Dec. 29, 2005, 12:59 AM
http://isc.sans.org/diary.php?rss&storyid=975
http://www.dslreports.com/shownews/70787
Quote:It appears that a new zero-day exploit affecting fully-patched Windows installations is afoot, according to the Sans Internet Storm Center and users in our Security Forum. Merely viewing a malicious WMF image in Internet Explorer will install various and significant nasties to your PC. Additional information is available at the FSecure and Sunbelt Blogs.
In Regards to Browsers
If you're running Windows XP or 2003, it doesn't matter what browser you're using, you can still be infected. This is due to a big hole in "shimgvw.dll".
Workarounds
Official Hotfix
Official hotfix from Microsoft:
http://www.microsoft.com/technet/securit...6-001.mspx
Download the one that corresponds to the version of Windows you are using.
Unofficial Hotfix
Ilfak Guilfanov has released a hotfix to fix this vulnerability!
Quote:The fix does not remove any functionality from the system, all pictures will continue to be visible.
It should work for Windows XP SP2 and XP 64-bit. Guys running W2K - sorry, I do not have this system anymore, but if you contact me we will try to find a solution.
Technical details: this is a DLL which gets injected to all processes loading user32.dll.
It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore.
I can imagine situations when this sequence is useful. My patch completely disables this escape sequence, so please be careful. However, with the fix installed, I can browse files, print them and do other things.
If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as "Windows WMF Metafile Vulnerability HotFix". I'd like to know what programs are crippled by the fix, please tell me.
I recommend you to uninstall this fix and use the official patch from Microsoft as soon as it is available.
http://www.hexblog.com/2005/12/wmf_vuln.html
(You can download it from the above URL)
Proxomitron
Proxomitron can act as a very strong workaround for this issue, killing all WMF-exploit files by identifying the exploit code itself.
Delete the old filters if you want to install these newer filters.
It uses a sophisticated matching system created by JJoe, based on flags. If the standard header is not found, no flag is set and the filter fails. If it is found, a flag is set, the standard header is left unmodified, and the filter continues with the next match, which matches the exploit code itself. If that matches and the flag confirms that the static header section was matched first, the filter kills the exploit code and the rest of the file, rendering it useless, since the payload section is located after the exploit code (26 [00-FF] 09 00).
Please note that by standard header, I mean the constant sections of the header. In the filter, I skip 10 bytes out of the 18 bytes, since they are dynamic.
The only drawback is that some junk bytes are left behind (from the header up to the bytes before the exploit code). I couldn't come up with any solution to this, so I have updated the Alert message, saying that the file being downloaded has been "nullified" and that it poses no danger.
There are many pros to this method. The lower Bytes Limit makes it much faster and easier on CPU resources. It can potentially match any file size, according to my intense tests (I inserted like 1 MB of useless code between the standard header and the exploit code, and it still matched). I also tested for any possible false positive, like a file with the exploit code before the header section match.
Also, with the header filter, it will truly match ALL files, including GIF files. However, for users who are "freezing" GIF animations, this feature won't work. JJoe had created a filter that changed the content-type of GIF files to JPEG, so they would be matched by the Web Page filter. I've decided to merge the two functions together, filtering all files while setting the content type of GIF files to JPEG in one filter, to ease the installation process.
Web Page Filter:
Code:
[Patterns]
Name = "Windows: Nullify Suspected WMF-Exploit Files [Kye-U] {JJoe}"
Active = TRUE
Limit = 18
Match = "[%00-%02][%00][%09][%00][%00][%03]([%00-%FF]+{10})[%00][%00]$SET(SS=1)PrxNeverMatch"
"|[%26][%00-%FF][%09][%00]$TST(SS=1)"
Replace = "\k$ALERT(Suspected WMF-Exploit File Nullified on:\n\n\u\n\nProbable exploit and payload has been removed from the file.\n\nThe file is now harmless.)"
Header Filter:
Code:
[HTTP headers]
In = TRUE
Out = FALSE
Key = "Content-Type: !!!Filter All File Types {P} [Kye-U] {JJoe} (In)"
URL = "(^local.ptron/)$FILTER(true)"
Match = "(*|)image/gif(*|)$SET(1=image/jpeg)|\1"
Replace = "\1"
Many thanks to JJoe.
Test the filters using harmless WMF-Exploit files here:
http://74.53.146.215/WMF/
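The check the Web Page filter performs, written out in Python as an added example (this is not code from the original post, nor part of Proxomitron or either hotfix). It applies the same test on the constant header bytes (type 0..2, header size 9, version 0x0300, NumberOfMembers 0, skipping the 10 dynamic bytes), then walks the WMF record list structurally instead of pattern-matching the raw byte stream, and flags a META_ESCAPE record whose escape number is SETABORTPROC (9). Like the filter it keys only on the low byte 0x26 of the function number. It goes beyond the filter in two ways: it skips the 22-byte placeable (Aldus) header when present, and it reports malformed record sizes rather than silently reading past them. The sample files are constructed fixtures containing only record headers, with no escape data.

```python
"""Structural WMF scanner for the META_ESCAPE/SETABORTPROC record.
Added example; not the Proxomitron filter or any tool from the post."""
import struct

META_ESCAPE_LOW = 0x26   # low byte of the META_ESCAPE function number (0x0626)
SETABORTPROC = 9         # escape subtype the post's pattern keys on ("26 xx 09 00")
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # placeable WMF magic; 22-byte header precedes the standard one


def parse_header(data, offset=0):
    """Apply the filter's constant-byte test to the 18-byte standard header.
    Returns the offset of the first record, or None if the header does not match."""
    if len(data) < offset + 18:
        return None
    mtype, hsize, version, _fsize, _nobj, _maxrec, nmembers = struct.unpack_from(
        "<HHHIHIH", data, offset)
    # Type 0..2, HeaderSize 9 words, Version 0x0300, NumberOfMembers 0; the
    # FileSize / NumberOfObjects / MaxRecord fields are the 10 skipped bytes.
    if mtype > 2 or hsize != 9 or version != 0x0300 or nmembers != 0:
        return None
    return offset + 18


def scan_wmf(data):
    """Walk the record list. Returns a dict with header_ok, suspect, records, note."""
    result = {"header_ok": False, "suspect": False, "records": 0, "note": ""}
    offset = 22 if data.startswith(PLACEABLE_KEY) else 0
    pos = parse_header(data, offset)
    if pos is None:
        result["note"] = "no standard WMF header"
        return result
    result["header_ok"] = True
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)  # size is in 16-bit words
        if size_words < 3 or pos + size_words * 2 > len(data):
            result["note"] = "malformed or truncated record at offset %d" % pos
            break
        result["records"] += 1
        if func == 0:  # META_EOF terminates the record list
            break
        # Only the low byte of the function number is compared, as in the filter.
        if func & 0xFF == META_ESCAPE_LOW and size_words >= 4:
            (escape_no,) = struct.unpack_from("<H", data, pos + 6)
            if escape_no == SETABORTPROC:
                result["suspect"] = True
                result["note"] = "SETABORTPROC escape record at offset %d" % pos
                break
        pos += size_words * 2
    return result


def _header(total_words):
    # Constructed standard header: disk metafile, 9-word header, version 3.0.
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 3, 0)


# Constructed fixtures: a minimal benign file (header + META_EOF) and one that
# carries an empty META_ESCAPE/SETABORTPROC record before the EOF.
BENIGN_WMF = _header(12) + struct.pack("<IH", 3, 0x0000)
SUSPECT_WMF = (_header(17)
               + struct.pack("<IHHH", 5, 0x0626, SETABORTPROC, 0)
               + struct.pack("<IH", 3, 0x0000))
PLACEABLE_WMF = PLACEABLE_KEY + b"\x00" * 18 + BENIGN_WMF

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                       ("placeable", PLACEABLE_WMF), ("gif", b"GIF89a" + b"\x00" * 20)):
        print(name, scan_wmf(blob))
```

The walk stops at the first SETABORTPROC record, which is the same point at which the filter starts discarding data; a proxy or mail gateway that wanted to go further than "nullify" could simply drop the response once `suspect` is set, since the rest of the file carries nothing legitimate to render.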
Disable shimgvw.dll
The root issue is with the "shimgvw.dll" DLL file.
Disabling it will prevent infection. Please note that disabling it will stop image thumbnails from appearing.
Disable: Start > Run > regsvr32 /u shimgvw.dll
Enable: Start > Run > regsvr32 shimgvw.dll