Windows WMF 0-day exploit

43 replies to this topic

#1 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

Windows WMF 0-day exploit

So that we don't get a quiet holiday season ...

The exploit is in the wild. I came across it yesterday on a few sites.

A site exploiting this vulnerability in the Windows Graphics Rendering Engine, when visited with the Internet Explorer browser, opens "Windows Picture and Fax Viewer" and installs a trojan dropper.

Warning!! Firefox is not immune to this exploit!

Solution: don't visit suspicious sites until a patch appears :D, nothing else comes to mind right now.

#2 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

Windows WMF 0-day exploit - Update

It seems that Data Execution Prevention in Windows XP SP2 and Windows XP Tablet PC Edition 2005 can block this exploit.

One more reason to install Service Pack 2.

Data Execution Prevention is active by default in XP SP2.
(see below for how to enable it for all programs and services)

[later]
Symantec detects the exploit as Bloodhound.Exploit.56: http://securityrespo...exploit.56.html

McAfee detects it as Exploit-WMF: http://us.mcafee.com...&virus_k=137760
[/later]

Edited by Daisuke, 28 December 2005 - 19:29.


#3 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

Windows WMF 0-day exploit - Update 2

Three variants in the wild (F-Secure):
W32/PFV-Exploit.A, .B and .C.
http://www.f-secure....5.html#00000753

Firefox and Opera - the user's confirmation is needed to open the file containing the exploit. But other programs open the file without any user intervention.

More details:
New exploit blows by fully patched Windows XP systems

Temporary solutions:
1. Update your AV signatures and keep them up to date
2. Disable indexing of WMF files on the HDD (stop Google Desktop or other programs that index files)
3. The F-Secure blog lists a few sites that can be blocked (there are, however, more than the ones listed there; some show up on the first page of search engine results, so be very careful what you click on)

[later]
For XP SP2 - enable Data Execution Prevention (DEP) for all programs:
Right-click My Computer --> Properties --> Advanced --> Performance Settings --> Data Execution Prevention --> select Turn on DEP for all programs and services except those I select --> OK.
[/later]

Two more temporary solutions proposed by Sunbelt:
http://sunbeltblog.b...mf-exploit.html
The second one is rather cute :P

Edited by Daisuke, 29 December 2005 - 01:17.


#4 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

A screenshot of this exploit.

Attached file: wmf_exploit.jpg

[later]
In fact, two WMF files can be "seen" in the picture, one made in Russia and the other made in Poland (if I'm not mistaken): pic.wmf and xpl.wmf, running riot at the same time.
Besides SpySheriff, they installed CoolWebSearch and a load of other junk :D.
[/later]

Edited by Daisuke, 29 December 2005 - 00:16.


#5 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

Windows WMF 0-day exploit - Workaround

Microsoft has issued a "Security Advisory": http://www.microsoft...ory/912840.mspx

Affected products:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Workaround, until a patch appears (January)
1. Un-register Shimgvw.dll
Start --> Run --> type regsvr32 -u %windir%\system32\shimgvw.dll --> OK --> OK.
Impact: Windows Picture and Fax Viewer will no longer start.

To re-register the DLL above: regsvr32 %windir%\system32\shimgvw.dll

2. Windows XP SP2: enable DEP for all programs (see above).


-----------------------------------------------

SANS Internet Storm Center: Yellow Alert, since yesterday, 19:07 GMT

SANS said:

We are moving to Infocon Yellow for a bit. There has been some debate among the handlers about this step, but considering that a lot of people are on holidays and might otherwise miss the WMF 0-day problem, we have decided to raise the alert level.


#6 Alucard (Steven Hyde; Group: Senior Members; Posts: 2,186; Joined: 20.04.2004)

Solutions:

http://www.microsoft...&displaylang=en - for Windows 2000 (SP4 required)

http://www.microsoft...&displaylang=en - for Windows XP (SP1 or SP2 required)

http://www.microsoft...&displaylang=en - for Windows XP x64

http://www.microsoft...&displaylang=en - for Windows Server 2003 (with or without SP1)

http://www.microsoft...&displaylang=en - for Windows Server 2003 (Itanium) (with or without SP1)

http://www.microsoft...&displaylang=en - for Windows Server 2003 x64

#7 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

Yes, I've seen confusion even among the experts :) even though everyone calls it "0-day". It is a new vulnerability for which there is no patch yet. The links above refer to an older vulnerability.

Microsoft said:

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the Graphics Rendering Engine in Microsoft Windows. This vulnerability affects the software that is listed in the "Overview" section.

Is this a security vulnerability that requires Microsoft to issue a security update?
We are currently investigating the issue to determine the appropriate course of action for customers. We will include the fix for this issue in an upcoming security bulletin.


#8 Alucard (Steven Hyde; Group: Senior Members; Posts: 2,186; Joined: 20.04.2004)

:) Sorry - it seems I was misled too.

#9 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

Windows WMF 0-day exploit - Kaspersky gets to work

Interesting what they say, because there is still confusion. Does DEP work or not? If I unregister shimgvw.dll, am I safe or not? etc.

Details here: WMF vulnerability

Kaspersky said:

We've tested on AMD and Intel platforms and HW DEP seemed initially to prevent successful exploitation in Internet Explorer and Windows Explorer. However, when testing the latest builds of third party image viewers like Irfanview and XnView HW DEP didn't prevent exploitation, even with HW DEP enabled for all programs. This is because both Irfanview and XnView are packed with ASPack and Windows disables HW DEP for ASPack packed files.

This shows that although HW DEP can help, it's by no means a solution.

Kaspersky said:

Perhaps the most worrying thing about this whole issue is that NTFS rights have no effect on whether or not the vulnerability will be exploited.

Edited by Daisuke, 29 December 2005 - 20:51.


#10 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

Windows WMF 0-day exploit - Update - the WMF exploit is spreading

Analysts scramble and others cash in - eWeek

Another WMF (Windows Major Foul-Up) - eWeek

The Exfol adware network has included the exploit in advertising banners - Sunbelt
The exploit is found not only on porn or warez / crack sites but also on ones offering wallpapers, for example.

Update on WMF exploit - Spyware Confidential

Microsoft Security Advisory (912840) - Update 30.12.2005

#11 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

Windows WMF 0-day exploit - Update

A few words from the Microsoft Security Response Center:
http://blogs.technet.../30/416694.aspx

MSRC Blog said:

Since earlier this week, my team has been hard at work investigating this vulnerability. We take situations such as this one very seriously.

We are aware of publicly released, detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on a user's system by hosting a specially crafted WMF image on a malicious Web site. We have determined that an attacker would have no way to force users to visit such a malicious Web site. Instead, an attacker would have to persuade someone to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

We have been asked a number of times whether this vulnerability can be exploited via email. I want to be very clear in the response so all users can understand the situation. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and e-mail based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

and

MSRC Blog said:

Right now, we are working very closely with our anti-virus partners and aiding law enforcement with its investigation. We continue to recommend that customers follow our security guidance, including being careful where you browse, never accepting email attachments from unknown senders, keeping your anti-virus software up to date, enabling a firewall and staying current on security updates.


How effective is AV protection against this exploit?
A: More or less ...
I used F-Secure, which can detect all of the 50-odd variants that exist so far.
It identified the WMF file.
Attached file: wmf_exploit.gif

It said it deleted it (it can't disinfect it, since it was identified heuristically)
Attached file: wmf_2.gif

But our friend PIC.WMF is alive and well in the browser cache.
Attached file: wmf_3.gif

Anyway, on an XP SP1 without a single patch, with a firewall and AV, I did not end up with malware installed.

Good luck :).

#12 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

Windows WMF 0-day exploit - Update

Last update this year :D.

Today the first worm exploiting the vulnerability appeared.
More on WMF exploitation - Kaspersky.

An elegant workaround has also appeared, only for XP SP2 / XP 64.
That's why I like the Russians :P
Windows WMF Metafile Vulnerability HotFix

F-Secure says about Ilfak Guilfanov:

F-Secure said:

Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.
Ilfak to the rescue!

Have fun! :)

#13 Monitoxus (Back!; Group: Senior Members; Posts: 7,184; Joined: 26.11.2001)

Daisuke, on Dec 31 2005, 19:16, said:

Windows WMF 0-day exploit - Update

Last update this year :D.

Have fun! :)

Congratulations on the effort :coolspeak:

#14 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

New exploit - Yellow Alert

Well, the bad guys aren't sitting idle. A new exploit for the WMF vulnerability has been made public.

There are no AV signatures yet that detect it. Because of this, the status is YELLOW Alert.

Internet Storm Center said:

The exploit generates files:
* with a random size;
* no .wmf extension, (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer

From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the current IDS signatures work for it.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structures of the WMF files.

Considering this upsets all defenses people have in place, we voted to go to yellow in order to warn the good guys out there they need to review their defenses.

Catalin said:

Congratulations
Thanks!

Happy New Year everybody! :)


[later]
Alongside the bad news there is also some better news: the unofficial hotfix (Ilfak Guilfanov) now works on XP SP2 / XP 64 / XP SP1 / W2K.

You should know that this fix also carries risks. I don't know how much time they had to test it and whether they tested it enough. Apply it if you know what you're doing!
http://isc.sans.org/...rss&storyid=992 - see "unofficial patch".

Infection rate with the exploit that appeared a few days ago (not today's new one): McAfee announced that 6% of its customers were infected. (Source: SANS Internet Storm Center)
[/later]

Edited by Daisuke, 01 January 2006 - 03:04.


#15 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

Windows WMF 0-day exploit - The new WMF exploit confirmed in spam attacks

Subject: Happy New Year
Body: picture of 2006
Attachment: HappyNewYear.jpg (a WMF file with a .JPG extension)

The attachment downloads BackDoor-CEP.

SANS Internet Storm Center - WMF FAQ

In short, in plain terms:

Why is the problem important?

The WMF vulnerability uses images (with the WMF extension) to execute code. The code will be executed if the image is viewed. In most cases no click is needed. Even images stored on the hard disk can trigger the exploit. Viewing a folder in Windows Explorer can trigger the exploit.
If you got infected, use CCleaner during disinfection to empty the TEMP and TIF folders.

Is it better to use Firefox or Opera vs. Internet Explorer?

Internet Explorer will display the images without warning. The new Firefox 1.5 version will open a dialog box before opening the image. Download Firefox 1.5 if you haven't done so yet. Opera will open a dialog box before opening the image.

Which Windows versions are affected?

All. Mac OS X, Unix, BSD are not affected.

What can I do to protect myself?

1. Microsoft has not released a patch yet. An unofficial patch is available, though. The patch is tested and can be downloaded here: Windows WMF Metafile Vulnerability HotFix. It is recommended not to download this file from other sites. On the site above you will always find it up to date.
Note: if you installed version 1.1 / 1.2, there is no need to install 1.2 / 1.3. The later versions only make installation possible on other OSes.
Don't forget to uninstall this unofficial patch when Microsoft releases an official patch. Uninstallation is done from Add\Remove Programs (Windows WMF Metafile Vulnerability Hotfix).
2. Un-register Shimgvw.dll; if you don't want to bother doing it manually, there is an automated fix here: Windows Metafile exploit mitigation by unregistering shimgvw.dll
3. Keep your antivirus up to date.

How can a WMF file get onto my PC?

There are many ways. The most likely: e-mail attachments, visiting web sites, instant messaging (Yahoo Messenger, MSN Messenger, etc.).

Is it enough not to visit sites I can't trust?

It helps, but it is not enough.

If I have a firewall enabled, am I protected?
It helps, but it may be insufficient.

If I got infected, what can I do?
Microsoft offers free assistance to its customers: Security help and support for home users.

+40 21 203 61 26 - This phone number is for assistance with viruses and other security problems (Microsoft Romania). For other countries visit this page: MS Help & Support

For disinfection use at least two online AV scanners:
F-Secure Online Scanner
Trend Micro Online Scanner
Panda ActiveScan
Kaspersky Online Scanner

Use serious antispyware programs with up-to-date definitions: Ad-Aware SE Personal Edition 1.06

If you got infected with Smitfraud (Spy Sheriff, AntivirusGold, PSGuard Spyware Remover, Spy Trooper, SpyAxe, or Security Toolbar) use this program: SmitRem.

If you got infected with CoolWebSearch, open a new topic here: Antivirus & Security Forum and post a HijackThis log. Disinfection must be done in a specific order with specific tools, depending on the CoolWebSearch variant.

There is a variant of the WMF exploit that downloads a backdoor that sends spam. If you notice heavy internet traffic and the PC getting slower and slower, disconnect from the internet as soon as you have downloaded all the programs needed for disinfection.

Use CCleaner to empty TEMP, the TIF folder, the recycle bin, etc.

Good luck! Stay tuned :)

Edited by Daisuke, 01 January 2006 - 20:46.


#16 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

Patch for Kaspersky Antivirus 5.0

KAV 5.0 Windows products patched for .wmf vulnerability

The patches are for:
Kaspersky Anti-Virus Personal 5.0.388 or higher
Kaspersky Anti-Virus Personal Pro 5.0.388 or higher
Kaspersky Personal Security Suite 1.1.53
Kaspersky Anti-Virus for Windows Workstations 5.0.225 or higher
Kaspersky Anti-Virus for Windows File Servers 5.0.72

This patch enables real-time and on-demand scanning of files with the wmf extension.

After installing the patch, the signatures must be updated.

Details: Install the patch to scan Windows Meta File (WMF)

[later]
Installing the unofficial patch (Ilfak Guilfanov) (see details in the posts above)
1. Some antispyware programs may block the installation of the patch, because it uses a Windows Registry key that can also be used by malware.
In that case the program blocking the installation must be stopped temporarily.

2. After installation a REBOOT is required.

3. Installing the patch can also cause problems.
Uninstallation can be done from Add\Remove Programs.
To uninstall the hotfix manually, use HijackThis and fix this entry:
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
Reboot and delete the file: C:\WINDOWS\system32\wmfhotfix.dll <-- this file
[/later]

Edited by Daisuke, 02 January 2006 - 16:25.


#17 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

I have moved all the posts related to this exploit here. The story doesn't look like it will end any time soon.

#18 Daisuke (Moderator; Group: Senior Members; Posts: 2,173; Joined: 19.01.2004)

Yellow alert continues.

Today I heard of only one isolated attack.

F-Secure blog said:

Our colleagues and business partners at Messagelabs have stopped a very interesting WMF attack today.

A new WMF exploit file was spammed from South Korea to a targeted list of a few dozen high-profile email addresses.

The email urged recipients to open the enclosed MAP.WMF file - which exploited the computer and downloaded a backdoor from www.jerrynews[dot]com.

What makes the case really interesting was the cloak-and-dagger language used in the email which was spoofed to originate from US State Department's security unit.

The exploit is still found on many porn and warez / crack sites.

Ilfak Guilfanov
You can check whether a system is vulnerable with the WMF Vulnerability Checker:
http://www.hexblog.c...ecker.html#more

A short explanation of how the unofficial patch works:
http://www.grc.com/g...securitynow:423

Steve Gibson, on grc.com, said:

The way the patch works is that IF it sees that a system is at least Windows 2000 or later, it looks at the function entrypoint for GDI32's ESCAPE function. If it finds a sequence of bytes that it can confidently understand (this is what Ilfak and I expanded upon just a bit by teaching it about Windows 2000), it then dynamically patches the front of GDI32's ESCAPE function with a jump to its own replacement "stub" which simply checks to see whether the ESCAPE function being called is "SetAbort" (sub function number 9) and, if so, returns to the original caller. For all other functions it emulates the replaced code then returns to the ESCAPE function processing.

The point of what became an overly long explanation is that the dynamic patcher will likely be able to run and fix any version of GDI with recognizable GDI entrypoints. It knows about two types right now, and it's moderately unlikely that the code will be changing a lot among sub-versions.

Metasploit Project releases yet another exploit:

HD Moore, quoted by SANS Internet Storm Center, said:

We released a new version of the metasploit framework module for the WMF flaw, this one uses some header padding tricks and gzip encoding to bypass all known IDS signatures. Consider this "irresponsible" if you like, but it clearly demonstrates that a run-of-the-mill signature-based IDS (or A/V) is not going to work for this flaw. If anyone has any questions about why we are releasing these types of modules so early after the disclosure, feel free to drop me an email.

-HD
Take care !
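The ISC description of the new exploit's file layout in post #14 (random size, no .wmf extension, junk ahead of the bad call sized past an Ethernet MTU, a random trailer), the HappyNewYear.jpg attachment in post #15, and HD Moore's remark in post #18 that header padding and gzip encoding defeat every known IDS signature all make one point: a defender has to parse the metafile rather than match bytes or trust the extension. The Python script below is an added example written for this page; it is not code from any of the posts, from Microsoft, SANS, Metasploit or any vendor quoted. It undoes gzip if present, locates the WMF header regardless of file name, walks the record list past any filler records, and reports every META_ESCAPE record whose escape function is SETABORTPROC (sub-function 9, the one Gibson says the unofficial hotfix intercepts). The sample metafile it builds is constructed for the demonstration and carries zero bytes where a real file would carry a payload; the record and header layout follow MS-WMF, and the choice to stop walking at a malformed record size is mine, not something any post specifies.

```python
"""Structural scan for the WMF SETABORTPROC escape abused by the December
2005 exploits. Added example for this thread; not code from any post,
from Microsoft, SANS or any vendor quoted."""
import gzip
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # Aldus placeable header key (MS-WMF 2.3.2.3)
META_ESCAPE = 0x0626          # RecordFunction of a META_ESCAPE record
META_EOF = 0x0000
SETABORTPROC = 0x0009         # escape sub-function 9 ("SetAbort" in the grc.com quote)
MFCOMMENT = 0x000F            # harmless escape, used here as filler
GZIP_MAGIC = b"\x1f\x8b"

def unwrap_gzip(data: bytes) -> bytes:
    """Undo transport gzip so the scanner sees what GDI would see; HD Moore's
    module used gzip encoding to get past byte-pattern IDS signatures."""
    if data[:2] == GZIP_MAGIC:
        try:
            return gzip.decompress(data)
        except (OSError, EOFError):
            return data
    return data

def wrap_gzip(data: bytes) -> bytes:
    """Stand-in for the gzip Content-Encoding the quote refers to."""
    return gzip.compress(data)

def find_wmf_header(data: bytes):
    """Offset of the 18-byte WMF header, or None. The file name is never
    consulted: HappyNewYear.jpg in the spam run was a WMF with a .jpg name."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22  # skip the 22-byte placeable header
    if len(data) < off + 18:
        return None
    mtype, header_words, version = struct.unpack_from("<HHH", data, off)
    if mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
        return off
    return None

def iter_records(data: bytes, start: int):
    """Yield (offset, function, params) per record. RecordSize is in 16-bit
    words and covers its own 6-byte header; under 3 words is malformed and
    we stop there (assumption: a production scanner would flag that too)."""
    off = start + 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            return
        end = off + size_words * 2
        yield off, func, data[off + 6:min(end, len(data))]
        if func == META_EOF:
            return
        off = end

def scan_for_setabortproc(data: bytes):
    """Offsets of META_ESCAPE records whose EscapeFunction is SETABORTPROC.
    The junk records in front of the escape are simply walked over, which
    is what a one-packet byte signature cannot do."""
    data = unwrap_gzip(data)
    start = find_wmf_header(data)
    if start is None:
        return []
    hits = []
    for off, func, params in iter_records(data, start):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits

def _record(func: int, params: bytes) -> bytes:
    """One WMF record: size in words, function code, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_sample_wmf(junk_records=4, junk_len=400, placeable=False) -> bytes:
    """Constructed sample in the layout the ISC note describes: filler
    records adding up to more than an Ethernet MTU ahead of the escape, the
    SETABORTPROC escape, META_EOF and a trailer. Not a captured exploit;
    the escape data is zeros, not a payload."""
    body = b""
    for _ in range(junk_records):
        filler = b"\x00" * junk_len
        body += _record(META_ESCAPE, struct.pack("<HH", MFCOMMENT, len(filler)) + filler)
    body += _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 64) + b"\x00" * 64)
    body += _record(META_EOF, b"") + b"\x00" * 32
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    wmf = header + body
    if placeable:
        wmf = struct.pack("<I", PLACEABLE_MAGIC) + b"\x00" * 18 + wmf
    return wmf

if __name__ == "__main__":
    sample = build_sample_wmf()
    print("plain WMF, escape at:", scan_for_setabortproc(sample))
    print("gzip-wrapped, escape at:", scan_for_setabortproc(wrap_gzip(sample)))
    print("not a WMF:", scan_for_setabortproc(b"\xff\xd8\xff\xe0" + b"\x00" * 40))
```

Each filler record here is 410 bytes, so the escape sits about 1,658 bytes into the file, well past a single Ethernet frame; a signature that expects the header and the escape in one packet never fires, while the record walk finds it at the same offset whether or not the transfer was gzip-encoded. Blocking at the escape level is also exactly what the unofficial hotfix does inside GDI32, so this scanner and that patch agree on what the dangerous element is.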
