 

WMF Zero-day Exploit

Sunday, January 01, 2006
Author: Richard S. Westmoreland
Permalink: wmf-zero-day-exploit
General News


An attacker can run code with the privileges of the logged-on user if a crafted image file is opened in Internet Explorer or Windows Explorer. The exploit was made public before a patch was available to fix it:

http://www.securityfocus.com/brief/89

Since the first notice of this vulnerability in WMF (Windows Metafile) handling, several modified exploits have been released. Vendors and administrators are struggling to find ways to protect machines before a virus outbreak takes advantage of it, as a spammer already has:

http://www.f-secure.com/weblog/archives/archive-012006.html

An e-mail is circulating with an attachment named "HappyNewYear.jpg"; the file is a crafted WMF despite its .jpg name, and when it is viewed a Bifrose backdoor is downloaded. There is a workaround that involves unregistering a DLL:

http://www.eweek.com/article2/0,1895,1906211,00.asp

Using the simple command (from an administrative account):

regsvr32 /u shimgvw.dll

shimgvw.dll is the Windows Picture and Fax Viewer, so unregistering it also disables that viewer and, as some readers have noted, Explorer's thumbnail view. Bear in mind that this removes only the most common path to the flawed code: the vulnerability itself is in GDI's metafile handling, and any other application that renders WMF images through GDI remains exposed. Registering the DLL again (the same command without /u) restores the viewer once a patch is installed.

Here is a more detailed explanation of how this exploit works; the CERT note identifies the flaw as GDI's handling of the SETABORTPROC Escape record inside a metafile, which is what lets a crafted image hand control to attacker-supplied bytes:

http://www.kb.cert.org/vuls/id/181038
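The record the CERT note describes can be checked for directly. The scanner below is an added example written for this article, not code from the original page, from CERT or from any vendor: it walks the metafile record list and reports any META_ESCAPE record whose escape code is SETABORTPROC, the GDI Escape named in VU#181038. The header layout and function codes follow the public WMF file format; the function names (is_wmf, iter_records, scan) and the sample files are my own, constructed inside the block, and the escape data in the suspect sample is filler bytes, not a working payload. Because Windows identifies the file by content rather than by extension (HappyNewYear.jpg being the case in point), the scanner sniffs the header instead of trusting the file name.

```python
import struct

# Field values from the public WMF file format. SETABORTPROC is the GDI Escape
# code that CERT VU#181038 identifies as the one the exploit abuses.
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header some files carry
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009


def is_wmf(data):
    """Identify a metafile by its header bytes, never by the file extension."""
    if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC:
        return True
    if len(data) < 18:
        return False
    ftype, hdr_words, version = struct.unpack_from('<HHH', data, 0)
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def iter_records(data):
    """Yield (offset, function, params) for each record up to META_EOF.
    params is None for a record whose size field is smaller than its own
    6-byte prefix; the generator stops there, so a crafted size can neither
    loop the scanner nor walk it past the end of the buffer."""
    off = 22 if struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC else 0
    off += 18                                   # skip the 18-byte standard header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        size = size_words * 2                   # record size is given in 16-bit words
        if size < 6:
            yield off, func, None
            return
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def scan(data):
    """Return a list of finding strings; an empty list means nothing suspicious."""
    if not is_wmf(data):
        return []
    findings = []
    for off, func, params in iter_records(data):
        if params is None:
            findings.append(f"malformed record at offset {off}: size field below the 6-byte minimum")
            break
        if func == META_ESCAPE and len(params) >= 4:
            esc_code, nbytes = struct.unpack_from('<HH', params, 0)   # escape code, data length
            if esc_code == SETABORTPROC:
                findings.append(
                    f"META_ESCAPE/SETABORTPROC at offset {off} carrying {nbytes} bytes of escape data")
    return findings


def _record(func, params=b''):
    """Build one record; params must be an even number of bytes (size is in words)."""
    if len(params) % 2:
        raise ValueError("record parameters must be word-aligned")
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params


def _wmf(records):
    """Wrap records in a standard (non-placeable) WMF header: type, header size,
    version, total size in words, object count, largest record in words, reserved."""
    body = b''.join(records)
    max_words = max(len(r) for r in records) // 2
    return struct.pack('<HHHIHIH', 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0) + body


# Constructed samples, not real captures: a benign metafile, one carrying a
# SETABORTPROC escape whose data is filler, one with a crafted record size,
# and a few bytes of a real JPEG header for the content-sniffing check.
BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack('<H', 8)), _record(META_EOF)])
SUSPECT_WMF = _wmf([
    _record(META_SETMAPMODE, struct.pack('<H', 8)),
    _record(META_ESCAPE, struct.pack('<HH', SETABORTPROC, 16) + b'\x41' * 16),
    _record(META_EOF),
])
MALFORMED_WMF = _wmf([struct.pack('<IH', 1, META_ESCAPE), _record(META_EOF)])
NOT_WMF = b'\xff\xd8\xff\xe0' + b'\x00' * 32

if __name__ == '__main__':
    for name, blob in [('benign.wmf', BENIGN_WMF), ('HappyNewYear.jpg', SUSPECT_WMF),
                       ('truncated.wmf', MALFORMED_WMF), ('real.jpg', NOT_WMF)]:
        print(f"{name}: {'WMF' if is_wmf(blob) else 'not WMF'} {scan(blob)}")
```

To use it on a mail gateway or a file share, feed every attachment through scan() regardless of its extension and quarantine anything that returns a finding; a legitimate image has no reason to carry a SETABORTPROC escape.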

There is an unofficial hotfix available written by Ilfak Guilfanov, located at http://www.hexblog.com. I have mirrored the hotfix at http://www.antisource.com/download/wmf_checker_hexblog.exe
  



4 comments on WMF Zero-day Exploit


WMF Zero-day Exploit
Authored by: mechBgon on Monday, January 02, 2006


Admins with VirusScan Enterprise 8.0i may wish to try setting up some Access Protection Policies, one rule for each of the likely filetypes (.exe, .com, .bat, .pif, .scr, .vb*, .chm and so forth), forbidding creation or execution of new files of those types in, for example,

C:\Documents and Settings\**\*.exe

This could bring an exploit down if it's relying on the ability to execute stuff from the user's profile directory. In my very brief tests, it didn't hamper regular operation of a straight Windows/Office/VirusScan system.

The measure listed above seems like it would be most effective if paired with Restricted-User accounts plus a Disallowed-by-default Software Restriction Policy. In that scenario, if an exploit did grab the user's rights, it couldn't execute from anywhere that it could write .exe's to, and it couldn't write .exe's to anywhere it could execute from.

If the exploit does gain SYSTEM-level privilege, as some reports claim, then the Software Restriction Policy might fail but McAfee should still arbitrarily stop it from executing stuff off the hard drive, at least in whatever directories you've created rules to protect.

If the users are Power User or Admin class, then the exploit would have software-installation privileges and then I guess you'd have to get creative-er.

This certainly seems like a tricky thing to defend against. Almost every possible layer of defense is known to have holes in it. The only single defense that looks like it might work all the time is the unofficial patch, but who knows what happens if your systems update while it's installed?

*sigh*


WMF Zero-day Exploit
Authored by: mechBgon on Monday, January 02, 2006


I just noticed that the directory path above has gotten its slash marks eaten :P That should be

C:\Documents and Settings\**\*.exe

This is McAfee-style wildcarding for "any .exe within any subdirectory of C:\Documents and Settings."


WMF Exploit Testing + Video
Authored by: Webmaster on Tuesday, January 03, 2006

MechBgon has generously provided a video of an experiment he did attempting to infect a machine in order to analyze its payload:

Live testing of countermeasures against WMF Exploit, w/video

WMF Exploit Testing Video
Authored by: mechBgon on Thursday, January 05, 2006

Thanks, and by the way I've added two more threads featuring video clips in that section of the Forums. One shows the exploit being slapped around by an Athlon64's hardware-enforced Data Execution Prevention, and the other was supposed to test VirusScan Enterprise's generic Buffer-Overflow Protection, but ended up just showing that Win2000/Office2000 systems are not inherently vulnerable. I did some other tests tonight to see how McAfee's Buffer-Overflow Protection does against the exploit on a WinXP Pro SP2 system with Data Execution Prevention deliberately turned off. The test ended up shedding light on both McAfee's buffer-overflow feature, and also on the suggestions in my first post above regarding the use of arbitrary behavior-blocking rules in VirusScan Enterprise. I'll post another thread with my observations on that.