Microsoft together. Just remember to undo the damage done before applying any official patch for this vulnerability.
New Snort signatures
We are receiving signatures from Frank Knobbe that detect this newest variant, but we haven't done much testing for false positives or negatives at this point.
http://www.bleedingsnort.com/...

Frank also restated some warnings:

There is one important note in regards to ALL published signatures including this one. All these signatures will fail to detect the exploits when the http_inspect preprocessor is enabled with default settings. By default, the flow_depth of the preprocessor is 300 which is too short to cover the whole exploit. Should the exploit be transmitted on port 80 and http_inspect is enabled, no alert will occur. Note that it will still alert on any ports (using the all port sig below) that are not configured in http_inspect (ie FTP).
One solution is to add the statement "flow_depth 0" to the http_inspect preprocessor (actually the appropriate http_inspect_server line in the config). This will tell the preprocessor not to truncate the reassembled pseudo-packet, but it will have an adverse impact on performance. On busy networks, this will lead to 100% CPU utilization of the Snort process and major packet drops.
So we're between a rock, a solid surface, and a hard place. The exploits are web based, yet the signature will fail with http_inspect enabled. With it disabled, Snort will miss all rules containing uricontent and pcre/U statements. With it enabled, and flow_depth set to 0, Snort will alert on the exploit, but also process all uricontent rules in such a fashion that its CPU utilization is skyrocketing.
The only viable solution at this point is to run two instances of Snort. One with your normal set of rules and http_inspect enabled with either the default or "sane" values for flow_depth. The second instance should run with http_inspect disabled or flow_depth set to 0 (in the appropriate http_inspect_server config line), and process only rules that have to cover a larger than 300 byte area for content matches on ports configured in http_inspect. This two-pronged approach assures that Snort's performance is kept at normal levels, preventing packet loss.
Overview
A chronological overview of all WMF related articles on this site.
Thanks

Thanks to all handlers working on this today, especially Lorna, Tom, Kevin, Jim, Scott and all those I forgot. This was a cooperative effort.

Wishing all windows machines, their users, owners and administrators a happy New Year, with a bit fewer nasty exploits.

the article can be found here: http://isc.sans.org/diary.php?rss&storyid=992 (SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System)
« Last Edit: January 02, 2006, 06:04:45 AM by Data_Pirate »
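Two points in this thread invite a worked check: Omar's question of whether a scanner looks at file headers rather than the extension, and the ISC note that the patched Escape() call is the one using SETABORTPROC (0x09). The script below is an added example written for this page; it is not avast!, ISC or Microsoft code. It identifies a WMF by its header bytes regardless of file name, walks the record stream, and reports any META_ESCAPE record carrying SETABORTPROC as well as record sizes a renderer should never trust. Record and escape constants come from the Windows Metafile format; the sample files and their names are constructed fixtures, and the escape record in the "xpl.jpg" fixture carries no payload at all.

```python
import struct
from functools import reduce

# Constants from the Windows Metafile format (MS-WMF).
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103     # harmless record used in the constructed samples
SETABORTPROC = 0x0009        # Escape() sub-function the thread discusses
MIN_RECORD_WORDS = 3         # RecordSize (4 bytes) + RecordFunction (2 bytes)


def wmf_header_offset(data):
    """Return the offset of the standard META_HEADER if `data` is a WMF by
    content (placeable or not), else None. The file name is deliberately ignored."""
    has_placeable = len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY
    off = 22 if has_placeable else 0
    if len(data) < off + 18:
        return None
    mtype, header_words, version = struct.unpack_from("<HHH", data, off)
    if mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def scan_wmf(data):
    """Walk the record stream and return (offset, reason) findings.
    A record size below the minimum, or one running past the end of the data,
    is reported and stops the walk: a scanner must not trust sizes blindly."""
    findings = []
    off = wmf_header_offset(data)
    if off is None:
        return findings
    pos = off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < MIN_RECORD_WORDS:
            findings.append((pos, "record size %d words below minimum" % size_words))
            break
        end = pos + size_words * 2
        if end > len(data):
            findings.append((pos, "record runs past end of file"))
            break
        if func == META_EOF:
            break
        if func == META_ESCAPE and size_words >= 5:
            esc_func, _byte_count = struct.unpack_from("<HH", data, pos + 6)
            if esc_func == SETABORTPROC:
                findings.append((pos, "META_ESCAPE with SETABORTPROC"))
        pos = end
    return findings


def classify(data):
    """Content-based verdict: 'not-wmf', 'clean-wmf' or 'suspicious-wmf'."""
    if wmf_header_offset(data) is None:
        return "not-wmf"
    return "suspicious-wmf" if scan_wmf(data) else "clean-wmf"


def build_wmf(records, placeable=False):
    """Assemble a minimal WMF from (function, parameter-bytes) pairs.
    Constructed fixture helper; parameters must be an even number of bytes."""
    recs = [struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records]
    recs.append(struct.pack("<IH", MIN_RECORD_WORDS, META_EOF))
    body = b"".join(recs)
    max_words = max(len(r) // 2 for r in recs)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    out = header + body
    if placeable:
        # Key, handle, bounding box, inch, reserved, then an XOR checksum over the first ten WORDs.
        head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = reduce(lambda a, b: a ^ b, struct.unpack("<10H", head))
        out = head + struct.pack("<H", checksum) + out
    return out


# Constructed samples; the file names mirror the thread's point that the extension proves nothing.
SAMPLES = {
    "holiday.gif": build_wmf([(META_SETMAPMODE, struct.pack("<H", 8))], placeable=True),
    "xpl.jpg": build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))]),
    "broken.wmf": build_wmf([])[:18] + struct.pack("<IH", 1, META_SETMAPMODE),
    "real.gif": b"GIF89a" + b"\x00" * 40,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("%-12s %s" % (name, classify(data)))
```

The verdict never consults the name: the renamed "holiday.gif" is recognised as a clean WMF, "xpl.jpg" is flagged on the escape record, and the real GIF is simply not a WMF. A web gateway or mail filter built on this idea would scan every download regardless of extension, which is what TAP later describes avast! doing once the *.gif and *.png exceptions are removed.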

Offline WDGC

  • Jr. Member
  • Posts: 42
Re: WMF Exploit 0-Day
« Reply #23 on: January 02, 2006, 06:51:36 AM »
F-Secure update:

Monday, January 2, 2006
It's not a bug, it's a feature    Posted by Mikko @ 04:13 GMT

Quote
"The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.

http://www.f-secure.com/weblog/archives/archive-012006.html#00000758


Offline NonSuch

  • Newbie
  • Posts: 15
  • I'm a llama!
Re: WMF Exploit 0-Day
« Reply #24 on: January 02, 2006, 08:50:04 AM »
I installed Ilfak's patch yesterday, I've set rules in my firewall, I'm using URL Blocking for *.wmf files, and I'm being very, very careful.  That's on my XP system.  My Win 98 system will remain disconnected from the internet until there's a patch available for that OS. 

 

Offline Data_Pirate

  • Newbie
  • Posts: 8
  • Quickly! Protect your booty from the data pirates!
    • The Avast Homepage
Re: WMF Exploit 0-Day
« Reply #25 on: January 02, 2006, 09:11:38 AM »
i would say the safest things to do right now are:

-to be careful on what sites you go onto
-use a different browser instead of IE (like firefox)
-avast! users should use WMF blocking and keep their vps updated
-configure your firewall to block all images (or just WMF ones if it has that option)
-keep an eye out for any new windows security updates
-watch for any news on the exploit

it's all common sense in security really
« Last Edit: January 02, 2006, 09:43:01 AM by Data_Pirate »

Offline Proteus93

  • Newbie
  • Posts: 10
Re: WMF Exploit 0-Day
« Reply #26 on: January 02, 2006, 10:15:41 AM »
I've been using avast! for nearly a couple of years now, and it has proven itself to be a fantastic AV. I've been especially appreciative of the way it goes about protecting email systems, since part of my duties for my job include having the network's email routed here (which is also my home personal computer). The only problem I ran into was when the last Sober variant came out, and it absolutely flooded my inbox. Because I knew pretty much all of the subject lines, I began turning off avast! when I'd open up the inbox (having it individually scan hundreds of mails first thing in the morning was rather time consuming). Unfortunately, it was still off when I was hit with this exploit. Mind you, it wouldn't have helped a great deal, because my machine was infected in the early morning hours of Dec. 27 (starting at about 1:38 AM EST). I had the red X appear in my system tray with the whole "Spyware has been detected!" warning, and thought, "That's odd... I have the MS Security Center disabled"... immediately after, it dawned that something was wrong.

So... I clicked to restart the AV, and was immediately met with:

Sign of "Win32:Hoaxalarm-K [Trj]" has been found in "C:\WINDOWS\tool2.exe" file. 
Sign of "Win32:Trojano-3110 [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\OD6Z8L2V\child[1].exe" file. 
Sign of "Win32:Trojano-3110 [Trj]" has been found in "C:\DOCUME~1\PROTEU~1\LOCALS~1\Temp\6BC.tmp" file. 
Sign of "Win32:Trojano-3144 [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\SDAZ05U7\adtech2006a[1].exe" file. 
Sign of "Win32:Trojano-3144 [Trj]" has been found in "C:\windows\adtech2006a.exe" file. 
Sign of "Win32:Qoologic-AB [Trj]" has been found in "C:\WINDOWS\system32\wuauclt.dll" file. 
Sign of "Win32:Qoologic-AB [Trj]" has been found in "C:\WINDOWS\system32\wuauclt.dll" file. 
Sign of "Win32:Qoologic-Z [Trj]" has been found in "C:\WINDOWS\system32\vgactl.cpl" file. 
Sign of "Win32:Qoologic-Z [Trj]" has been found in "C:\WINDOWS\system32\vgactl.cpl" file. 
Sign of "Win32:Qoologic-AA [Trj]" has been found in "C:\DOCUME~1\PROTEU~1\LOCALS~1\Temp\f629807835.exe" file. 
Sign of "Win32:Tsupdate-J [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\OD6Z8L2V\stub_113_4_0_4_0[1].exe" file. 
Sign of "Win32:Trojano-2873 [Trj]" has been found in "C:\Documents and Settings\Proteus93\Local Settings\Temporary Internet Files\Content.IE5\4TUNG96F\MTE3NDI6ODoxNg[1].exe" file.
Sign of "Win32:Trojano-2873 [Trj]" has been found in "C:\MTE3NDI6ODoxNg.exe" file. 
Sign of "Win32:Trojano-3173 [Trj]" has been found in "C:\program files\common files\microsoft shared\web folders\ibm00001.dll" file. 
Sign of "Win32:Runner [Trj]" has been found in "C:\WINDOWS\system32\pgws.exe" file. 
Sign of "Win32:Trojano-3173 [Trj]" has been found in "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll" file. 
Sign of "Win32:Trojano-1152 [Trj]" has been found in "C:\Program Files\Common Files\VCClient\SS1001.exe" file. 

All of this seemed to be a result of the exploit, in which time, I was also starting to get a popup of WebSheriff installing and so forth... some Sudoku thing was appearing as well, among other things. Too little, too late. Netstat started showing signs of multiple connections via SMTP and I was getting a load of connections attempting through port 8558. Then Avast! started up with that "Connection timed out" message... over and over and over. Hundreds of these things were showing up, heavily enough that they were effectively DDOSing my machine. Through netstat -b, I was told that it was svchost responsible for all of the traffic, and no specific programs were making the connections, making it impossible for me to track down a simple offending process and destroy it.

All in all, I ended up spending the entire day of the 27th fighting with the machine, disconnected from the web, and having to use another machine to browse for troubleshooting... of course, since it was a 0-day, I was finding squat. By the end of the day, using a combination of anti-spyware programs and some digging through my machine to get it all out (I think I got it all, at least). Anyways, congrats on having excellent coverage on the problem now. I've gone back to just letting it scan through all of the email so I don't forget to turn it back on again. That leads me to the question, though - is there any possibility of a feature to have Avast! simply delete viruses and worms it finds in email instead of having the big popup each time that requires me to hit delete and select delete again when given the second window regarding scanning at start-up if necessary? Not a default feature that just does it, but rather, a setting in the program that allows me to simply tell it to do so, and to always perform the same action each time? That would be fabulous.

Apologies on the long, rambling post... and cheers.
P93

Offline Cloussau

  • Avast Evangelist
  • Advanced Poster
  • Posts: 897
  • AVAST! antivirus with balls
Re: WMF Exploit 0-Day
« Reply #27 on: January 02, 2006, 12:18:57 PM »
Hi and welcome proteus,
I think what you are looking for is "silent mode" in the advanced settings of the mail provider. Still not completely hands free, but much reduced.



Does your post have anything to do with the original topic of this thread?? ::)
If not, why didn't you start a fresh one??
sys- p4  3.0D ,  1024mb ddram ;arsenal :Avast IS 5.0 pro / Firefox / adblock /noscript : win xp/pro/sp3 32 bit

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67275
Re: WMF Exploit 0-Day
« Reply #28 on: January 02, 2006, 02:17:12 PM »
Quote
That leads me to the question, though - is there any possibility of a feature to have Avast! simply delete viruses and worms it finds in email instead of having the big popup each time that requires me to hit delete and select delete again when given the second window regarding scanning at start-up if necessary? Not a default feature that just does it, but rather, a setting in the program that allows me to simply tell it to do so, and to always perform the same action each time? That would be fabulous.
This is only fully possible in Professional version (see picture here: http://forum.avast.com/index.php?topic=13315.msg112285#msg112285).

In Home version you can check the option "Don't show this window again" as soon as the first virus warning appears, and click on "No action" button. This way, nothing will be done and you will be presented the results at the end (and you can perform actions from there).

Or you can use Silent Mode:

Left click the 'a' blue icon.
It will start On-access protection

Click on Internet Mail and then on Customize.
Go to Advanced tab and select Silent Mode and the default answer No. This will send the file (email) to Chest.

Do the same for the Outlook/Exchange plugin.
The answer Yes in Silent Mode keeps the virus in the file or in the message (attachment) and continues the scanning. You can't configure 'delete the infected file' in the Home version.

You can do the same for Standard Shield provider, but it won't be a good idea...

Silent mode in the case of the WebShield provider simply means that avast will keep pressing the "Abort connection" button for the user automatically.
The best things in life are free.

Offline Riker

  • Jr. Member
  • Posts: 26
  • The Star's the Limit
Re: WMF Exploit 0-Day
« Reply #29 on: January 02, 2006, 08:58:55 PM »
Maybe someone from Alwil can look at this virus test sample from http://www.heise.de/security/dienste/emailcheck/demos/go.shtml?mail=wmf

Mail-Scanner and On-Access don't detect this.

And on http://virusscan.jotti.org/ only Kaspersky, Bitdefender and 2 others detect this.

Carsten
MCSA