S
shplink
Both good points. I am not ashamed to admit I get a little misty when ISean said:
think back to my 3 months of unemployment, playing "Age Of Mythology"
until 5AM and going to sleep with the game's music echoing in my brain.
think back to my 3 months of unemployment, playing "Age Of Mythology"
until 5AM and going to sleep with the game's music echoing in my brain.
T
Todd H.
Virus Guy said:
It's not that simple.
Except it's not that simple. The handler is not triggered by file
extension, file headers are analyzed.
Yes. Now yer getting it.
And those malformed wmf files are being dropped all over the internet
and being foisted upon people via IM worms and spam.
If you think yer not vulnerable and you haven't done anything specific
to protect yourself, you're kidding yourself.
T
Tim Smith
It's worse than that...just viewing one of the bad images on a web site is
sufficient. And that bad image could be on the site indirectly, via an
advertising network, so you can't assume that sites you know are safe, if
they carry outside advertising.
H
Hoosier Daddy
Todd H. said:
That is not how I understand the situation. The problem is the extension
of the filetype to include the 'feature' which allows it to contain executable
code. As long as the OS supports this feature, it is vulnerable to future
exploit.
R
Ron Lopshire
David said:
You can always tell who issues these press releases/alerts. Lawyers,
bean counters and marketing bozos use words like "mitigate". What the
public wants, and needs, to hear about this exploit are words, from
the engineers, like "eliminate" and "rectify".
Ron
T
Todd H.
Hoosier Daddy said:
I'm not sure you and I disagree. I don't disagree with your
description of how the wmf vulnerability is triggered by the reading
of a maliciously created WMF file (be it named a .jpg, or .gif or a
..wmf file).
What I'm saying is that the possible ways you could have such a
malicious wmf file end up on your system are extremely varied. A MSN
messenger worm is spreading one via IM -- imagine being logged on,
and some random user (orsomeone you know) IM's you with a graphic in
it, and wham...you're owned.
Or you receive an email with a graphic in it that your mail reader
renders without asking you any questions....
Or you stumble onto a myspace site of a friend's band and some yahoo
includes a comment on the page that includes a link to a maliciously
crafted image....
This is why this is getting so much attention, cus it's so damned easy
to get.
K
kurt wismer
Virus Guy wrote:
[snip]
gdi... the dll everyone has been told to unregister is just the vector
which the current crop of exploits utilize to access the gdi design flaw...
http://www.f-secure.com/weblog/archives/archive-012006.html#00000761
http://www.fileformat.info/format/wmf/egff.htm
[snip]
nothing except allow you to apply the principle of least privileges...
on 9x everyone's an admin all the time...
[snip]
gdi... the dll everyone has been told to unregister is just the vector
which the current crop of exploits utilize to access the gdi design flaw...
http://www.f-secure.com/weblog/archives/archive-012006.html#00000761
http://www.fileformat.info/format/wmf/egff.htm
[snip]
nothing except allow you to apply the principle of least privileges...
on 9x everyone's an admin all the time...
K
kurt wismer
Virus said:
i suggested to you that you should go read more about the problem
instead of glossing over it because of your assumption that your OS
isn't vulnerable simply because it doesn't have the dll used by current
exploits...
but since you'd rather be hand fed the information, the component in
question is the graphical device interface (gdi - probably, but not
necessarily gdi32.dll)...
a wmf file is essentially a collection of gdi calls
(http://www.fileformat.info/format/wmf/egff.htm)... microsoft shipped
the gdi...
a native handler would be rather pointless when the dll is shipped with
the OS...
essentially, yes...
K
kurt wismer
Ron Lopshire wrote:
[snip]
not gonna happen... the problem is that microsoft thinks it's a good
idea to mix code with their data... they think it adds *value*...
[snip]
not gonna happen... the problem is that microsoft thinks it's a good
idea to mix code with their data... they think it adds *value*...
O
Offbreed
Virus said:
Oh, it's fine.
So long as you stay off the net.
(I use several hard drives, in rotation, and check them against each
other. Sooner or later, out of luck.)
V
Virus Guy
kurt said:
You mean shimgvw.dll. I don't think you can un-register GDI32 and
still have a functional computer.
We already know that Win-9x doesn't have shimgvw.dll (so it's not
clear to me what 9X has that would be making the Escape() and
SetAbortProc calls to GDI32 in the context of handling a wmf file).
