I’ve spent some more effort on trying to infect Windows 98 SE in a virtual machine with some of the exploit samples I can find. The first attempt was at a website with the .wmf download. No luck infecting the system there. Then, I’ve loaded up the image and visited kyeu dot info/WMF/ and tried each of the files there. I don’t have a zip handler in my Windows 98 SE image so that didn’t get tested, but I’m getting nowhere here. Gif opens with Explorer and gives a red x to indicate a broken image, the text file opens as a binary file viewed in a text editor, the htm file does the same only in explorer (I see what I’d usually see if I tried to open a binary file in a web browser…) The avi opens with Media Player and complains about it being an incompatible format.
Tag: WMF
-
WMF exploit and Windows 98
Most of the talk on the WMF zero-day has centered on Windows XP, 2000 and 2003. The unofficial patch is available for those three platforms. Microsoft’s (eventual) patch will likely be for those as well. Incidents.org had a comment in one of their posts that this would be a “watershed moment” for Windows 98/ME and that those users should upgrade immediately as there is little/no hope for a patch.
-
WMF vulnerability checker
The same person that has given the New Year’s gift of an unofficial patch for the WMF exploit circulating has also provided a WMF vulnerability checker, download and install, it will tell if you’re vulnerable. Post is available here. According to the first comment it seems as though the vulnerability checker is triggering Norton’s auto-protect. (Norton detects it as “Bloodhound.Exploit.56”). (Which is a good sign…)
-
WMF exploit situation summary…
Since there’s been quite a bit of flux the last couple of days I thought I’d try to “reset” the situation and give a general overview of where we stand now with regards to the recent WMF zero-day exploit.
1st there is a vulnerability in the way Windows renders WMF (Windows MetaFile) image files that makes possible an exploitable buffer overflow allowing remote execution. There are at least two exploits for this vulnerability and it is not necessary for the wmf to have a name ending in .wmf (it could masquerade as jpg for instance.) The specially crafted WMF could be in a web page, email (html email), or other document. There are many possible vectors of entry for this.
-
WMF Exploit — it’s worse…
This is going to be a rough start to the new year for IT staff and computer users….
There’s coverage at Incidents.org, the sunbeltblog and f-secure of the latest twist in what will likely be a BIG mess to clean up. It looks like there’s a someone spamming emails to tons of addresses with a specially crafted image (uses the WMF exploit.) It’s also a slightly different variant of the exploit.
-
WMF exploit unofficial patch
Sans is talking about the unofficial patch for the WMF vulnerability. One of their handlers has helped with it to extend it to work on XP SP 1 and Windows 2000. They’ve also looked at the patch thoroughly and it sounds as though it’s very well done.
-
NEW exploit for the WMF vulnerability
Just when you thought we had a good understanding of the recent zero-day WMF (Windows metafile exploit) it’s worse. Sans is reporting on a new variation on the exploit released today. They have gone to yellow (again) to warn people. Here are some details. This exploit was “made by the folks at metasploit and xfocus, together with a anonymous source.”
-
WMF exploit through indexing software
One of the vectors that has been mentioned early on is the infection of a system through the WMF exploit even when the exploited file was downloaded through a dos command shell. At first this seemed absurd, but it appeared that Google Desktop search was indexing files dynamically and once the file was downloaded it indexed the file and triggered the vulnerability. There is word that Microsoft’s indexing service does likewise – although Microsoft has only said that they’re “looking into reports”. Incidents.org is saying that they think this may be the giant white elephant no one is talking about. I certainly would shudder to think if machines on a network are indexing a network share and manage to subvert every machine running an indexing share….
-
New IM worm using WMF vulnerability
There is news this morning of a new twist in the WMF vulnerability (it was only a matter of time.) There are reports of an instant messenger worm using the vulnerability to spread. Currently incidents.org is reporting that the worm is spreading through the MSN messenger IM network and contains a malformed WMF file called “xmas-2006 FUNNY.jpg” The original source of the warning is Kaspersky Labs viruslist.com
-
Third Party WMF patch
The F-secure blog is reporting on a third party patch for the WMF exploit. I have not tested it, it seems to come from a knowledgable source though. As I’m writing this though, the thought strikes me that a really nasty trick would be a claimed fix that actually exploited the vulnerability. It pays to check up on the source of ANY third-party fix for Windows (or any other operating system or software suite…) Anyway, this seems to be a good source though. He’s the primary author of IDA Pro (Interactive Disassembler Pro).