RE: WMF round-up, updates and de-mystification

2006-01-04 Thread Krpata, Tyler
It looks like MS has backed off on viewing mail as a possible attack
vector. As of today, the advisory
(http://www.microsoft.com/technet/security/advisory/912840.mspx) reads:

In an E-mail based attack involving the current exploit, customers
would have to be persuaded to click on a link within a malicious e-mail
or open an attachment that exploited the vulnerability. At this point,
no attachment has been identified in which a user can be attacked simply
by reading mail.

However, the advisory now includes this (incorrect) piece of
information:

Windows Metafile (WMF) images can be embedded in other files such as
Word documents. Am I vulnerable to an attack from this vector?
No. While we are investigating the public postings which seek to
utilize specially crafted WMF files through IE, we are looking
thoroughly at all instances of WMF handling as part of our
investigation. While we're not aware of any attempts to embed specially
crafted WMF files in, for example Microsoft Word documents, our advice
to accept files only from trusted sources would apply to any such
attempts.


-Original Message-
From: Gadi Evron [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 03, 2006 3:29 AM
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.grok.org.uk; FunSec [List]
Subject: WMF round-up, updates and de-mystification

Quite a bit of confusion and a vast amount of information is coming from
all directions about the WMF 0day. Here are some URLs and generic facts
to set us straight.

The patch by Ilfak Guilfanov works, but by disabling a DLL in Windows.

So far no problems have been observed by anyone using this patch. You 
should naturally check it out for yourselves but I and many others 
recommend it until Microsoft bothers to show up with their own patch.

Ilfak is trusted and is in no way a Bad Guy.

You can find more information about it at his blog:
http://www.hexblog.com/2005/12/wmf_vuln.html

If you are still not sure about the patch by Ilfak, check out the
discussion of it going on in the funsec list about the patch, with Ilfak
participating:
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Occasional information on new WMF problems keeps coming in over there.

In this URL you can find the best summary I have seen of the WMF issue:
http://isc.sans.org/diary.php?storyid=994
by the SANS ISC diary team.

In this URL you can find the best write-up I have seen on the WMF issue:
http://blogs.securiteam.com/index.php/archives/167
By Matthew Murphy at the Securiteam Blogs.

Also, it should be noted at this time that since the first public
discovery of this problem, a new one has been coming in - every day.
All the ones seen so far are variants of the original and in all ways
the SAME problem. So, it would be best to acknowledge them as the
same... or we will keep having a NEW 0day which really isn't for about 2
months when all these few dozen variations are exhausted.

A small BUT IMPORTANT correction for future generations:
The 0day was originally found and reported by Hubbard Dan from Websense 
on a closed vetted security mailing list, and later on at the Websense 
public page. All those who took credit for it took it wrongly.

Thanks, and a better new year to us all,

Gadi.



WMF exploit

2006-01-04 Thread Andreas Marx
Hi,

I like what SANS is saying about the current MS announcement to deliver a patch 
by Jan 10, 2006, but not earlier:
http://isc.sans.org/diary.php

This is the interesting part:
Although the issue is serious and malicious attacks are being attempted, 
Microsoft's intelligence sources indicate that the scope of the attacks are not 
widespread.
- Microsoft Security Advisory (912840)

First, there are many websites which intentionally include Iframes to malware 
WMF files (like some crack, XXX or patch websites). Besides this, there 
were some mass hacks of usually more trustworthy web sites -- now, the websites 
will still render fine, but the included WMF file will be started automatically.

We have analysed some 100 malware WMF files and they can do almost anything. We 
saw download trojans, adware and spyware apps, backdoors, lots of bots (zombie 
programs), as well as password-spying programs which are looking for PINs and 
TANs for online banking attacks. I expect that some 1,000 websites are already 
compromised.

One of the malware apps we have discovered on 2005-12-29 (some days ago!) 
already had a built-in infection counter at a (hidden) website and we saw the 
number 233,000. This means, a few days back, some 100,000 PCs seem to be 
compromised already. Today, the website is still working, and has delivered 
more than 1,000,000 malware installation files already. With 1+ million PCs 
under your control, you can do almost everything!

This means, the issue is extremely critical, even if the current attack vector 
seems to be websites only. We already saw a few malware WMF files in e-mails, 
but not many. The chances are good, however, that we might see a worm in the 
next few days which spreads using WMF files and e-mail as infection vector. 
Well, I can't understand why Microsoft is considering some 1,000,000 infections 
as being not widespread. And that's the counter for just ONE special malware 
file!

