WMF day-0 exploit

There is a security breach in the WMF (an old vectorial file format) support of Windows.
This is peculiar because :

• It’s not protected by DEP by default
• Even when it is, DEP may fail to protect the system
• It may be used to infect any 32bit Windows as well as x64 an Itanium versions
• It will infect users of Firefox, Opera and other alternative browsers and/or mail clients
• If you have a local indexing service it may even infect systems using text only browsers or other get utilities
• Visiting a malicious link, downloading a file without even opening its folder, even letting some antivirus programs scan your email can lead to infection

You can read more about it in these places :

http://isc.sans.org/diary.php?storyid=975
http://www.f-secure.com/weblog/archives/archive-122005.html#00000753
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://sunbeltblog.blogspot.com/2005/12/workaround-for-wmf-exploit.html

Update:
Here are some attacking scenarios not included in the posts I read about the problem :

• Malicious user copying infected files on a network share on a computer using an indexing service (it could be your file server if for whatever reason you have an indexing service running on it
• Malicious user copying infected files on a network share on a computer which for whatever reason reads an image from the disk on an overwritable location
• Internal malicious attacks on intranets
• Very easy trap with instant messaging and P2P applications (since with indexing apps it might kill on just having the file..)
• Malicious user overwriting the setup image of any software install disk shared on a network share
• Forums and other “upload your photo” websites. I can’t wait to hear the first user on any forum complaining about the avatar of user X being a malicious wmf renamed as png. Maybe we will not hear him because everytime he enters the forum to complain he has to reinstall Windows

Buffer overflow attacks bypassing DEP (NX/XD bits) - part 2 : Code injection

While the attack we’ve seen in the first part are indeed powerful, they are limited to simple calls to functions already linked by the program we’re going to attack. To appreciate full power we should exploit the technique used in the first part for injecting arbitrary code in the program.

The first experiment I tried was calling VirtualProtect to change the permissions on the stack. However it requires to know the exact address that was used in a previous call to VirtualAlloc to work properly, and I couldn’t find an immediate way to know that address. After that I investigated to check if I could trick the memory manager in changin permissions using VirtualAlloc. Doing this I found this wonderful blog article. Take your time and read it, it’s very interesting. Now, that’s time to try his trick on an executable.

Read more

Buffer overflow attacks bypassing DEP (NX/XD bits) - part 1 : Simple Call

Premise

All you read here (and its sequel posts) is just a concrete implementation of many proposed ways to exploit buffer overflows to execute arbitrary code; in particular this post will focus on bypassing the DEP (Data Execution Prevention) which uses the NX bit on AMD chips and XD bit on Intel chips to prevent code execution from data segments (NX and XD are, as far as I know, the same bit with two different names so that Intel’s pride was satisfied - just like amd64 techology is also called x86-64, x64, aa64 and em64t - wasn’t a name enough ? :|) .

The DEP is really a needed feature which was incredibly missing from x86 (ia32 ;)) processors. It is a good protection which effectively makes harder to write exploits for unchecked buffers bugs. However it doesn’t make them impossible - it just makes them slightly harder to do.

If this post (and its sequels) strikes you down in fear, then remember to update all your applications to the latest versions and check them consistently for bugfixes repairing buffer overflows, and if you are a programmer, triple check your code to look for these bugs.

Please, note also that nothing in these posts is an original idea, since these methods are discussed in theory in many sites around the internet. What was missing was a proof of concept of those exploits, which you can find here.

Read more

← Previous Page

• Recently Written

  • Easy Setup of Remote Debugging
  • Top 10 music for programming
  • A smarter but not smartest greedy algorithm for hotel bookings
  • Machines with the same SID are not a problem
  • AeroCycle applet
  • Porting .NET app to Vista.. DEP strikes!
  • TargetInvocationException in asynchronous web service call
  • New gmail iGoogle gadget bugged!
  • OpenSUSE 11.0 - Nurnberg down.
  • Repair broken xfce after theme selection

• Categories

  • Funny (maybe)
  • Gaming
  • Geeky side of life
  • Linux
  • Programming
    • .NET
    • C++
    • Code Snippets
    • Win32
    • x86/64 (amd64) specific
    • x86/ia32 specific
  • Rants
  • Security
  • Software releases
  • Sport Events
  • Uncategorized
  • Usability

• Archives

  • February 2010
  • November 2009
  • December 2008
  • November 2008
  • October 2008
  • September 2008
  • July 2008
  • June 2008
  • April 2008
  • March 2008
  • January 2008
  • December 2007
  • November 2007
  • August 2007
  • March 2007
  • February 2007
  • November 2006
  • October 2006
  • September 2006
  • August 2006
  • July 2006
  • May 2006
  • March 2006
  • February 2006
  • January 2006
  • December 2005
  • November 2005
  • October 2005
  • September 2005
  • August 2005
  • July 2005
  • June 2005
  • May 2005

• Admin

  • Login
  • WordPress
  • XHTML

• 
  

• About

  A blog about whatever gets on my computer or any other programmable device I own. From Linux to .NET.

• Social Networking


www.flickr.com

This is a Flickr badge showing public photos from Marco Mastropaolo. Make your own badge here.

• Blogroll

  • Ale+Ale - … Ale+Ale!
  • Blog di Paolone (it) - (Italian) Il blog di un amico :)
  • Bruce Eckel’s Free Electronic Books - Free Thinking in Java, C++, Patterns books. A must!
  • Code Project - Free code snippets for Windows
  • Dilbert - Where everyday work becomes comics
  • Eriadan (it) - (Italian) IL blog a fumetti
  • Freshmeat - Free (as in freedom) software for *nix systems
  • Full Frontal Nerdity - A comic for nerds and alikes
  • gotAPI - Language manuals and guides
  • IlTucci (it) - Blog di un caro amico!
  • Larry Osterman - Techblog of an experienced Microsoft developer
  • Lightforce Games (Flash&JS)
  • my del.icio.us page - my del.icio.us page
  • Online virus scanning - Online virus scanning
  • Order of the Stick - Best D&D Comic EVER!
  • pinvoke.net - Wiki for P/INVOKE from .NET languages (C#, VB.NET)
  • Programmers Heaven - Free programming resources
  • ScriptSpot (3dsmax) - Free scripts for 3ds max
  • Sourceforge - The biggest free (as in freedom) software library
  • SpamUsement - Great site, where everyday spam becomes funny comics :)
  • Sudoku di Repubblica (it) - Il sudoku di Repubblica! :)
  • Tom’s Bug Blog - Brain teasers for programmers