You know, I'll agree that Win-98 probably has the same flaw in it's
GDI library that XP has. What's not clear is that it fails in the
same way, leading to a heap or stack overflow, page fault, etc, and
thereby allowing rogue code to be executed in any coherent or planned
manner.
The difference between 98 and XP is that on a 98 system it will almost
always not know what to do with a wmf file, while practically any app
on XP will feed rogue WMF code to shimgvw.dll which in turn will trip
the flaw in GDI32.
Is there anything in PDF, PowerPoint, or PostScript that comes close
to forcing the OS to execute code-based function calls to GDI32?
Or are WMF files the most dangerous type of file (from an imbedded
code-vulnerability point of view?)
I thought XP and 98 were light-years apart in their code base. If the
API library is that similar between them that this exploit behaves the
same, then that's a real wake-up call that XP isin't as "modern" or
"new and improved" as MS purports it to be.
And what's wrong with that for your typical home computer?
K
kurt wismer
Virus said:
probably not...
i'm reasonably certain those calls are encoded in the wmf file itself...
wmf files are essentially collections of gdi api calls... i'm not sure
why anything would need to call additional gdi methods when parsing a
wmf file...
it's a given that an overflow/fault/etc that does X on an nt based OS
will not do X on a 9x based OS...
but then, most people are *not* claiming that the current exploits work
on 98... entirely different exploits would likely need to be devised for
9x... it's still the same underlying vulnerability, however...
presumably you use the most up to date version of IE on 98... try
renaming a wmf file to bmp and loading it in your browser... i have no
idea what would happen, but i suspect that IE will determine the right
thing to do based on the header...
easy to find out... load up a document and find out if gdi32 is loaded
by the viewer...
it's a supposed image format whose data is actually binary encoded gdi
function calls - most dangerous? you be the judge...
[snip]
well, if your typical home computer user never makes mistakes, never
connects to the net, and never gives anyone else access to his/her
computer, then i guess nothing is wrong...
somehow that doesn't sound very typical, though...
the principle of least privileges helps to protect users not just from
crackers but also from themselves...
B
Bronx
The difference between 98 and XP is that on a 98 system it will almost
IE had no idea what to do with it.
It kicked it to the default image viewer for BMPs,
which wouldn't open it: "Unknown File Format".
Firefox just generates an error message.
I'm running:
Windows98SE 4.10.2222A
Internet Explorer 6.0.2600.0000IS
Firefox 1.0.7
Image Eye 7.1 (default image viewer)
IE had no idea what to do with it.
It kicked it to the default image viewer for BMPs,
which wouldn't open it: "Unknown File Format".
Firefox just generates an error message.
I'm running:
Windows98SE 4.10.2222A
Internet Explorer 6.0.2600.0000IS
Firefox 1.0.7
Image Eye 7.1 (default image viewer)
V
Virus Guy
kurt said:
Files don't parse or render themselves - especially data files.
Something must read the header, parse the records, and then perform
the GDI calls.
Version 6.0.2800.1106
Using IE:
File -> Open -> Browse -> some_file.wmf
Dial box opens: Title bar = File Download
- Some files can harm your computer ...
- file name: some_file.wmf
- file type: Coreldraw 9.0 Graphic
- from: c:\what-ever
- would you like to open the file or save it?
- Open Save Cancel
Select Open
- flurry of disk activity for about 10 seconds
- IE window seems frozen (unresponsive)
- window declared dead
- close window
My_Computer -> C:\what-ever -> double-click some_file.wmf
- ACDSee V3.1b opens and renders the wmf image.
- Repeat above (My_computer -> C:\what-ever), except double-click
on browsercheck.wmf as the target
- ACDSee opens browsercheck.wmf without any fuss
- displays what looks like a blank page.
- Open browsercheck.wmf with CorelDraw 9.0
- Corel renders a screen full of boxes of various sizes
- looks like modern art
- 162 boxes to be precise
Rename some_file.wmf -> some_file.bmp
- double-click on some_file.bmp
- Paint dialog box opens
- c:\some_file.bmp
- Paint cannot read this file
- This is not a valid bitmap file, or it's format is
not currently supported
Use IE to open some_file.bmp
- Paint dialog box opens with same message as above
Rename some_file.bmp -> some_file.gif
- file now has Corel PhotoPaint Icon
- double-click some_file.gif
- Corel Photopaint starts, opens the file - and renders it
properly (!)