Note: I've informed MS ([EMAIL PROTECTED]) about the malware links, the counter 
and I've sent them the malware WMF files as well as the downloaded EXE files 
some days ago already.

cheers,
Andreas

http://www.av-test.org




Another WMF exploit workaround

2006-01-04 Thread Ivan Arce
For those interested, Core FORCE is a free endpoint security software
currently in Beta stage. With it users can configure access control
permissions to file system objects independently of the operating
System's ACLs and security policy enforcement mechanisms.

The default security profiles of IE and FireFox included in the package
distribution prevented exploitation of the WMF bug through those
vectors. Simply because they denied execution of rundll32.exe from
within IE or Firefox. The same applies to the MSN Messenger profile
submitted to the profiles repository site.

Furthermore you can explicitly configure permissions to deny and log
read/exec access to shimgvw.dll system wide or on a per-application basis.
This is functionally equivalent to Microsoft's suggested workaround of
unregistering the DLL but the advantage is that it does not matter if
some program registers it back or if somehow a program tries to load and
execute the DLL in any way.

Core Force is available at http://force.coresecurity.com

As I said, it is still beta; make sure you read the software
compatibility and known issues list and the docs.

-ivan



-- 
---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson Ulysses,1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
[EMAIL PROTECTED]
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A



Download Accelerator Plus can be tricked to download malicious file

2006-01-04 Thread visitbipin
Product(ONLY TESTED ON): Download Accelerator Plus 7.4.0.2 (unregistered)
Test Environment: Winxp Pro sp2 (patch level latest)
Risk Type: Rare exception
Threat Level: High
Vendor website:www.speedbit.com

POC screenshots: http://img482.imageshack.us/img482/4205/31uk.jpg 
http://img425.imageshack.us/img425/4380/15an.jpg


speedbit.com claims to have 110 million users of DAP world wide and is one of 
the popular and best download managers for Windows. One of its biggest strengths 
to download big files in a faster connection at optimum speed is, it can 
automatically search for best mirrors and download different parts of the file 
from multiple locations.

BUT Download Accelerator Plus (DAP) may switch its download to an untrusted or 
malicious website while searching for fastest mirrors for a particular file 
under certain conditions. If the ACTUAL, trusted host providing the file is 
DOWN or due to network congestion the users may get and execute a malicious 
file instead.

I've included two screenshots which should be self explanatory. Check out the 
URLs in each screenshot and see from where the file is being received at the 
end.

In the screenshot I'm trying to download 'Windows 2003 sp1' from 
download.microsoft.com but DAP automatically chooses to download it only from 
ftp.planet.nl as my network was having too low internet bandwidth at 
that time. 

Furthermore, on some network/OS there might be rules for MAX CONNECTION PER 
HOST and (say) if in the network someone is already downloading some file from 
download.microsoft.com the outcome will surely be a VIRTUAL network 
congestion for download.microsoft.com within that DMZ.

For my test I used another client computer behind the gateway to send 
continuous pings (17 different instances) to download.microsoft.com. As a result, 
for my network download.microsoft.com was off the radar. So, on my other 
computer DAP chose to download Win2003 sp1 from ftp.planet.nl instead. So, 
even after my network gained its full throttle... no wonder DAP was still 
downloading the file from ftp.planet.nl 

My test network setup was a 3 computer PC which was left on default 
configuration with Winxp sp2 (patchlevel: latest)

Changes: This advisory is slightly modified from the one that I emailed to the 
vendor about a week back and tried contacting it, but with no response till now!

Result: I was receiving the file from an unknown and untrusted source which 
could be infected with a malicious program.

BUT fyi: I haven't researched on HOW and WHERE 'DAP' queries to get other 
possible mirrors for the particular file.

Conclusion: I insist NOT to use download managers that do the same while 
downloading important files. Or either force your download manager and check 
whether the file is being downloaded from the original URL or not.

