Version 2 of the WMF exploit vs Windows 98 SE



Ok, I wasn’t quite satisfied with the results of the tests against the first version of the WMF (Windows Metafile) zero day exploit that’s now up to 4 or 5 days old or so… Windows 98 is listed as being vulnerable, but there are no patches or workarounds currently available for Windows 98 users. I was mostly curious to see if current exploits could wreck a Windows 98 system. The answer at this point is: not that I can see.


It’s possible that with certain software configurations the exploit would have a better chance, but I ran a first round of tests against readily available exploit samples (all seem to be the original exploit). I just now finished trying to use the latest metasploit exploit samples (released the 31st…). Still, no luck at infecting the system. Explorer loads the page and asks if it should save or open the file. This was a .wmf, and I tried to open it with Kodak Imaging; I then get a message that “the document’s format is invalid or not supported.” Nothing further.

Another file from the same metasploit session has been scanned by clamav and appears ok, in spite of the fact that I know it’s not. (Signatures for this second approach to the exploit are going to be hard to come by given the random nature of the exploit generation.) In other words, I cannot get the exploit to work on a default Windows 98 SE install (within a virtual machine). Neither the first nor the second variation on the exploit seems to gain any traction on the platform. No payload seems to be run. No DoS, just an error with the file type.
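Since the randomized generator defeats byte signatures, a defender can instead check the metafile’s structure. The following is an added example of mine (not from the post or from metasploit): it walks the WMF record list and reports any META_ESCAPE record whose escape function is SETABORTPROC, the escape the WMF zero day relies on. The two sample files are constructed inline; `build_wmf`, `iter_wmf_records` and `find_setabortproc` are my own names.

```python
import struct

# WMF constants (public format values)
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape function abused by the WMF zero day

def iter_wmf_records(data):
    """Yield (offset, function, params) for each record; tolerant of bad sizes."""
    off = 0
    if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError('truncated WMF header')
    header_words = struct.unpack_from('<H', data, off + 2)[0]  # normally 9 words
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        if size_words < 3:          # record claims to be smaller than its own header
            raise ValueError('malformed record at offset %d' % off)
        end = min(off + size_words * 2, len(data))   # clamp a lying Size field
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end

def find_setabortproc(data):
    """Return offsets of every ESCAPE record that requests SETABORTPROC."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from('<H', params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits

def build_wmf(records):
    """Constructed test helper: pack (function, params) pairs into a memory WMF."""
    body = b''.join(struct.pack('<IH', 3 + len(p) // 2, f) + p for f, p in records)
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    return header + body

# Constructed samples: a harmless metafile and one carrying the escape record.
BENIGN = build_wmf([(META_SETBKCOLOR, struct.pack('<I', 0x00FFFFFF)), (META_EOF, b'')])
SUSPECT = build_wmf([(META_SETBKCOLOR, struct.pack('<I', 0x00FFFFFF)),
                     (META_ESCAPE, struct.pack('<HH', SETABORTPROC, 0)),
                     (META_EOF, b'')])

if __name__ == '__main__':
    print('benign:', find_setabortproc(BENIGN), 'suspect:', find_setabortproc(SUSPECT))
```

Any SETABORTPROC escape in a metafile served from the web is a strong indicator regardless of what bytes follow it, which is what makes this check robust against payload randomization.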

I’m opening this one up to comments in case anyone has found a way that Windows 98 is susceptible to what’s going around. (I suspect that different software configurations might be vulnerable? I just tested the base OS with a fairly default install (NO antivirus or firewalling).) As I mentioned before, this doesn’t necessarily mean that Windows 98 is safe. It is reported as having the same vulnerability. The effects of the vulnerability are possibly different, or the exploit can’t be done the same way for Windows 98. Hopefully, since the Windows 98 install base is so small, it won’t be a tempting enough target that someone finds a way to infect it.

–update 1/2/06–

I just played around again with the exploit using a different payload (upload and execute file). That fails also. I did notice that the metasploit module for this has been updated. I think the only change is that it now includes Vista as a target (I don’t recall seeing that before.)
