WMF day-0 exploit
There is a security breach in the WMF (an old vectorial file format) support of Windows.
This is peculiar because :
- It’s not protected by DEP by default
- Even when it is, DEP may fail to protect the system
- It may be used to infect any 32bit Windows as well as x64 an Itanium versions
- It will infect users of Firefox, Opera and other alternative browsers and/or mail clients
- If you have a local indexing service it may even infect systems using text only browsers or other get utilities
- Visiting a malicious link, downloading a file without even opening its folder, even letting some antivirus programs scan your email can lead to infection
You can read more about it in these places :
http://isc.sans.org/diary.php?storyid=975
http://www.f-secure.com/weblog/archives/archive-122005.html#00000753
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://sunbeltblog.blogspot.com/2005/12/workaround-for-wmf-exploit.html
Update:
Here are some attacking scenarios not included in the posts I read about the problem :
- Malicious user copying infected files on a network share on a computer using an indexing service (it could be your file server if for whatever reason you have an indexing service running on it
- Malicious user copying infected files on a network share on a computer which for whatever reason reads an image from the disk on an overwritable location
- Internal malicious attacks on intranets
- Very easy trap with instant messaging and P2P applications (since with indexing apps it might kill on just having the file..)
- Malicious user overwriting the setup image of any software install disk shared on a network share
- Forums and other “upload your photo” websites. I can’t wait to hear the first user on any forum complaining about the avatar of user X being a malicious wmf renamed as png. Maybe we will not hear him because everytime he enters the forum to complain he has to reinstall Windows
Buffer overflow attacks bypassing DEP (NX/XD bits) - part 2 : Code injection
While the attack we’ve seen in the first part are indeed powerful, they are limited to simple calls to functions already linked by the program we’re going to attack. To appreciate full power we should exploit the technique used in the first part for injecting arbitrary code in the program.
The first experiment I tried was calling VirtualProtect to change the permissions on the stack. However it requires to know the exact address that was used in a previous call to VirtualAlloc to work properly, and I couldn’t find an immediate way to know that address. After that I investigated to check if I could trick the memory manager in changin permissions using VirtualAlloc. Doing this I found this wonderful blog article. Take your time and read it, it’s very interesting. Now, that’s time to try his trick on an executable.
Buffer overflow attacks bypassing DEP (NX/XD bits) - part 1 : Simple Call
Premise
All you read here (and its sequel posts) is just a concrete implementation of many proposed ways to exploit buffer overflows to execute arbitrary code; in particular this post will focus on bypassing the DEP (Data Execution Prevention) which uses the NX bit on AMD chips and XD bit on Intel chips to prevent code execution from data segments (NX and XD are, as far as I know, the same bit with two different names so that Intel’s pride was satisfied - just like amd64 techology is also called x86-64, x64, aa64 and em64t - wasn’t a name enough ? :|) .
The DEP is really a needed feature which was incredibly missing from x86 (ia32 ;)) processors. It is a good protection which effectively makes harder to write exploits for unchecked buffers bugs. However it doesn’t make them impossible - it just makes them slightly harder to do.
If this post (and its sequels) strikes you down in fear, then remember to update all your applications to the latest versions and check them consistently for bugfixes repairing buffer overflows, and if you are a programmer, triple check your code to look for these bugs.
Please, note also that nothing in these posts is an original idea, since these methods are discussed in theory in many sites around the internet. What was missing was a proof of concept of those exploits, which you can find here.