- Use IE to open some_file.gif
- Corel Photo-paint starts and renders the file
Rename some_file.gif -> some_file.htm
- double-click some_file.htm
- IE starts, displays pages of random text
Funny think is that directory listings of wmf files show up with
CorelDraw icons in the Name column but have "ACDSee WMF Image" in the
Type column.
This test will have to be performed on a Win98 system where no other
image-processing software has been installed in order to see how IE
handles WMF files (if it handles them at all).
Well, I can see no evidence that IE can (all by itself) open a WMF
file on a Win-98 system no matter how you try to trick it.
Um, you're saying that Win-XP is more able to protect itself from the
big-bad internet than Win-98 is?
XP was designed for corporate desktops where sys-admins could control
what end-users could and couldn't do with their machine. XP was also
designed for remote admin, easy deployment, remote config, etc. None
of that stuff makes it inherently "better" for home users, and
arguable all of that stuff makes it more vulnerable when connected to
the internet via your typical home cable or DSL modem.
Funny how XP needs third party protection like AdAware, Spybot, etc,
even though it's got all that nifty privledge-based user accounts.
H
Hoosier Daddy
Virus Guy said:
My Win98 registry shows an entry for .wmf files associated with a classid
and the classid shows data of "TridentImageExtractor". This may be the
"image preview" feature of the "View as Web page" feature of "Explorer"
as other picture formats have also the same association.
I didn't find any other .wmf associations in my registry. This installation
came with "Kodak Imager" so I can't say if it is a virgin Win98 setup.
A
Ant
kurt wismer said:
Anyone who writes code to draw WMFs would only have to call the
built-in "playmetafile", or whatever the API routine is called, in
order to display it for the required device context (which may be a
printer).
What I don't understand about this is how the exploit code is run,
because there's no talk of buffer overflows with this exploit. The
problematic routine is the escape("setabortproc") function, which
tells the GDI what user-supplied function to call in the event of a
print cancellation. In other words, the address of the "abortproc"
code in the WMF is passed to the GDI, but why is it being run? In
the exploit code I've seen, there's no subsequent call to trigger it.
J
Jim
It has been known for a long time that people put malware in images. ThisWilbur Post said:
is especially true for compressed formats like jpg or gif.
I suppose that it would be possible to imbed malware in almost any type of
image if a person were determined enough.
It has also been known that one should never open an image from anybody
unless some friend tells you that the image is coming.
There is nothing new about the potential for getting infected via image
files.
Jim
V
Virus Guy
Here's something I came across in my registry:
HKEY_Classes_root\quickview\.WMF
In that key is a sub-key (CSLID?) with a data
value of "SCC Quick Viewer"
A search for SCC Quick Viewer gives this:
http://www.windowsitlibrary.com/Content/368/07/2.html (see below).
Also, I see that WMF files are also associated with wmfimp32.flt:
"The Windows Metafile graphics filter (Wmfimp32.flt) supports the
Windows Metafile format. You must have the Windows Metafile filter
installed to insert a Windows Metafile into a Microsoft Excel workbook
as a Microsoft Clip Gallery object. However, to insert a Windows
Metafile directly into a Microsoft Excel workbook, you don't need the
Windows Metafile filter."
-------
VIEWING FILES WITH QUICK VIEW
Quick View is a utility that provides a way to look at a file without
opening the software that created that file. In fact, you don’t even
have to have the software associated with the file on your computer.
It’s a complicated feature and is dependent upon the registry in order
to work. When you right-click a document file in Explorer or My
Computer, the shortcut menu offers the Quick View command if the file
type is supported by Quick View.
How Quick View Works
Quick View works by launching QUIKVIEW.EXE, which is not the viewer
but a software application that locates and launches an appropriate
viewer. In Windows NT QUIKVIEW.EXE is usually found in
\%SystemRoot%\System32\Viewers. In Windows 95 and 98, it is usually
located in \%SystemRoot%\System\Viewers.
A separate instance of a viewer is opened for each file selected by
the user. If you select multiple files and choose Quick View, the
shell starts QUIKVIEW.EXE for each selected file (using the Win32
CreateProcess or WinExec function) and a viewer will open for each
file type that is supported.
