Saturday, December 31, 2005

An Alternative Method of Fixing the WMF Vulnerability - UPDATED

I can't say it any better than the F-Secure blog said it. So here it is..
Here's an alternative way to fix the WMF vulnerability.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF's SETABORT escape sequence that is the root of the problem.

Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

More details from Ilfak's blog: http://www.hexblog.com.
Most people in the patch management world would never recommend a patch NOT from the original vendor, but Ilfak isn't just some kid. This is real...

If you test it, let me know how it works.

UPDATE - I have installed this on my personal laptop and seems to do exactly what it was meant to do. People that are serious about blocking this very danger attack should seriously look at this patch. Even the ISC has given it the go ahead.

They have earned my trust, that is for sure.

WMF Story - Day 4

1) Microsoft has updated their security advisory about the WMF. It now confirms that software-based DEP does NOT protect you from the WMF Exploit.

2) Also on FD, HD Moore has released an updated Metasploit 2.5 MWF Attack Module. This new version uses the "Escape/SetAbortFun code execution flaw" and pads the Escape() call with random WMF records.

3) Viruslist.com is reporting the first IM-Worm to exploit the WMF vulnerability. Appears to be spreading via MSN at this point, but i wouldn't be suprised to see copies on ICQ, AIM and Yahoo soon.

As far as I can tell, one of the biggest attack vectors is the IFRAME tag in a hacked/bad website.
As the number of attacks grow and become more and more nasty...we all wait for a patch. Do you think Microsoft will release it out of cycle? Who knows...

Friday, December 30, 2005

WMF Exploit Story - Day 3

Information is building and views are changing all the time. But everyone agrees that this WMF Zero-Day is nasty. Here is what we know on "WMF Day 3"


DEP Method

Sunbelt is reporting on their blog that the software-based DEP Windows XP SP2 method once suggested by Microsoft is not very effective. They found that hardware-based DEP is effective, but requires a CPU that supports it.

REGSRV32 Method

Bill Hayes pointed me to the latest F-Secure blog entry this morning. F-Secure found that the REGSRV32 workaround doesn't protect you from the WMF when using MSPaint. Great! lol

They suggest not using MSPaint at all for a while, which doesn't seem too difficult at this point.


It should also be stated that using Firefox does NOT protect you totally. Firefox is still open the WMF but it does require a bit more user interaction than IE – which requires zero. ;)

So the war isn’t over. But here are several suggestions that can only help the cause.

1) Always test any workaround before applying it to your network. This really applies to many things and it good all around advice.

2) Don’t trust one workaround to protection you totally. Apply the “Defense in Depth” idea to any threat. In the WMF case, this would include up-to-date antivirus on the clients and on the proxy edge. Use dynamic blocking of known sites with bad WMF using advanced (yet costly) proxy filtering software. Static block known sites if needed.

Here is an incomplete list

m.cpa4[dot]org
008k[dot]com
mscracks[dot]com
keygen[dot]us
dailyfreepics[dot]us
pornsites-reviews[dot]com
mmxo.megaman-network[dot]com
600pics[dot]com
Crackz[dot]ws
unionseek[dot]com
tfcco[dot]com
Iframeurl[dot]biz
beehappyy[dot]biz
Buytoolbar[dot]biz
teens7[dot]com
toolbarbiz[dot]biz
toolbarsite[dot]biz
toolbartraff[dot]biz
toolbarurl[dot]biz
buytoolbar[dot]biz
buytraff[dot]biz
iframebiz[dot]biz
iframecash[dot]biz
iframesite[dot]biz
iframetraff[dot]biz
iframeurl[dot]biz

Thursday, December 29, 2005

WMF Exploit hits Third-Party Ad Network

http://sunbeltblog.blogspot.com/2005/12/exfol-using-wmf-exploit-on-rotational.html

Man, this is just getting nasty...use Firefox.

