
New exploit released for the WMF vulnerability - YELLOW (NEW)
SANS ^ | 12/31/05 | Tom Liston

Posted on 12/31/2005 4:26:16 PM PST by Salo

New exploit released for the WMF vulnerability - YELLOW (NEW)
Published: 2006-01-01, Last Updated: 2006-01-01 00:06:40 UTC by Tom Liston (Version: 6)

New exploit

On New Year's Eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at metasploit and xfocus, together with an anonymous source.

The exploit generates files:

* with a random size;
* no .wmf extension (.jpg), but it could actually be any other image extension;
* a random piece of junk in front of the bad call, carefully crafted to be larger than the MTU on an Ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer.

From a number of scans we did through VirusTotal, we can safely conclude there is currently no anti-virus signature that detects it. Similarly, it is very unlikely that any of the current IDS signatures catch it.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of WMF files.

Infection rate

McAfee announced on the radio yesterday that they saw 6% of their customers infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.

Yellow

Since this upsets all the defenses people have in place, we voted to go to yellow in order to warn the good guys out there that they need to review their defenses.

We hate going back to yellow for something we were yellow on a couple of days ago and had returned to green, but the more we look at it, the uglier it gets.

Unofficial patch

For those of you wanting to try an unofficial patch, with all the risks involved, please see http://www.hexblog.com/2005/12/wmf_vuln.html. Initially it was only for Windows XP SP2. Fellow handler Tom Liston is working with Ilfak Guilfanov to extend it to also cover Windows XP SP1 and Windows 2000. We will host the files once we have them verified.

Patching with unofficial patches is very risky business; this comes without any guarantee of any kind. Please do back out these unofficial patches before applying official patches from Microsoft.

Snort signatures

We are receiving signatures from Frank Knobbe that detect this newest variant, but we haven't done much testing for false positives or negatives at this point. http://www.bleedingsnort.com/...

Frank also restated some warnings:

There is one important note in regards to ALL published signatures including this one. All these signatures will fail to detect the exploits when the http_inspect preprocessor is enabled with default settings. By default, the flow_depth of the preprocessor is 300, which is too short to cover the whole exploit. Should the exploit be transmitted on port 80 with http_inspect enabled, no alert will occur. Note that it will still alert on any ports (using the all-port sig below) that are not configured in http_inspect (i.e. FTP). One solution is to add the statement "flow_depth 0" to the http_inspect preprocessor. This will tell the preprocessor not to truncate the reassembled pseudo-packet, but it will have an adverse impact on performance. On busy networks, this will lead to 100% CPU utilization of the Snort process and major packet drops.

So we're between a rock, a solid surface, and a hard place. The exploits are web based, yet the signature will fail with http_inspect enabled. With it disabled, Snort will miss all rules containing uricontent and pcre/U statements. With it enabled and flow_depth set to 0, Snort will alert on the exploit, but also process all uricontent rules in such a fashion that its CPU utilization skyrockets.

The only viable solution at this point is to run two instances of Snort. One with your normal set of rules and http_inspect enabled with either the default or "sane" values for flow_depth. The second instance should run with http_inspect disabled or flow_depth set to 0, and process only rules that have to cover a larger than 300 byte area for content matches on ports configured in http_inspect. This two-pronged approach assures that Snort's performance is kept at normal levels, preventing packet loss.
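The following Python model is added here and is not part of the SANS diary, Frank Knobbe's rules or Snort itself. It ties together the two detection points above: the exploit's junk prefix is sized larger than an Ethernet MTU, while http_inspect's default flow_depth of 300 hands content rules only the first 300 bytes of a response, so a plain content match lands outside the inspected window. It assumes a constructed placeholder signature, constructed traffic, and a simplified flow_depth that counts from the first byte of the server response.

```python
import os

# Snort 2.x http_inspect at the time handed content rules only the first
# flow_depth bytes of a server response; the default was 300, 0 meant "all".
DEFAULT_FLOW_DEPTH = 300
ETHERNET_MTU = 1500

# Constructed placeholder for the bytes a rule would match on. It stands in
# for a real WMF record signature and matches nothing in real traffic.
SIGNATURE = b"<<constructed-wmf-rule-content>>"


def constructed_response(junk_len: int) -> bytes:
    """Synthetic server response: random junk, the rule content, then a trailer.

    The junk mirrors the 'random piece of junk in front of the bad call' in the
    diary; the caller picks its size (the exploit made it larger than one MTU).
    """
    return os.urandom(junk_len) + SIGNATURE + os.urandom(32)


def inspected_window(response: bytes, flow_depth: int) -> bytes:
    """Model flow_depth: 0 inspects everything, N inspects only the first N bytes."""
    if flow_depth < 0:
        raise ValueError("flow_depth must be 0 (unlimited) or positive")
    return response if flow_depth == 0 else response[:flow_depth]


def rule_fires(response: bytes, flow_depth: int, content: bytes = SIGNATURE) -> bool:
    """Would a plain content rule see its match within the inspected window?"""
    return content in inspected_window(response, flow_depth)


def flow_depth_needed(response: bytes, content: bytes = SIGNATURE) -> int:
    """Smallest non-zero flow_depth that still covers the match, or -1 if absent."""
    idx = response.find(content)
    return -1 if idx < 0 else idx + len(content)


def split_rules(rules, sane_depth=DEFAULT_FLOW_DEPTH):
    """Two-instance plan from the diary: rules whose match can sit beyond
    sane_depth go to a second Snort instance running with flow_depth 0; the
    rest stay on the normal instance. rules is a list of (name, bytes_needed)."""
    normal = [name for name, need in rules if need <= sane_depth]
    deep = [name for name, need in rules if need > sane_depth]
    return normal, deep


if __name__ == "__main__":
    sample = constructed_response(ETHERNET_MTU + 100)
    print("default flow_depth catches it:", rule_fires(sample, DEFAULT_FLOW_DEPTH))
    print("flow_depth 0 catches it:      ", rule_fires(sample, 0))
    print("flow_depth needed:            ", flow_depth_needed(sample))
    print(split_rules([("web uricontent rule", 300),
                       ("wmf any-port rule", flow_depth_needed(sample))]))
```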

Wishing all Windows machines a happy New Year, with somewhat fewer nasty exploits.


TOPICS: Business/Economy; Crime/Corruption; Technical
KEYWORDS: exploit; microsoft; windows; wmf
I, for one, welcome our new exploit-writing overlords.
1 posted on 12/31/2005 4:26:17 PM PST by Salo

To: ShadowAce; Ernest_at_the_Beach; N3WBI3; adam_az

Pings. This one looks like a gift that is going to keep on giving.


2 posted on 12/31/2005 4:27:08 PM PST by Salo (He hath touched me with his noodly appendage. Ramen.)

To: Salo

Babblefish?


3 posted on 12/31/2005 4:27:42 PM PST by tet68 ( " We would not die in that man's company, that fears his fellowship to die with us...." Henry V.)

To: tet68

This is poorly-formatted ancient geek for "bend over, MS has done screwed up on security again."


4 posted on 12/31/2005 4:29:20 PM PST by Salo (He hath touched me with his noodly appendage. Ramen.)

To: Salo

My Winfax is disabled, and I don't miss it, so...big deal.


5 posted on 12/31/2005 4:46:31 PM PST by Clara Lou (A conservative is a liberal who has been mugged by reality. --I. Kristol)

To: Salo
This is poorly-formatted

Yes it is. To the point of being not understandable.

6 posted on 12/31/2005 5:04:17 PM PST by upchuck (Article posts of just one or two sentences do not preserve the quality of FR. Lazy FReepers be gone!)

To: upchuck

Hit the link - it has much better formatting.


7 posted on 12/31/2005 5:22:45 PM PST by Salo (He hath touched me with his noodly appendage. Ramen.)

To: Salo

Beware of geeks bearing glyphs.


8 posted on 12/31/2005 5:35:48 PM PST by tet68 ( " We would not die in that man's company, that fears his fellowship to die with us...." Henry V.)

To: Salo

There seems to be no end to this Malware.....


9 posted on 12/31/2005 5:41:48 PM PST by Ernest_at_the_Beach (History is soon Forgotten,)

To: upchuck; All
Here's the one I got through my employer. It's pretty easy to understand.

http://www.us-cert.gov/cas/techalerts/TA05-362A.html
10 posted on 12/31/2005 5:51:51 PM PST by hiredhand (My kitty disappeared. NOT the rifle!)

To: hiredhand

placemarker


11 posted on 12/31/2005 5:57:30 PM PST by Baraonda (Demographic is destiny. Don't hire 3rd world illegal aliens nor support businesses that hire them.)

To: Baraonda

Actually, the SANS bulletin was well written. It's just that most "normal" people won't understand it. CERT usually publishes in a way that's easy for just about anybody to understand. They follow a style that allows the CIO to read the summary, and then buried down in the bottom is all the technical info for the incident response team. :-)


12 posted on 12/31/2005 6:03:35 PM PST by hiredhand (My kitty disappeared. NOT the rifle!)

To: hiredhand; Salo
Microsoft Windows is vulnerable to remote code execution via an error in handling files using the Windows Metafile image format. Exploit code has been publicly posted and used to successfully attack fully-patched Windows XP SP2 systems. However, other versions of the Windows operating system may be at risk as well.

Another MS error

13 posted on 12/31/2005 7:10:37 PM PST by Ernest_at_the_Beach (History is soon Forgotten,)

To: Ernest_at_the_Beach
Because of my job, I've got a 29 bit block of addresses here on a site that runs out of my home. We've got three 10/100 Mbps switched Ethernet LANs, two firewalls, a couple of web servers, an SMTP server, a DNS server, a forum server, and some others I'm probably forgetting to mention. :-) All the servers and firewalls are running OpenBSD (firewalls) or FreeBSD (servers).

BUT....our network...the one that US PEOPLE here at the house use has ZERO Windows computers on it! It's been a Linux only network for going on five years.

We've been sent so many viruses I've lost count...all to no avail of the sender. We block some 100,000 packets per month from people portscanning us, and from infected Windows computer systems. I used to run a reactive IDS on one of the firewalls, but it was more trouble than it was worth, so I shut it down.

Me, the wife and the kids have several e-mail clients to choose from (generally stick to what's available in the latest stable release of KDE though), multimedia players, video streaming clients, web browsers (mostly FireFox), instant messenger clients (AOL/AIM, Yahoo, MSN). We even run a private Jabber server which comes in HANDY. The wife and kids have the office suite which ships with KDE, but prefer OpenOffice...as I do.

I decided that I simply wasn't going to support MS and this sort of disappointment again. We run a large MS Windows client base where I work and the amount of effort required to maintain it in comparison to the Linux servers is amazing.

In fact, we recently swapped out some 300 Windows based point of sale systems with diskless Linux workstations after a particular network aware trojan horse took us down for almost a week. They gave one of the diskless workstations to me to break into, and me and another engineer at work WERE able to break into it, but we had to remove the cover from the machine in order to remove the compact flash card, so we could mount it to crack passwords. Then we discovered that it had no root password! It did have an invalid UNIX password entry for root though! (!!). We thought that was pretty slick. :-) In the end, there was nothing useful on the CF card. The users had to supply authentication credentials, which they were responsible for. But at least they weren't on the CF cards! In the end, we determined that it would be possible for somebody with enough skill and knowledge to replace the binary applications with "hostile" binaries, but the cases are sealed well (case locks), and these units are in reasonably secure areas.

At work, we purchased a product to manage security on the Windows computers across our networks (approx 5000) of them. It's expensive, complicated and NOT something for the "home user". We're thinking very seriously about making our common user platform a Linux workstation now.

Life's just too short to run a bad operating system such as those made by MS Windows.

I'll hand them one thing though, they've got one hell of a marketing department! :-)
14 posted on 12/31/2005 7:36:11 PM PST by hiredhand (My kitty disappeared. NOT the rifle!)

marking


15 posted on 12/31/2005 8:09:42 PM PST by D-fendr

To: hiredhand; Salo; ShadowAce; Marine_Uncle

Heck of a testimony!


16 posted on 12/31/2005 8:52:39 PM PST by Ernest_at_the_Beach (History is soon Forgotten,)

To: Ernest_at_the_Beach; hiredhand
"Heck of a testimony!"
Many years at Bell Labs and other AT&T entities deeply steeped in UNIX, I have no faith whatsoever in MS. And I had over the years dealt with those NT bucket of bolt systems, what a joke. Some seven years back I got involved with various early Linux distributions, Red Hat, Caldera etc.. So what hiredhand writes I understand from hands-on experience to hold true. There were many things I could do in Unix and Linux based systems I simply could never do in NT or any other MS based product. Of course I must admit I do not mind shooting Nazis up in playing Medal of Honor, bombing Baghdad and other cities and airbases in Iraq with F18 OIF, and shooting up a lot of assorted baddies in Soldier of Fortune Double Helix while on my ME system. And of course doing carrier ops from carriers in the Persian Gulf and other areas of the world in Microsoft Flight Simulator etc.. So MS has provided me with a means of leaving the realities of things... ha ha. May I wish you both a happy new year, a year of good health, spirit, and few problems and the good Lord's blessings for all your loved ones.
George PS. Sure is getting a bit noisy outside, being 10 plus and counting.... Phila. PA.
17 posted on 12/31/2005 9:10:20 PM PST by Marine_Uncle (Honor must be earned)

To: Marine_Uncle; Ernest_at_the_Beach
Yep! I hear ya! I spent about 3 years working with AT&T and a lot of that was with "Labs" doing development. I could have NEVER done the things they wanted with MS. Most of it was done with Linux, and some with FreeBSD.

It's a good point you make about games. But it's ironic when those of us who make the "net" work relegate the best that Microsoft has to offer to the sole purpose of supporting our entertainment!

RCTW Enemy Territory runs REALLY well on Linux. I play it once in awhile. :-)

Here's something funny (sort of!)... My wife had ONLY ever used Linux (RedHat). Well...she sort of knew it was Linux. All she saw was KDE and the applications that I installed. That box was like a "refrigerator". It JUST worked! Never crashed...never locked up...never did anything strange or unexpected....certainly never BSODd!

We returned to the U.S. after spending most of the 1980s and 1990s in England (courtesy of the DoD) and she went to work at a local hospital (she's an RN/BSN). Of course they had a MS Windows client base (and Novell supporting file sharing/print). She was complaining about the POS workstations because they were always malfunctioning, and the girls around her told her that the hospital computers worked GREAT compared to their home computers! They started telling her about viruses, corrupted registries, BSOD, and the whole trove of MS Windows troubles that you have.

She told them that she had NONE of those problems on her computer at home! In fact, she said, "We get viruses all the time and they never affect us!". She told them she was running something called Linux. A few of them told her that only "hackers" used that and that it was BAD. She told them that they could call it what they wanted, but it worked GREAT and never gave her any of the trouble that they had!

She came home in shock that people would continue to tolerate such a shoddy product.

That was in 1997, and Linux has gotten SOOOOO much nicer since!

I work for a certain branch of a state government, and RedHat Linux ES-4 supports our DNS, SMTP, a good portion of file and print, public access IPSEC VPN, WWW, and a couple of CheckPoint firewalls, and our public FTP server (to name a few). In fact, there's a PILE of Sun E-220 hardware with the Solaris 8 CD-ROMs over at the warehouse waiting for my boss to surplus it. It simply wasn't cost effective to keep it and maintain it. We process an incredible volume of e-mail alone per day. In fact, I JUST checked and from 25 Dec 2005 (at 0407 EST) until right now, we've delivered 327,863 messages across a userbase of approx 5000 people. The nature of what we support dictates that we deploy operating systems which handle high load well on moderately priced hardware, and which are extremely stable! A couple of years ago, an MS sales guy tried to pitch the place on Exchange after they gave him some stats for SMTP and he tried to sell them TWO quad processor boxes with gigs of RAM. Oh of course you have to have two of the beasts for redundancy. The guys who were there told me that he looked like a cornered fox in a henhouse when he badmouthed Linux and quickly discovered that he was surrounded by a bunch of Linux zealots! I wish I had been there! :-)
18 posted on 12/31/2005 10:25:37 PM PST by hiredhand (My kitty disappeared. NOT the rifle!)

To: hiredhand
Happy new year. May I ask what AT&T installations you may have worked at.
I was employed at the Allentown PA facilities, where the first production transistors for the Bell system originally came out of. We had a number of cleanroom facilities for both Bi-polar and MOS lines, and of course produced things like the world's first 16K,128K,1MEG rams, as well as many innovative LSI chips featuring some rather interesting design structures. I worked for five years with a design group where we invented a process called "poly cell design", which later on in the commercial world became known as ASIC.
Most of the world does not realize that since AT&T was set up as a controlled monopoly in order to create a nationwide communication network, R&D for our military and many other things, that often things that were invented eventually were shared with the world. We were obligated to make many R&D through production level things available.
At any rate, between working with Murray Hill N.J. sister groups, I got to see many things, some at a pure research level. I miss working for what was once a really great company.
At any rate just curious as to what Lab facilities you may have stepped into.
19 posted on 01/01/2006 10:41:57 AM PST by Marine_Uncle (Honor must be earned)

To: Marine_Uncle; hiredhand
I followed Fred Vorck's instructions for building a W2K installation CD that doesn't have IE, Outlook Express and a host of other holes.

www.vorck.com and click on the Circle with a slash over the blue E icon.

20 posted on 01/01/2006 2:48:46 PM PST by George Smiley (This tagline deliberately targeted journalists.)