QUIKVIEW.EXE checks the registry to locate the viewer that should be
used with a particular file type. It starts the search at
HKEY_CLASSES_ROOT\QuickView\* to locate all registered viewers (see
Figure 7-8). You’ll usually find that the viewer is SCC Quick Viewer.
QUIKVIEW.EXE checks the file extension for the selected file and finds
the viewer for that file type.
If there is only one registered viewer, all the file extension subkeys
will display the default viewer (see Figure 7-9).
If the file type has no viewer installed, Quick View displays a
message saying that there is no viewer attached to this file type and
asking if you want to try the default viewers. If you say No, all
processing stops. If you respond affirmatively, the filename is passed
to the default viewers, one at a time. (If a file viewer is able to
handle the file, it may be a hex dump of the data). If none of the
default viewers displays the file, Quick View displays an error
message indicating there was an error opening or reading the file.
-------
HKEY_Classes_root\quickview\.WMF
In that key is a sub-key (CSLID?) with a data
value of "SCC Quick Viewer"
A search for SCC Quick Viewer gives this:
http://www.windowsitlibrary.com/Content/368/07/2.html (see below).
Also, I see that WMF files are also associated with wmfimp32.flt:
"The Windows Metafile graphics filter (Wmfimp32.flt) supports the
Windows Metafile format. You must have the Windows Metafile filter
installed to insert a Windows Metafile into a Microsoft Excel workbook
as a Microsoft Clip Gallery object. However, to insert a Windows
Metafile directly into a Microsoft Excel workbook, you don't need the
Windows Metafile filter."
-------
VIEWING FILES WITH QUICK VIEW
Quick View is a utility that provides a way to look at a file without
opening the software that created that file. In fact, you don’t even
have to have the software associated with the file on your computer.
It’s a complicated feature and is dependent upon the registry in order
to work. When you right-click a document file in Explorer or My
Computer, the shortcut menu offers the Quick View command if the file
type is supported by Quick View.
How Quick View Works
Quick View works by launching QUIKVIEW.EXE, which is not the viewer
but a software application that locates and launches an appropriate
viewer. In Windows NT QUIKVIEW.EXE is usually found in
\%SystemRoot%\System32\Viewers. In Windows 95 and 98, it is usually
located in \%SystemRoot%\System\Viewers.
A separate instance of a viewer is opened for each file selected by
the user. If you select multiple files and choose Quick View, the
shell starts QUIKVIEW.EXE for each selected file (using the Win32
CreateProcess or WinExec function) and a viewer will open for each
file type that is supported.
QUIKVIEW.EXE checks the registry to locate the viewer that should be
used with a particular file type. It starts the search at
HKEY_CLASSES_ROOT\QuickView\* to locate all registered viewers (see
Figure 7-8). You’ll usually find that the viewer is SCC Quick Viewer.
QUIKVIEW.EXE checks the file extension for the selected file and finds
the viewer for that file type.
If there is only one registered viewer, all the file extension subkeys
will display the default viewer (see Figure 7-9).
If the file type has no viewer installed, Quick View displays a
message saying that there is no viewer attached to this file type and
asking if you want to try the default viewers. If you say No, all
processing stops. If you respond affirmatively, the filename is passed
to the default viewers, one at a time. (If a file viewer is able to
handle the file, it may be a hex dump of the data). If none of the
default viewers displays the file, Quick View displays an error
message indicating there was an error opening or reading the file.
-------
T
Tim Smith
"Ant" <[email protected]> said:
It's called on errors, not just print cancels. If you examine the calls
in the file, you should find something wrong that would cause an error,
and hence execute the abort proc.
K
kurt wismer
Virus said:
lets restore context, shall we?
win9x doesn't need to have anything that would be making escape() and
setabortproc() calls to the gdi, those calls are part of the wmf file
itself - win9x simply has to parse the wmf file in the proper way (which
involves passing the gdi calls encoded in the wmf file to the gdi api)...
*anything* that displays wmf files should be doing this unless it has
it's own gdi implementation...
[snip]
apparently not...
you're now showing a rather troubling ignorance of the principle of
least privileges... it's not winxp that is more able to protect itself,
it's running as a limited user that limits the damage things on the
big-bad internet can cause...
it needs those things in part because people don't use less privileged
accounts... they've still got their heads stuck in the win9x days...