Windows metafile vulnerabilities

netsec January 4th, 2006

I’ve spent most of my time since this weekend dealing with the latest Windows vulnerability; I’m afraid this one’s a biggie. After doing some research, it sounds more like a poorly crafted feature than a bug: apparently, some group at Microsoft designed a facility for code execution from within a data element. The mechanism is the metafile Escape record with the SETABORTPROC function, which lets a metafile register a callback that GDI then calls while playing the file, so the “code” is just bytes sitting in what everyone treated as picture data. So much for the old “XXX format isn’t executable” argument.

The threat landscape for this one is as frightening as any other exploit I’ve seen; there are several vectors for this vulnerability. Windows parses the WMF file format regardless of whether or not the file has a .wmf extension (GDI identifies a metafile by its header, so a file renamed to .jpg or .gif is still played as a WMF), Google Desktop Search launches the payload regardless of user input when it indexes WMF files, and Microsoft has been mum regarding a patch for this. One nice touch: the exploits seen in the wild pad the size of the payload to force fragmentation across several packets, obscuring the exploit from network intrusion detection systems that only inspect the first packet or a fixed window of a stream.
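The first and last of those vectors, as an added example that is not code from the original post: a small content-based scanner in Python that ignores the file extension entirely, walks the WMF record list, and flags any META_ESCAPE record whose escape function is SETABORTPROC. The record layout (an optional 22-byte placeable header, an 18-byte standard header, then records of a 32-bit size in words plus a 16-bit function code) is the standard WMF format; the sample files, the padding record and the `\xcc` placeholder bytes standing in for shellcode are constructed here for the demo and are not captures of the in-the-wild exploit.

```python
import struct

# WMF constants (from the Windows metafile format); the vulnerable record is a
# META_ESCAPE whose escape function is SETABORTPROC.
PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic, 22-byte prefix
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
MFCOMMENT = 0x000F


def parse_wmf_records(data):
    """Walk a WMF file by content and return [(offset, function, params)].

    Raises ValueError when the bytes are not a structurally valid WMF, so a
    caller can treat 'malformed' as its own verdict rather than as 'clean'.
    """
    base = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        base = 22                                    # skip the placeable header
    if len(data) - base < 18:
        raise ValueError("too short for a WMF header")
    mtype, hdr_words, _ver, _size, _nobj, _maxrec, _ = struct.unpack_from(
        "<HHHIHIH", data, base)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("no WMF header at offset %d" % base)
    off = base + 18
    records = []
    while True:
        if off + 6 > len(data):
            raise ValueError("truncated record at offset %d" % off)
        size_words, func = struct.unpack_from("<IH", data, off)
        size_bytes = size_words * 2                  # record sizes are in 16-bit words
        if size_bytes < 6 or off + size_bytes > len(data):
            raise ValueError("bad record size at offset %d" % off)
        records.append((off, func, data[off + 6:off + size_bytes]))
        if func == META_EOF:
            return records
        off += size_bytes


def find_setabortproc(data):
    """Return [(offset, escape_byte_count)] for every SETABORTPROC escape record."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, count))
    return hits


def scan(filename, data):
    """Content-based verdict; the filename is deliberately ignored."""
    try:
        hits = find_setabortproc(data)
    except ValueError:
        return "not a WMF (or malformed)"
    if hits:
        return "WMF with SETABORTPROC escape (%d record(s))" % len(hits)
    return "WMF, no SETABORTPROC escape"


# --- constructed samples for the demo (not real captures) ---------------------
def _record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"                            # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records):
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    return header + body


FAKE_SHELLCODE = b"\xcc" * 16                        # placeholder bytes, not a payload
EOF = _record(META_EOF)
BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)), EOF])
EVIL_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + FAKE_SHELLCODE), EOF])
# Same trigger preceded by 3000 bytes of comment padding, mimicking samples that
# push the trigger past the first packet an IDS inspects.
PADDED_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", MFCOMMENT, 3000) + b"A" * 3000),
                   _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + FAKE_SHELLCODE), EOF])
PLACEABLE_EVIL = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + EVIL_WMF

if __name__ == "__main__":
    for name, blob in [("clean.wmf", BENIGN_WMF), ("holiday.jpg", EVIL_WMF),
                       ("photo.gif", PADDED_WMF), ("sample.wmf", PLACEABLE_EVIL)]:
        print("%-12s %s" % (name, scan(name, blob)))
```

Two things worth noting for anyone running this over a mail spool or proxy cache: the scanner walks the whole record list, so the padding trick that defeats a first-packet signature does nothing against it, and a file that fails to parse is reported as malformed rather than clean, because a truncated or oddly sized record is exactly what an exploit generator tends to produce. SETABORTPROC had a legitimate use in printing, so treat a hit in a file that arrived as an “image” as a strong indicator rather than proof of exploitation.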

Note that Microsoft does suggest a workaround which doesn’t hinder system functionality too greatly: unregistering the Windows Picture and Fax Viewer (shimgvw.dll). Keep in mind that this only removes the most common rendering path; the vulnerable code in GDI itself is still there for any other application that plays metafiles. There’s also a 3rd-party patch written by a very well-respected developer, which is endorsed by SANS. I’ve tried it on my home systems and several systems at work, and it works as advertised.

The Metasploit framework was updated before the new year, and I was able to craft a WMF exploit for testing in 10 minutes.

Regarding Metasploit ethics: there is no need to make tools illegal when there are already laws enacted to cover the use of those tools. As a network manager, access to the tools used by people trying to exploit my network is invaluable, and when you outlaw network security tools…

Hardware Data Execution Protection appears to work as designed. Older hardware using Windows XP software DEP appears vulnerable. Windows Server 2003 systems, while included in the advisory, are all running Internet Explorer Enhanced Security Configuration and appear to be protected from web-based payloads.

The people at F-Secure have a wonderful weblog describing their research — I’m really happy with their products and their contributions to the security community.

And now, I just read that there’s a Win32.Sober variant that’s going to kick off on Friday the 6th…
