Windows MetaFiles still vulnerable
jbob (reply to jp10558):

I just sent Red a PM asking him to check that very thing using IrfanView.

This is what was said by F-Secure here:

Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.

In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.

jp10558:
So, if I go to such a page, I'll get a prompt about viewing the picture, and if I say no, no problem... So there's no vulnerability just in seeing images on a web page, it has to launch Windows Picture and Fax viewer?
--
Opera 8.5(Build 7700); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Outpost Pro 3;Proxomitron 4.5j Grypen 12/2/05(Opera mod),GPG ID:0x0A1C6EE3


jbob:
From SANS today:

The original exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on »www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.

Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet ), the WMF exploit attempt will result in a warning and not run on its own.

While the original exploit only referred to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive - see the F-Secure Weblog mentioned above for details.
********************************
I know of some guys who downloaded the file "wmf_exp.wmf" to further investigate it.


redxii (Mod, reply to jbob):
I installed Irfanview. It executed in the Thumbnail viewer of Irfanview, and when trying to open it it executed before I could select it in the Open dialog (and thumbnails weren't enabled).

Again, it's clear to me it's not going to execute with SYSTEM otherwise the limited account would also have been owned.

explorer.exe                 964 ntdll.dll, kernel32.dll, msvcrt.dll,
ADVAPI32.dll, RPCRT4.dll, GDI32.dll,
USER32.dll, SHLWAPI.dll, SHELL32.dll,
ole32.dll, OLEAUT32.dll, BROWSEUI.dll,
SHDOCVW.dll, CRYPT32.dll, MSASN1.dll,
CRYPTUI.dll, WINTRUST.dll, IMAGEHLP.dll,
NETAPI32.dll, WININET.dll, WLDAP32.dll,
VERSION.dll, UxTheme.dll, ShimEng.dll,
AcGenral.DLL, WINMM.dll, MSACM32.dll,
USERENV.dll, comctl32.dll, comctl32.dll,
appHelp.dll, CLBCATQ.DLL, COMRes.dll,
cscui.dll, CSCDLL.dll, themeui.dll,
Secur32.dll, MSIMG32.dll, xpsp2res.dll,
actxprxy.dll, LINKINFO.dll, ntshrui.dll,
ATL.DLL, WINSTA.dll, webcheck.dll,
WSOCK32.dll, WS2_32.dll, WS2HELP.dll,
stobject.dll, BatMeter.dll, POWRPROF.dll,
SETUPAPI.dll, WTSAPI32.dll, wdmaud.drv,
msacm32.drv, midimap.dll, NETSHELL.dll,
rtutils.dll, credui.dll, iphlpapi.dll,
urlmon.dll, rsaenh.dll, browselc.dll,
MPR.dll, MRxVPCNP.dll, vmsrvc.dll,
drprov.dll, davclnt.dll, DUSER.dll,
MSGINA.dll, ODBC32.dll, comdlg32.dll,
odbcint.dll, MLANG.dll, SAMLIB.dll,
shimgvw.dll, gdiplus.dll, rarext.dll,
shellex.dll, shdoclc.dll, NTMARTA.DLL
shimgvw.dll doesn't show up in any other place than explorer.exe while viewing thumbnails and pictures in Picture and Fax viewer. Explorer.exe is the same privileges as the user. GDI32.dll shows up in other places.

Still in SP2 fully updated and SP1 without any further patches it dies in a limited account.

prana:
The exe file it downloads... cj.exe
Take this with a grain of salt, this is from a 5 minute disassembly and not detailed. Will do that later when I have more time. Or leave it for the Anti-virus companies

WMF exploit has not got a standard Magic Byte

01 00 09 00 00 03 52 1F 00 00 06 00 3D 00 00 00 . ..R...=...
non standard magic byte of D7 CD C6 9A

The trojan file has two entry points, one for the DLL and one for the PE section. The PE entry point has the following characteristics.
Grabs local time.
Checks for Windows Internet Connectivity
Copies itself into multiple DLLs in System32, dvob.dll, oewrgm.dll, sh.dll, wqxk.dll.
Registers CLSID to run as a BHO
Opens an FTP connection to 66.36.231.141 to download a file, logging in with the FTP credentials user21:ma5gjdH5
Adds the registry name for the below classes
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Object

The following keys are added in the CLSID classes.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03c02f31-a63c-440a-ae37-ac9282f01af7}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67269857-3057-42f4-9233-f9c2abb59953}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cde6d49d-a863-4d07-aec3-7d83b5ab7ce5}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8bda45f3-735e-4df8-90e9-2c68ed2567b6}\InProcServer32

Appends subkeys to CLSID "Apartment" with a valuename of ThreadingModel to the DLLs
Grabs filename of the exe file.
Creates mutex name "3094flcxvdf"

The FTP site!
C:\>ftp 66.36.231.141
Connected to 66.36.231.141.
220 sst
User (66.36.231.141:(none)): user21
331 Password required for user21.
Password:
230 User user logged in.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp> pwd
257 "/" is current directory.
ftp> ls -la
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp>

The following files are created in your system32 dir

dvob.dll
oewrgm.dll
wqxk.dll
sh.dll (in the particular sample I tested), which are copies of the downloaded trojan under a different filename, for the alternative entry point of the binary

edited: some updated info
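Added example (my code, not prana's and not anything posted in the thread): a small Python walker for the two headers that the hex dump above shows. The bytes 01 00 09 00 00 03 ... are the standard 18-byte METAHEADER (Type=1 disk metafile, HeaderSize=9 words, Version=0x0300), and D7 CD C6 9A is the little-endian key of the optional 22-byte Aldus placeable header that may precede it. The walker also flags a META_ESCAPE record whose escape function is SETABORTPROC (9), which is the record type the later MS06-001 fix addressed; the trigger records in the samples below are constructed by the script, not taken from the file the post describes, and the NumberOfMembers bytes appended to the quoted header are assumed zero (the field is reserved).

```python
"""Walk a WMF file's headers and records.  Added example, not code from the thread."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7        # stored little-endian on disk: D7 CD C6 9A
META_HEADER_LEN = 18              # standard METAHEADER, HeaderSize == 9 words
PLACEABLE_HEADER_LEN = 22         # Aldus placeable header that precedes METAHEADER
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETBKCOLOR = 0x0201
SETABORTPROC = 0x0009             # escape subfunction addressed by MS06-001

# The 16 header bytes quoted in the post, plus the 2-byte NumberOfMembers field
# (reserved, assumed zero) that the dump stops short of.
POST_HEADER_BYTES = bytes.fromhex("0100 0900 0003 521F 0000 0600 3D000000") + b"\x00\x00"


def parse_wmf(data: bytes) -> dict:
    """Return header fields, the record list and whether a META_ESCAPE asks for SETABORTPROC."""
    off, placeable = 0, False
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, off = True, PLACEABLE_HEADER_LEN
    if len(data) < off + META_HEADER_LEN:
        raise ValueError("truncated METAHEADER")
    (mtype, hdr_words, version, size_lo, size_hi,
     nobj, max_rec, _members) = struct.unpack_from("<HHHHHHIH", data, off)
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        raise ValueError(f"not a METAHEADER: type={mtype:#x} size={hdr_words} ver={version:#x}")
    records, setabortproc = [], False
    pos = off + hdr_words * 2
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)   # RecordSize in 16-bit words
        if size_words < 3 or pos + size_words * 2 > len(data):
            raise ValueError(f"bad record size {size_words} at offset {pos}")
        records.append((func, size_words))
        # META_ESCAPE layout: RecordSize, RecordFunction, EscapeFunction, ByteCount, data...
        if (func == META_ESCAPE and size_words >= 4
                and struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC):
            setabortproc = True
        pos += size_words * 2
        if func == META_EOF:
            break
    return {
        "placeable": placeable, "type": mtype, "version": version,
        "size_words": size_lo | (size_hi << 16), "objects": nobj,
        "max_record": max_rec, "records": records, "setabortproc": setabortproc,
    }


def build_sample(placeable: bool, with_setabortproc: bool) -> bytes:
    """Constructed test input (not a sample from the wild): one record, then META_EOF."""
    if with_setabortproc:
        # 4 + 2 + 2 + 2 header bytes + 4 payload bytes = 14 bytes = 7 words
        body = struct.pack("<IHHH", 7, META_ESCAPE, SETABORTPROC, 4) + b"\xcc" * 4
        max_rec = 7
    else:
        body = struct.pack("<IHI", 5, META_SETBKCOLOR, 0x0000FF)   # 10 bytes = 5 words
        max_rec = 5
    body += struct.pack("<IH", 3, META_EOF)
    total_words = (META_HEADER_LEN + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16, 0, max_rec, 0)
    data = header + body
    if placeable:
        # Key, HWmf, BoundingBox(left, top, right, bottom), Inch, Reserved;
        # the trailing Checksum is the XOR of those ten 16-bit words.
        fields = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (word,) in struct.iter_unpack("<H", fields):
            checksum ^= word
        data = fields + struct.pack("<H", checksum) + data
    return data


if __name__ == "__main__":
    print(parse_wmf(POST_HEADER_BYTES))
    for sample in (build_sample(False, True), build_sample(True, False)):
        print(parse_wmf(sample))
```

Running it on the quoted header bytes alone decodes Version 0x0300, 6 objects, MaxRecord 0x3D words and a file size of 0x1F52 words; the record loop only runs when record data follows the header.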
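Added example (my code, not from the thread) for the persistence part of prana's write-up: a BHO is loaded by Internet Explorer when its CLSID appears as a subkey under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (the real key name is plural), and the DLL that gets loaded is whatever the default value of HKLM\SOFTWARE\Classes\CLSID\{clsid}\InProcServer32 points at. The script joins those two keys from a regedit .reg export, which is what you usually have when triaging a box offline, and flags every BHO whose DLL is not on an allowlist. The export is constructed: the first two CLSIDs and DLL names are the ones listed above (the system32 path is an assumption), the third entry is a made-up benign BHO, and the allowlist is an assumption you would replace with a known-clean baseline.

```python
"""Offline triage of BHO registrations from a regedit (.reg) export.  Added example."""

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# Constructed export (real exports are UTF-16 with a BOM; assume it is already decoded).
# CLSIDs and DLL names for the first two entries come from the post; the paths and the
# third, benign entry are made up for the example.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{03c02f31-a63c-440a-ae37-ac9282f01af7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67269857-3057-42f4-9233-f9c2abb59953}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-00000000ab1e}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C02F31-A63C-440A-AE37-AC9282F01AF7}\InProcServer32]
@="C:\\WINDOWS\\system32\\dvob.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67269857-3057-42f4-9233-f9c2abb59953}\InProcServer32]
@="C:\\WINDOWS\\system32\\oewrgm.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-00000000ab1e}\InProcServer32]
@="C:\\Program Files\\Example Vendor\\ievendorhelper.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg_export(text: str) -> dict:
    """Minimal REGEDIT5 parser: {key path: {value name: data}}; string values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # .reg string syntax escapes backslash and double quote
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def list_bhos(keys: dict) -> list:
    """Join each registered BHO CLSID to its InProcServer32 DLL (key names compared case-insensitively)."""
    lower = {k.lower(): v for k, v in keys.items()}
    prefix = BHO_KEY.lower() + "\\"
    out = []
    for path in keys:
        if not path.lower().startswith(prefix):
            continue
        clsid = path[len(prefix):].lower()
        inproc = lower.get(f"{CLSID_ROOT}\\{clsid}\\InProcServer32".lower(), {})
        out.append({"clsid": clsid, "dll": inproc.get("(Default)"),
                    "threading": inproc.get("ThreadingModel")})
    return out


def flag_bhos(bhos: list, allowlist: set) -> list:
    """Return BHOs whose DLL is missing or whose basename is not on the caller's allowlist."""
    flagged = []
    for bho in bhos:
        base = bho["dll"].rsplit("\\", 1)[-1].lower() if bho["dll"] else None
        if base is None or base not in allowlist:
            flagged.append(bho)
    return flagged


if __name__ == "__main__":
    # Allowlist is an assumption for the example; build yours from a known-clean baseline.
    for hit in flag_bhos(list_bhos(parse_reg_export(SAMPLE_EXPORT)), {"ievendorhelper.dll"}):
        print(hit["clsid"], "->", hit["dll"])
```

The check is a join, not a signature: a BHO whose CLSID has no InProcServer32 at all is reported too, because that usually means the loader DLL was deleted but the hook was left behind.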


jbob:
According to Sunbelt Blog: »sunbeltblog.blogspot.com/2005/12···ild.html

it's up to over 50 variants and counting now. More sites are popping up too. Earlier I had seen some guys who downloaded a different file.


jbob (reply to redxii):
Thanks, you're the heat! But you kinda lost me a bit.
I am not sure whether the trojan executed while using IrfanView or not? You seem to say it did but it was unclear. I'm assuming that the exploitable dll file "shimgvw.dll" was not called by IrfanView so the exploit didn't happen and only happens in the instance of using explorer and Picture and Fax viewer?

As you mentioned another good reason to only run as Admin when necessary! Now if I would learn! lol


redxii (Mod, reply to jbob):
said by jbob:

it's up to over 50 variants and counting now. More sites are popping up too.
The number of websites seem bloated. There are many websites, but many more call out to a "master" website. You may get it from site 1, 2, 3, 4, and 5 but all those others get the exploit code from say site 4.
--
Open Source -> Close Minded

Microsoft Windows 2000/XP Security: Some Assembly Required.

Excessive use of "$" as in "M$" may make you look like a fool.
© 1999-2009 dslreports.com.