Author Topic: Info on Windows' WMF Vulnerability  (Read 20562 times)

0 Members and 4 Guests are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Info on Windows' WMF Vulnerability
« on: January 03, 2006, 10:13:45 pm »
I don't know how much of you know about the WMF vulnerability, but it's a file format vulnerability that allows very easy execution of arbitrary code when Windows renders it.  The vulnerbility was found and exploited over a week ago, and MS refuses to release a patch until their next patch cycle (which is probably today). 

So for over a week, all Windows users who are using the Internet were totally sitting ducks.  Metasploit has put out a module for it, there was at least an MSN worm spreading with it, and it had the potential to be one of the nastiest Email worms ever.  The only defense from Microsoft was by telling people to disable image viewers; the only good solution was a third party patch made by a man named Ilfak Guilfanov. 

In my opinion, this is one of Microsoft's bigger mistakes so far, waiting until the patch cycle to patch a vulnerability that's being actively exploited.  But that's just me :)


Quote
Quite a bit of confusing and a vast amount of information coming from all directions about the WMF 0day. Here are some URL's and generic facts to set us straight.

The "patch" by Ilfak Guilfanov works, but by disabling a DLL in Windows. So far no problems have been observed by anyone using this patch. You should naturally check it out for yourselves but I and many others recommend it until Microsoft bothers to show up with their own patch.

Ilfak is trusted and is in no way a Bad Guy.

You can find more information about it at his blog:
http://www.hexblog.com/2005/12/wmf_vuln.html

If you are still not sure about the patch by Ilfak, check out the discussion of it going on in the funsec list about the patch, with Ilfak participating:
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Occasional information of new WMF problems keep coming in over there.

In this URL you can find the best summary I have seen of the WMF issue:
http://isc.sans.org/diary.php?storyid=994
by the "SANS ISC diary" team.

In this URL you can find the best write-up I have seen on the WMF issue:
http://blogs.securiteam.com/index.php/archives/167
By Matthew Murphy at the "Securiteam Blogs".

Also, it should be noted at this time that since the first public discovery of this "problem", a new one has been coming in - every day. All the ones seen so far are variants of the original and in all ways the SAME problem. So, it would be best to acknowledge them as the same... or we will keep having a NEW 0day which really isn't for about 2 months when all these few dozen variations are exhausted.

A small BUT IMPORTANT correction for future generations:
The 0day was originally found and reported by Hubbard Dan from Websense on a closed vetted security mailing list, and later on at the Websense public page. All those who took credit for it took it wrongly.

Thanks, and a better new year to us all,

    Gadi.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #1 on: January 03, 2006, 10:29:19 pm »
There should be a variant that erases all important system DLLs! :)
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #2 on: January 03, 2006, 10:41:25 pm »
mmm. I've read about and encountered it on Linux serveral times... I pointed, laughed, clicked cancel.
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Info on Windows' WMF Vulnerability
« Reply #3 on: January 03, 2006, 10:50:09 pm »
Wow, that's horrible!  Stupid Microsoft.

mmm. I've read about and encountered it on Linux serveral times... I pointed, laughed, clicked cancel.

Haha.  I'm going to buy a new hard drive to install Slackware on soon.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Info on Windows' WMF Vulnerability
« Reply #4 on: January 03, 2006, 10:55:25 pm »
Ah, update: Microsoft is planning on releasing the patch on January 10.  That's over 2 weeks with a vulnerability that's being actively exploited.. I'm still hoping for an email worm so I can laugh :)

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Info on Windows' WMF Vulnerability
« Reply #5 on: January 03, 2006, 11:03:01 pm »
Ah, update: Microsoft is planning on releasing the patch on January 10.  That's over 2 weeks with a vulnerability that's being actively exploited.. I'm still hoping for an email worm so I can laugh :)

ROFL.  That would be so great.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #6 on: January 03, 2006, 11:18:46 pm »
mmm. I've read about and encountered it on Linux serveral times... I pointed, laughed, clicked cancel.

You suck. I wish I had Linux right now.

* Newby cries.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #7 on: January 03, 2006, 11:35:38 pm »
mmm. I've read about and encountered it on Linux serveral times... I pointed, laughed, clicked cancel.

You suck. I wish I had Linux right now.

* Newby cries.
putty FTW!
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology

Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: Info on Windows' WMF Vulnerability
« Reply #8 on: January 04, 2006, 12:11:46 am »
If I didn't have putty at school... I don't know what I'd do. :)
And like a fool I believed myself, and thought I was somebody else...

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: Info on Windows' WMF Vulnerability
« Reply #9 on: January 04, 2006, 09:38:39 am »
Meh, it isn't a problem for firefox users......

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Info on Windows' WMF Vulnerability
« Reply #10 on: January 04, 2006, 06:17:26 pm »
Meh, it isn't a problem for firefox users......

It is if you don't know what you're doing and click "yes" to the prompt.  This isn't exactly the sort of issue computer-illiterate (those who are conciously aware of the existance of these sorts of exploits) people are going to address as a potential problem.

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #11 on: January 04, 2006, 06:38:05 pm »
Even a computer-literate will sometimes wmf for wma/wmv when it's very late at night. Or might just guess it's a new file format ;P
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Info on Windows' WMF Vulnerability
« Reply #12 on: January 04, 2006, 06:39:05 pm »
Even a computer-literate will sometimes wmf for wma/wmv when it's very late at night. Or might just guess it's a new file format ;P

Haha, yeah.  I really wouldn't think too much of it if I hadn't read this article (at least until my computer started dying).

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Info on Windows' WMF Vulnerability
« Reply #13 on: January 04, 2006, 08:40:28 pm »
An article called "0-day Holiday" was posted:

http://www.securityfocus.com/columnists/377

Quote
“ Hundreds of millions computers are vulnerable to the whims of just about any website owner, virus writer, or hacker with malicious intent. I can think of a thousand different ways to lure someone into full system compromise using this zero-day vulnerability - and I don’t think this is the vision Gates had ever dreamed of. ”

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Info on Windows' WMF Vulnerability
« Reply #14 on: January 05, 2006, 05:57:33 pm »
http://it.slashdot.org/it/06/01/05/2027259.shtml?tid=172&tid=128&tid=201&tid=218

Awesome. Ahead of schedule. It only ~100 or so variants of this vulnerability for them to go "oh, shit, maybe we are fuckbags."
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT.