Version 2 of the WMF exploit vs Windows 98 SE



Ok, I wasn’t quite satisfied with the results of the tests against the first version of the WMF (Windows Metafile) zero day exploit that’s now up to 4 or 5 days or so… Windows 98 is listed as being vulnerable, but there are no patches or workarounds currently available for Windows 98 users. I was mostly curious to see if current exploits could wreck a Windows 98 system. The answer at this point is not that I can see.


It’s possible that with certain software configurations maybe the exploit would have a better chance, but I ran a first round of tests against readily available exploit samples (all seem to be the original exploit). I just now finished trying to use the latest Metasploit exploit samples (released the 31st…). Still, no luck at infecting the system. Explorer loads the page and asks if it should save or open the file. This was a WMF; I tried to open it with Kodak Imaging and I then get a message that “the document’s format is invalid or not supported”. Nothing further.

Another file from the same Metasploit session has been scanned by ClamAV and appears ok in spite of the fact that I know it’s not. (Signatures for this second approach to the exploit are going to be hard to come by given the random nature of the exploit generation.) In other words, I cannot get the exploit to work on a default Windows 98 SE install (within a virtual machine). Neither the first nor the second variation on the exploit seems to gain any traction on the platform. No payload seems to be run. No DoS, just an error with the file type.

I’m opening this one up to comments in case anyone has found a way that Windows 98 is susceptible to what’s going around. (I suspect that different software configurations might be vulnerable? I just tested the base OS with a fairly default install (NO antivirus or firewalling).) As I mentioned before, this doesn’t necessarily mean that Windows 98 is safe. It is reported as having the same vulnerability. The effects of the vulnerability are possibly different, or the exploit can’t be done the same way for Windows 98. Hopefully, since the Windows 98 install base is so small, it won’t be a tempting enough target that someone finds a way to infect it.

–update 1/2/06–

I just played around again with the exploit using a different payload (upload and execute file). That fails also. I did notice that the Metasploit for this has been updated. I think the only change is that it now includes Vista as a target. (I don’t recall seeing that before.)


5 Responses to “Version 2 of the WMF exploit vs Windows 98 SE”

  1. The PC Doctor Says:


    Much more on the WMF exploit

    A lot has happened since last night so let me try to bring you up to speed on things.
    First, Ilfak Guilfanov (the researcher who came up with the unofficial patch) has come out with a WMF vulnerability checker to allow you to test your systems …

  2. The PC Doctor » Blog Archive » WMF exploit - Quick Guide Says:


    [...] Further research seems to show that Windows 98, Windows 98 SE and Windows ME might be harder to infect than later versions, although they still contain the exploit and may be targeted with greater ferocity soon. [...]

  3. TomW Says:


    Nice article on Win98 testing for wmf exploit! I am also in the process of doing some tests myself as I know and/or have several clients still stuck on Win98 systems.

    You said, “Windows 98 is listed as being vulnerable, but there are no patches or workarounds currently available for Windows 98 users”, just wondered if you had seen this “patch” linked below or might have tested it??

    http://www.nod32.ch/en/download/tools.php

    It says it works with Win98 and other OS’s that are not patched by Microshaft… cause they are not “critical” …. yet

  4. Avery Says:


    Yes, I’ve seen the nod32 patch. I haven’t tested it yet. It appears that Microsoft has backed off on the Windows 98/ME systems being as vulnerable… like you say, they’re not “critical”. It would be nice if they’d patch the thing pre-emptively though; who knows, maybe two months down the road a way might be discovered that it can be more easily exploited in Windows 98. I’ll try the patch and see how it looks. I don’t have an extensive set of things installed in a VM, so testing it that way will be a bit limited.

  5. Avery Says:


    Just did a modest test of it in a VM, and did an updated post (hopefully the last on the whole WMF mess…) the post is at http://www.averyjparker.com/2006/01/06/windows-98-wmf-patch/