CounterMeasures for the WMF 0-Day Exploit

1) Bleeding-Edge Snort has WMF exploit detection sigs for the open-source IDS known as Snort.

2) Combined those sigs with SunBelt's Free (or Full) Kerio Firewall, to help block and detect the WMF exploit. Get the how-to on the SunBeltBlog.

3) Disabling the library that contains the vulnerability will also work. From the ISC/SAN website. FYI - Infocon = Green
The vulnerability seems to be within SHIMGVW.DLL. Unregistering this DLL (type REGSVR32 /U SHIMGVW.DLL at the command prompt or in the "Start->Run" Window, then reboot) will resolve most of the vulnerability, but will also break your Windows "Picture and Fax Viewer", as well as any ability of programs like "Paint" and "Explorer" to display thumbnails of any picture and real (benign) WMF files.

"There is no Spoon" - Vanishing Teaspoons

Noticed this funny article on Scotsman.com and wanted to share it. We need some humor with all the bad Windows WMF stuff running around.

Viewing the article will require you to register your soul away, or you could just use Bugmenot.com - which is what I did.

Scientist cause a stir over vanishing teaspoons.

SCIENTISTS have proved what is common knowledge to most people - that teaspoons appear to have minds of their own. A study monitored the movements of 70 secretly numbered teaspoons over five months. Supporting expectations, 80 per cent of the spoons vanished during the period - although those in private areas lasted nearly twice as long as those in communal sections. "At this rate, an estimated 250 teaspoons would need to be purchased annually to maintain a workable population of 70 teaspoons," said researchers from the Macfarlane Burnet Institute for Medical Research and Public Health in Melbourne. Writing in the British Medical Journal, they said their research proved that teaspoons were an essential part of office life and the rapid rate of disappearance proved that this was under relentless assault. Regretting that scientific literature was "strangely bereft" of teaspoon-related research, the scientists offered a few theories to explain the phenomenon. Taking a tip from Douglas Adams's Hitchhiker's Guide to the Galaxy , they suggested that the teaspoons were quietly migrating to a planet uniquely populated by "spoonoid" life. They also offered "resistentialism", in which inanimate objects like teaspoons have an aversion to humans. On the other hand, they suggested, people might simply be taking them.


Wednesday, December 28, 2005

Microsoft Windows Zero-Day Making the Rounds - UPDATED

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error in the handling of corrupted Windows Metafile files (".wmf"). This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using older versions of Firefox, current versions of Opera, Outlook and all current version of Internet Explorer on all versions of Windows.

Secunia has classified the vulnerability as "Extremely Critical". It is currently unpatched and being exploited in the wild to spread spyware and viruses.

HD Moore has included this new exploit in his Metasploit Framework. The exploit was discovered by "noemaipls" and released onto the Bugtraq Security Mailing List.

Sunbelt Software, makers of CounterSpy, has reported via the FD Security Mailing List seeing this exploited on multiple sites and increasing in use. They also provided several live links to the exploit.

UPDATE (12/28/05) -

Here is the Exploit on the French Security Incident Response Team (FrSIRT) website, a known exploit release site.

Here is a demo video of the exploit from Websense Security Labs.

UPDATE (12/29/05) -

Microsoft has released a Security Advisory titled "Vulnerability in Graphic Rendering Engine Could Allow Remote Code Execution".

All versions of Microsoft Windows are open to this attack. But several special features in Windows 2003 SP1 can mitigate the attack when the vector is e-mail.

CERT Vulnerability Note VU#181038

It has also been reported that Google Desktop may be another potential attack vector and that various anti-virus software products cannot detect all known variants of exploits for this vulnerability.

IMPORTANT NOTE - We must also remember that WMF files can pretend to be other image files (JPEG, GIF, TIF, etc). Just because the file is named .gif, doesn't mean it really is. Windows will read the inside the file, see that it is a WMF and run as normal.

SunBelt has released a

Thursday, December 22, 2005

Sacred Gospel of the Flying Spaghetti Monster Found!!

