jbob | reply to mysec | Re: Windows MetaFiles still vulnerable
So after browsing the site, the Windows Picture and Fax Viewer starts on its own? Guess it really doesn't matter, since even if the default viewer is changed the infection still occurs.
What is it you are using that blocked the xxx.exe? I don't recognize the GUI dialog.
matunga | reply to badd
DEP enabled for all programs has blocked it.
trparky
said by matunga: DEP enabled for all programs has blocked this [LINK REMOVED]
Is that a test or a real-live exploit?
-- WedgeAntilles250, Tom's Rant
gracie | reply to jbob
said by jbob: since even if the default viewer is changed the infection still occurs.
WAIT---please someone answer this: if we do the unregistration of Windows Picture Viewer thing (which has totally broken any quick previewing of ALL graphic files, not just .wmf; now I have to wait for PSP or Photoshop to load just to check a .jpg), that still doesn't protect us?
And would just changing the default for .wmf from Picture Viewer to, say, Photoshop protect us without the unregistration?
This is VERY murky to me. I am not happy not being able to quickly preview my jpgs and gifs, and I never view wmfs, so just making it impossible to view wmfs would be a good solution for me. But there seem to be differing opinions about what's needed (besides a good patch from MS).
-- graciella! "not tonight dear, I have DSL." Creating SuperOrganizations Worldwide. Creating & Hosting SuperSites Worldwide.
jbob
I think you're OK, gracie. Red tried it with IrfanView set as the default viewer and the infection still occurred, but that was before the affected .dll file was unregistered. So far it seems that .dll is the key. Without it or admin privileges there is no threat. So far!
I wish somebody would just release a hacked .dll file. lol
gracie
said by jbob: with IrfanView set as the default viewer... the infection still occurred but that was before the affected .dll file was unregistered.
Thanks! So the unregistration is still necessary, then. Rats. But I'm advising all to do it. I'll just have to live without a quickie preview function. No real biggie.
jmwicks | reply to gracie
said by gracie: WAIT---please someone answer this: if we do the unregistration of Windows Picture Viewer thing (which has totally broken any quick previewing of ALL graphic files, not just .wmf; now I have to wait for PSP or Photoshop to load just to check a .jpg), that still doesn't protect us?
You are protected from being attacked just by previewing a wmf or viewing a wmf in IE.
said by gracie: and would just changing the default for .wmf from Picture Viewer to, say, Photoshop protect us without the unregistration?
I don't believe so. You would still be vulnerable when you preview exploited wmfs.
said by gracie: this is VERY murky to me. I am not happy not being able to quickly preview my jpgs and gifs, and never view wmfs, so just making it impossible to view wmfs would be a good solution for me. But there seem to be differing opinions about what's needed (besides a good patch from MS).
This is only a quick fix for now. A patch *should* be released within a couple of days. Here is the complete workaround for those confused; I'd do at least 1 & 2: »sunbeltblog.blogspot.com/2005/12···oit.html
jbob | reply to redxii
And this today from Kaspersky Labs viruslist weblog:
»www.viruslist.com/en/weblog?webl···76771047
As I'm sure you've heard by now, attackers are taking advantage of an unpatched vulnerability which gets exploited by .wmf files.
Dozens of sites are already hosting malicious .wmf files. In addition to this, the sites are distributing so-called 'anti-spyware applications' (which require the infected user to pay) and other malware, such as Trojan-Spy.Win32.Small.ee, which isn't directly related to these applications.
Naturally we've been doing some research on this vulnerability and we've come up with some interesting findings.
At first glance it seems that hardware-based Data Execution Protection, which is available only with XP/SP2 on NX-bit (AMD) and XD-bit (Intel) enabled CPUs, prevents successful exploitation of the vulnerability.
We've tested on AMD and Intel platforms, and HW DEP seemed initially to prevent successful exploitation in Internet Explorer and Windows Explorer. However, when testing the latest builds of third-party image viewers like IrfanView and XnView, HW DEP didn't prevent exploitation, even with HW DEP enabled for all programs.
This shows that although HW DEP can help, it's by no means a solution.
Perhaps the most worrying thing about this whole issue is that NTFS rights have no effect on whether or not the vulnerability will be exploited.
Some people run under a limited user account (which among other things restricts NTFS rights). This may make people feel that they are protected from malware. In this case, nothing could be much further from the truth.
The attackers seem very well aware of this fact and have already released malware which will be downloaded and executed in a directory where a limited user has execution rights.
Our testing has also revealed that although Windows 2000 is not vulnerable by default, it is potentially vulnerable. If the Windows 2000 system has an image viewer which supports .wmf files installed, there's a high chance that the system will be vulnerable.
Image viewers like Irfanview and XnView rely on the vulnerable file to show .wmf files. Exploitation also successfully occurs on Windows 2000, with testing carried out on 2000/SP4 with all the latest patches.
The good thing however is that Internet Explorer will ask you (at least once) if you want to open or save the .wmf file instead of opening it by default.
WinXP Pro 64-bit edition is also vulnerable. However, as all shellcode is written for IA32 processors, the exploits won't work. Specific IA64 shellcode needs to be written for the exploit to work. The chances of this happening (on a large scale) are slim, as only a small number of users run WinXP Pro 64-bit edition.
We've released heuristic detection for malicious .wmf files which exploit the new vulnerability. Suspicious files will be detected as Exploit.Win32.IMG-WMF.
SUMware | reply to redxii
So, pardon my confusion, are the following conclusions accurate?
From SecurityFocus: If the exploit file is named with another graphics extension (i.e. .gif, .jpg, .png, .tif), the GDI library will still read it correctly as a WMF file and execute the exploit. As a result, all common graphics files can carry the exploit. -David Byrne
From SecurityFocus: The thumbnail view in Windows Explorer will parse the graphics files in a folder, even if the file is never explicitly opened. This is enough to trigger the exploit. Even more frightening is that you don't have to use the thumbnail view for a thumbnail to be generated. Under some circumstances, just single-clicking on the file will cause it to be parsed. -David Byrne
Schouw
said by SUMware: So, pardon my confusion, are the following conclusions accurate? From SecurityFocus: If the exploit file is named with another graphics extension (i.e. .gif, .jpg, .png, .tif), the GDI library will still read it correctly as a WMF file and execute the exploit. As a result, all common graphics files can carry the exploit. -David Byrne
For Windows Explorer this seems correct; for Internet Explorer this doesn't seem correct (IE tries to parse it itself).
said by SUMware: From SecurityFocus: The thumbnail view in Windows Explorer will parse the graphics files in a folder, even if the file is never explicitly opened. This is enough to trigger the exploit. Even more frightening is that you don't have to use the thumbnail view for a thumbnail to be generated. Under some circumstances, just single-clicking on the file will cause it to be parsed. -David Byrne
Correct.
-- Not speaking for Kaspersky Lab
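The SecurityFocus point quoted above is that GDI decides a file is a WMF from its header, not from its extension. The Python scanner below is an added example (not code from the thread, from SecurityFocus or from Kaspersky) that applies the same rule from the defender's side: it parses the optional placeable header (verifying its XOR checksum) and the standard META_HEADER, and flags a file whose bytes are a metafile but whose name claims another image type. The function names are mine, and the sample files it checks are constructed inline; metafile records are not interpreted.

```python
import os
import struct

# Field values from the WMF format. Added example, not code from the thread.
PLACEABLE_KEY = 0x9AC6CDD7        # Aldus placeable metafile signature (little-endian DWORD)
WMF_TYPES = (1, 2)                # MEMORYMETAFILE, DISKMETAFILE
WMF_VERSIONS = (0x0100, 0x0300)   # METAVERSION100, METAVERSION300

def parse_wmf_header(data: bytes):
    """Return header fields if data starts with a plausible WMF header, else None."""
    offset, placeable = 0, False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        # Placeable header: ten WORDs followed by a WORD equal to the XOR of those ten.
        checksum = 0
        for word in struct.unpack_from("<10H", data, 0):
            checksum ^= word
        if checksum != struct.unpack_from("<H", data, 20)[0]:
            return None
        offset, placeable = 22, True
    if len(data) < offset + 18:
        return None
    mt_type, hdr_size, version, size_lo, size_hi, objects, max_rec, _ = \
        struct.unpack_from("<HHHHHHIH", data, offset)
    if mt_type not in WMF_TYPES or hdr_size != 9 or version not in WMF_VERSIONS:
        return None
    return {"placeable": placeable, "type": mt_type, "version": version,
            "size_words": size_lo | (size_hi << 16), "objects": objects,
            "max_record": max_rec}

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the bytes parse as a WMF but the file name does not say so."""
    ext = os.path.splitext(filename)[1].lower()
    return parse_wmf_header(data) is not None and ext != ".wmf"

def build_sample_wmf() -> bytes:
    """Constructed minimal file: placeable header, standard header, META_EOF record."""
    head = struct.pack("<I", PLACEABLE_KEY) + struct.pack("<HhhhhHI", 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", head):
        checksum ^= word
    # Standard header: DISKMETAFILE, 9-word header, version 3.0, 12 words total, largest record 3 words.
    std = struct.pack("<HHHHHHIH", 2, 9, 0x0300, 12, 0, 0, 3, 0)
    return head + struct.pack("<H", checksum) + std + struct.pack("<IH", 3, 0x0000)

SAMPLE_WMF = build_sample_wmf()                        # constructed, draws nothing
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 40       # constructed JPEG-like prefix
```

Running `extension_mismatch("holiday.jpg", SAMPLE_WMF)` returns True, while the same bytes named `chart.wmf` and the JPEG-like sample are not flagged.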
mysec | reply to jbob
Blocking the dropper from executing
said by jbob: What is it you are using that blocked the xxx.exe? I don't recognize the GUI dialog.
said by jbob (quoting the Kaspersky Labs viruslist weblog): "This shows that although HW DEP can help, it's by no means a solution."
The program is Anti-Executable. I'm not sure how DEP anti-execution is supposed to work, but AE creates a whitelist of all installed executables and blocks any others from running. So, as the ioo.exe dropper attempted to execute, it was blocked, as shown in the screenshot.
Here is a look at how the unionseek.com exploit runs:
(screenshot: unionseek.com test)
Libra | reply to redxii
I used Start > Run: regsvr32 /u shimgvw.dll and received a successful message. I just looked in My Documents > File Types and it shows WMF opens with Windows Picture and Fax Viewer.
If I unregistered it, shouldn't that not appear in File Types?
EDIT: I just tried to open a .jpg with Windows Picture and Fax Viewer and nothing happened. So it's unregistered.
Sincerely, Libra
Schouw | reply to mysec
said by mysec: said by jbob: "This shows that although HW DEP can help, it's by no means a solution." The program is Anti-Executable. I'm not sure how DEP anti-execution is supposed to work, but AE creates a whitelist of all installed executables and blocks any others from running. So, as the ioo.exe dropper attempted to execute, it was blocked, as shown in the screenshot.
DEP prevents the buffer overflow from actually taking place, unlike your method.
Btw, the blog post was edited with info as to why, for instance, IrfanView and XnView go 'undetected' for HW DEP.
trparky
said by Schouw: Btw, the blog post was edited with info as to why, for instance, IrfanView and XnView go 'undetected' for HW DEP.
Where is that?
Schouw
said by trparky (quoting Schouw: "Btw, the blog post was edited with info as to why, for instance, IrfanView and XnView go 'undetected' for HW DEP."): Where is that?
I was referring to »www.viruslist.com/en/weblog?webl···76771047
Btw, unregistering shimgvw.dll is nice, but not very effective if you use another image viewer. I unregistered the dll file and then used IrfanView to view graphic files --> successful exploitation.
Contrary to popular belief, shimgvw.dll is not the vulnerable file.
jbob
said by Schouw: Btw, unregistering shimgvw.dll is nice, but not very effective if you use another image viewer. I unregistered the dll file and then used IrfanView to view graphic files --> successful exploitation. Contrary to popular belief, shimgvw.dll is not the vulnerable file.
That is interesting indeed, and contrary to what most others are saying. Perhaps it was re-registered when adding IrfanView as the default wmf viewer. Perhaps it doesn't need to be registered for IrfanView to use it. Can you try renaming the .dll and see what happens? Make sure you get any multiples as well.
SUMware | reply to Schouw
Thank you.
Schouw
I even renamed all of them (and triple-checked that); the results remained the same: exploited.
Edit: Forgot to mention that I also rebooted.
SUMware
Very bad.
There appear to be subtleties to this that may not yet be fully appreciated nor anticipated.
jbob | reply to Schouw
This is simply amazing. Does anyone really know wtf is going on? lol
Do we still know this is an Iframe exploit? If it's not the noted .dll, then what is being exploited? Earlier tests showed that it didn't work when the user had less than admin privileges, and now Kaspersky says not so. Then unregistering the .dll was to be a temp fix, but now that looks not to be so.
Could this exploit be mutating?
Was just pointed to this: http://www.kb.cert.org/vuls/id/181038
Snipped: Current public exploits use the Windows Picture and Fax Viewer (SHIMGVW.DLL) as an attack vector affecting users of any Windows-based application that can handle Windows Metafiles. However, disabling the Windows Picture and Fax Viewer will not eliminate this vulnerability as it is currently thought to exist in the Windows Graphical Device Interface library (GDI32.DLL).
I have read that it was covered, but could someone test this while running BOClean to see if it indeed catches it? One of these days I'm gonna have to try out one of those VMs I keep reading about.