This is getting worse and worser...
Patch has been updated in response to the 2nd and 3rd generations of this exploit being released... The new update can be found here:
"They have been associated with a number of high profile criminal activities in the past. A good number of WMF exploits use name servers or other resources in these netblocks. They have been non responsive to current and past requests to remove malicious content."
And I am posting the latest diary below since their page uses frames...
Recommended Block List
Published: 2006-01-01,
Last Updated: 2006-01-01 20:42:52 UTC by Johannes Ullrich (Version: 1)
I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:
- InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
- Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
The list may be updated later. We do not expect to make this a "regular feature". But at this time we find that it is necessary to point out these particular two netblocks. They have been associated with a number of high profile criminal activities in the past. A good number of WMF exploits use name servers or other resources in these netblocks. They have been non responsive to current and past requests to remove malicious content.
Updated version of Ilfak Guilfanov's patch / .msi file
Published: 2006-01-01,
Last Updated: 2006-01-02 03:26:26 UTC by Tom Liston (Version: 2)
Ilfak Guilfanov has released an updated version of his unofficial patch for the Windows WMF issue. We have reverse engineered, reviewed, and vetted the version here. Note: If you've already successfully installed the patch, this new version adds nothing new. It only adds code to make it able to install on some other very specific configurations and code to recognize when the patch has already been installed. (Note: the version information in the installation script indicates that this is version 1.2 - but it really IS version 1.3... the version info in the install script is incorrect...)
MD5: 14d8c937d97572deb9cb07297a87e62a - wmffix_hexblog13.exe
PGP Signature (signed with SANS ISC key) is here:
http://handlers.sans.org/tliston/wmffix_hexblog13.exe.asc
We have also created a .msi file suitable for unattended installation from version 1.3 of the patch. It can be downloaded from a link on this page:
http://handlers.sans.org/tliston/WindowsMetafileFix.html
MD5: ae6bb95196853843f4aceb7fca5a78ee - WindowsMetafileFix.msi
PGP signature is here:
http://handlers.sans.org/tliston/WindowsMetafileFix.msi.asc
Trustworthy Computing
Published: 2006-01-01,
Last Updated: 2006-01-01 17:58:01 UTC by Tom Liston (Version: 1)
Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us."
I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad. We've received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable. Acceptable or not, folks, you have to trust someone in this situation. To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it. Now we're going to expend some of that hard-earned trust:
This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch. You need to trust us. (Willy's note: I trust these people as they have never led me down the wrong path...)
Looking back over the past year, the ISC handlers have faced up to any number of challenges: from worms and viruses to DNS poisoning and hurricanes. We've done our best to keep you informed and to tell it like it is. Somehow, it seems fitting that on the last day of 2005 we rang in the New Year in what can only be described as typical ISC style.
On December 31st, we received word that a "new and improved" version of the WMF exploit had been published. This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures. Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act.
And so, as the hours to the New Year slowly counted down, a group of volunteers gave up their holiday weekend to come together as a team and put their collective knowledge and intellect to work on the problems this reckless disclosure created. Some tested the exploit, some talked to AV vendors, some worked toward finding a means to mitigate the vulnerability, some tested "fix" ideas and the resulting patches.
I was privileged to be a part of that team, and I'm incredibly proud of everyone who participated. As it became obvious that the "fix" that we were working toward was essentially what had already been created by Ilfak Guilfanov, we wrote to him to ask if we could redistribute his patch from the ISC. He was incredibly gracious and courteous in allowing us to do so and we were able to work with him to verify several changes that allowed the patch to work on a wider variety of Windows systems.
We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.
The word from Redmond isn't encouraging. We've heard nothing to indicate that we're going to see anything from Microsoft before January 9th.
The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
It's time for some real trustworthy computing. All we're asking is if we've proved ourselves to be worthy of your trust.
2nd generation WMF exploit: status of the anti-virus products after one day.
Published: 2006-01-01,
Last Updated: 2006-01-01 17:20:05 UTC by Swa Frantzen (Version: 1)
Yesterday, in a collaborative effort, we sent a true 0-day sample of the 2nd generation WMF exploit to virustotal. As expected, no detections were made. The payload in that sample was a very basic, commonly known and available payload. So the payload might get detected without the exploit being detected. But even there, we had no such luck then.
We sent in a similar sample today.
The results are not all that good:
- eTrust-Vet 12.4.1.0 01.01.2006 Win32/Worfo
- McAfee 4664 01.01.2006 Exploit-WMF
- Symantec 8.0 01.01.2006 Backdoor.Trojan
- All the others failed to detect the sample.
Do note that the Symantec detect is most likely on the payload. That payload isn't what any of the bad guys playing with this will insert. They will insert far nastier and far less off-the-shelf stuff than what we did. So for now you still have the best chance with following the advice in this diary entry.
2nd generation WMF 0day Exploit Spammed
Published: 2006-01-01,
Last Updated: 2006-01-01 15:40:23 UTC by Tom Liston (Version: 1)
According to F-Secure's blog today, the 2nd generation WMF exploit has been spammed and "When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com." Trend Micro is calling it TROJ_NASCENE.H
WMF FAQ
Published: 2006-01-01,
Last Updated: 2006-01-02 10:03:41 UTC by Johannes Ullrich (Version: 2)
- Why is this issue so important?
The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have to click anything. Even images stored on your system may cause the exploit to be triggered if they are indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well.
- Is it better to use Firefox or Internet Explorer?
Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.
- What versions of Windows are affected?
All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are affected to some extent. Mac OS X, Unix and BSD are not affected. Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.
- What can I do to protect myself?
Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a), PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
You can unregister the related DLL.
Virus checkers provide some protection.
To unregister the DLL:
- Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
- A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Our current "best practice" recommendation is to both unregister the DLL and to use the unofficial patch.
- How does the unofficial patch work?
The wmfhotfix.dll is injected into any process loading user32.dll. The DLL then patches (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter. This should allow Windows programs to display WMF files normally while still blocking the exploit. The version of the patch located here has been carefully checked against the source code provided as well as tested against all known versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.
- Will unregistering the DLL (without using the unofficial patch) protect me?
It might help. But it is not foolproof. We want to be very clear on this: we have some very strong indications that simply unregistering the shimgvw.dll isn't always successful. The .dll can be re-registered by malicious processes or other installations, and there may be issues where re-registering the .dll on a running system that has had an exploit run against it allows the exploit to succeed. In addition, it might be possible for there to be other avenues of attack against the Escape() function in gdi32.dll. Until there is a patch available from MS, we recommend using the unofficial patch in addition to un-registering shimgvw.dll.
- Should I just delete the DLL?
It might not be a bad idea, but Windows File Protection will probably replace it. You'll need to turn off Windows File Protection first. Also, once an official patch is available you'll need to replace the DLL. (Renaming, rather than deleting, is probably better so it will still be handy.)
- Should I just block all .WMF images?
This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents.
- What is DEP (Data Execution Protection) and how does it help me?
With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits by preventing the execution of 'data segments'. However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit.
- How good are anti-virus products at preventing the exploit?
At this point, we are aware of versions of the exploit that will not be detected by antivirus engines. We hope they will catch up soon. But it will be a hard battle to catch all versions of the exploit. Up-to-date AV systems are necessary but likely not sufficient.
- How could a malicious WMF file enter my system?
There are too many methods to mention them all. E-mail attachments, web sites, and instant messaging are probably the most likely sources. Don't forget P2P file sharing and other sources.
- Is it sufficient to tell my users not to visit untrusted web sites?
No. It helps, but it's likely not sufficient. We had at least one widely trusted web site (knoppix-std.org) which was compromised. As part of the compromise, a frame was added to the site redirecting users to a corrupt WMF file. "Trusted" sites have been used like this in the past.
- What is the actual problem with WMF images here?
WMF images are a bit different from most other images. Instead of just containing simple 'this pixel has that color' information, WMF images can call external procedures. One of these procedure calls can be used to execute the code.
- Should I use something like "dropmyrights" to lower the impact of an exploit?
By all means yes. Also, do not run as an administrator-level user for everyday work. However, this will only limit the impact of the exploit, and not prevent it. Also: Web browsing is only one way to trigger the exploit. If the image is left behind on your system, and later viewed by an administrator, you may get 'hit'.
- Are my servers vulnerable?
Maybe... do you allow the uploading of images? email? Are these images indexed? Do you sometimes use a web browser on the server? In short: If someone can get an image to your server, and if the vulnerable DLL may look at it, your server may very well be vulnerable.
- What can I do at my perimeter / firewall to protect my network?
Not much. A proxy server that strips all images from web sites? Probably won't go over well with your users. At least block .WMF images (see above about extensions...). If your proxy has some kind of virus checker, it may catch it. Same for mail servers. The less you allow your users to initiate outbound connections, the better. Close monitoring of user workstations may provide a hint if a workstation is infected.
- Can I use an IDS to detect the exploit?
Most IDS vendors are working on signatures. Contact your vendor for details. Bleedingsnort.org is providing some continuously improving signatures for snort users.
- If I get hit by the exploit, what can I do?
Not much :-(. It very much depends on the exact exploit you are hit with. Most of them will download additional components. It can be very hard, or even impossible, to find all the pieces. Microsoft offers free support for issues like that at 866-727-2389 (866 PC SAFETY).
- Does Microsoft have information available?
http://www.microsoft.com/technet/security/...ory/912840.mspx
But there is no patch at the time of this writing.
- What does CERT have to say?
http://www.kb.cert.org/vuls/id/181038
http://www.cve.mitre.org/cgi-bin/cvename.c...e=CVE-2005-4560
* New exploit released for the WMF vulnerability - YELLOW
Published: 2006-01-01,
Last Updated: 2006-01-02 03:21:11 UTC by Swa Frantzen (Version: 10)
New exploit
On New Year's eve the defenders got a 'nice' present from the full disclosure community.
The source code claims to be made by the folks at metasploit and xfocus, together with an anonymous source.
Note: We have been able to confirm that this exploit works. We are in the process of getting information to AV vendors ASAP. We can also confirm that having the file and simply opening the directory can be enough to get the exploit running.
The exploit generates files:
- with a random size;
- no .wmf extension (.jpg), but could be any other image extension actually;
- a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
- a number of possible calls to run the exploit are listed in the source;
- a random trailer
From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the IDS signatures for the previous versions of the WMF exploits work for this next generation. Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of the WMF files.
Infection rate
McAfee announced on the radio yesterday they saw 6% of their customers having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.
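The FAQ notes that WMF files are recognized by their header rather than their extension, the unofficial patch blocks Escape() calls carrying SETABORTPROC (0x09), and the new exploit pads junk records in front of that call. The following header-based scanner walks the WMF record stream and flags META_ESCAPE records whose sub-function is SETABORTPROC; it is an added example, not code from the ISC diaries or from the patch, and the two sample files it parses are constructed here (empty escape data, no exploit content).

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626         # record type that reaches gdi32's Escape()
META_EOF = 0x0000
SETABORTPROC = 0x0009        # the escape sub-function the unofficial patch ignores

def parse_wmf(data: bytes) -> dict:
    """Identify a WMF by its header (extension is irrelevant) and walk its records."""
    result = {"is_wmf": False, "setabortproc": False, "records": 0}
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        return result
    ftype, hsize, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hsize != 9 or version not in (0x0100, 0x0300):
        return result                      # no METAHEADER, so not a WMF
    result["is_wmf"] = True
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF or size_words < 3:
            break                          # end of stream, or a malformed record
        result["records"] += 1
        # Junk records placed before the Escape call are simply stepped over by size.
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                result["setabortproc"] = True
        off += size_words * 2
    return result

def _record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _wmf(records: list) -> bytes:
    """Constructed on-disk WMF: METAHEADER, then records, then META_EOF."""
    body = b"".join(records) + _record(META_EOF, b"")
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body

# Constructed samples (not real exploit data): a rectangle-only file, and a file
# with a filler record followed by an escape record that names SETABORTPROC.
BENIGN = _wmf([_record(0x041B, struct.pack("<hhhh", 0, 0, 10, 10))])
SUSPECT = _wmf([_record(0x0103, struct.pack("<H", 1)),
                _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])

if __name__ == "__main__":
    # The .jpg name is deliberate: the scanner never looks at the extension.
    for name, blob in (("benign.wmf", BENIGN), ("card.jpg", SUSPECT), ("real.png", b"\x89PNG\r\n\x1a\n")):
        print(name, parse_wmf(blob))
```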