Ok, it wasn't found...but it is being written. Scheduled for publication in March.

Wired Article and interview with Bobby Henderson - Passion of the Spaghetti Monster

Learn more about the Chruch of the Flying Spaghetti Monster at Wikipedia

-Ramen

Tuesday, December 20, 2005

Its a Wonderful Internet - Happy Bedtime Story

Ok, more humor and fun. It shows you how much the internet has changed our world in that little kid bedtime story kind of way. =)

It's a Wonderful Internet

Thanks Todd P. for the link.

Thursday, December 15, 2005

Building the Real "A-Team"

Ok, so this is the "side of humor" entry. This is great. It cleared up my "case of the Mondays" on this week. Enjoy.

Finding The A-team: A Stuffo Experiment

New Metasploit Framework v3.0 Alpha Release 1

The Metasploit Framework (MSF) is an advanced open-source platform for developing, testing, and using exploit code. The MSF can be roughly compared to commercial offerings such as Immunity's CANVAS and Core Security Technology's Impact. The major difference between the Framework and these commercial products is the focus; while the commercial products need to provide the latest exploits and an intuitive GUI, the Framework was designed to facilitate research and experimentation with new technologies.

The original MSF was written in Perl scripting lanuage and included various components written in C, assembler, and Python. The new 3.0 branch was a complete rewrite of the 2.0 branch using the Ruby programming language.

The primary goals of the 3.0 branch are listed below:
  • Improve automation of exploitation through scripting
  • Simplify the process of writing an exploit
  • Increase code re-use between exploits
  • Improve and generically integrate evasion techniques
  • Support automated network discovery and event correlation through recon modules
  • Continue to provide a friendly outlet cutting edge exploitation technology

Remember this is a *alpha* release, so things will break. Help HD Moore by giving good quality feedback. It is almost crazy to see how this project has expanded and growth. Nice work indeed.

Sorry no Windows support yet, only Linux and Mac OX platforms with Ruby 1.8.x are supported.

Wednesday, December 7, 2005

Nmap 3.94 ALPHA3 Released - UPDATED

Update - Nmap 3.95 has been released, check out http://www.insecure.org/

Nmap is the de facto port scanner in existence today.

Fyodor recently released Nmap 3.94 ALPHA3. He spent all last weekend trimming its waistline. This should reduce the memory consumption on very large network scans. Remember this is an ALPHA release, so treat it as such.

Download Points

Linux Source - http://download.insecure.org/nmap/dist/nmap-3.94ALPHA3.tgz
Linux RPM - http://download.insecure.org/nmap/dist/nmap-3.94ALPHA3-1.src.rpm
Windows Binary - http://download.insecure.org/nmap/dist/nmap-3.94ALPHA3-win32.zip

Nice work Fyodor. Thanks Harlan for catching my error, even if I was late to fix it.

Thursday, December 1, 2005

UPDATED - Gmail to Include Anti-Virus Scanning Soon

Like Yahoo Mail, Gmail will soon start to scan all attachments for viruses. Any detect viruses will be cleaned or deleted. As far as I can tell, it doesn't sound like there is a way to disable this feature - which is sad but understandable.

Since it was first created, Google has locked down some of the "nice" features of Google in the name of security. For example, Zip files are blocked, but this is easily bypassed by renaming the file.

Looks like if you want to trade exploit code or new malware on Gmail, you will need to get your GPG up and working if you want to continue.

Google is not just increasing the security of the free service; they are adding many cool features as well. I really like the AutoSave feature - oh and the 2.5 GB of storage.

Question of the Day - Which Anti-virus product will Google license for Gmail? Sophos? F-Secure? Kaspersky? Trend Micro? Or will it be one of the US Standards - McAfee & Symantec.

UPDATE - Ryan over at thebillygoatcurse.com ran a series of tests and decided that Gmail is using Sophos. His results are very interesting. Thanks Michael for the information.