Regards,
-Bipin Gautam


[eVuln] Lizard Cart CMS SQL Injection Vulnerability

2006-01-04 Thread alex
New eVuln Advisory:
Lizard Cart CMS SQL Injection Vulnerability

Summary

Software: Lizard Cart CMS
Software's Web Site: http://sourceforge.net/projects/lizardcart
Versions: 1.04
Critical Level: Dangerous
Type: SQL Injection
Class: Remote
Status: Unpatched
Exploit: Available
Solution: Available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)
Published: 2006.01.03
eVuln ID: EV0012

--Description--
Vulnerable scripts:
pages.php
detail.php

Variable $id isn't properly sanitized before being used in a SQL query. This 
can be used to make any SQL query by injecting arbitrary SQL code.

Customers personal data is threatened.

Conditions:
register_globals = on
gpc_magic_quotes = off



--Exploit--
http://host/lizard/pages.php?id=-1'%20union%20select%201,2,3/*
http://host/lizard/detail.php?id=-1'%20union%20select%201,2,3,4,5,6,7,8/*

--Solution--
No patch available.
Edit source code. Quote sanitization is needed.

--Credit--
Original Advisory:
http://evuln.com/vulns/12/summary.html

Discovered by: Aliaksandr Hartsuyeu (eVuln.com)



Re: WMF Exploit

2006-01-04 Thread Paul Laudanski
On Tue, 3 Jan 2006, Sam Munro wrote:

 I haven't seen this mentioned yet so I thought I would give you guys a
 heads-up: a very good patch has been written by Ilfak
 Guilfanov (http://www.hexblog.com/2005/12/wmf_vuln.html) as
 a temporary solution until MS get their act together.
 
 Can be downloaded here:
 http://www.hexblog.com/security/files/wmffix_hexblog14.exe

Ilfak's hexblog.com is down.  CastleCops is hosting the downloads now and 
there is a hexblog forum setup which Ilfak himself is moderating:

http://castlecops.com/f212-Hexblog.html

The downloads, etc can be found here:

http://castlecops.com/postlite143213-.html

-- 
Paul Laudanski, Microsoft MVP Windows-Security
[cal] http://events.castlecops.com
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com



New from the MS Advisory

2006-01-04 Thread Larry Seltzer
*What's Microsoft's response to the availability of third party patches for
the WMF vulnerability?

Microsoft recommends that customers download and deploy the security update
for the WMF vulnerability that we are targeting for release on January 10,
2006.

As a general rule, it is a best practice to utilize security updates for
software vulnerabilities from the original vendor of the software. With
Microsoft software, Microsoft carefully reviews and tests security updates
to ensure that they are of high quality and have been evaluated thoroughly
for application compatibility. In addition, Microsoft's security updates are
offered in 23 languages for all affected versions of the software
simultaneously.

Microsoft cannot provide similar assurance for independent third party
security updates.

* Why is it taking Microsoft so long to issue a security update?

Creating security updates that effectively fix vulnerabilities is an
extensive process. There are many factors that impact the length of time
between the discovery of a vulnerability and the release of a security
update. When a potential vulnerability is reported, designated product
specific security experts investigate the scope and impact of a threat on
the affected product. Once the MSRC knows the extent and the severity of the
vulnerability, they work to develop an update for every supported version
affected. Once the update is built, it must be tested with the different
operating systems and applications it affects, then localized for many
markets and languages across the globe.




Re[2]: [funsec] WMF round-up, updates and de-mystification

2006-01-04 Thread Pierre Vandevenne
Good Day,

Tuesday, January 3, 2006, 12:59:22 PM, you wrote:

GE The patch by Ilfak Guilfanov works, but by disabling a DLL in Windows.
PV I wouldn't say it does that. If you really want to simplify it in the
LS extreme, it hides the vulnerable function.  

LS Think of it as a White Hat Rootkit

Or merely a TSR hooking an interrupt vector. It doesn't hide itself.
It doesn't allow any kind of remote access to anything.

I can't see how it could even be remotely described as a rootkit.


-- 
Best regards,
 Pierre mailto:[EMAIL PROTECTED]



Re: Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability

2006-01-04 Thread Eloy A. Paris

Cisco Response
==

This is the Cisco Product Security Incident Response Team (PSIRT)'s
response to the statements made by Oleg Tipisov in his message with
subject Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability,
posted to Bugtraq on 2005-Dec-21. An archived version of this message
can be found here:

http://www.securityfocus.com/archive/1/420020

Cisco confirms the statements made by Mr. Tipisov, and has published a
Field Notice to document the vulnerability and provide solutions and
workarounds.

The Field Notice can be found at the following location:

Field Notice: FN - 61965 - CS ACS for Windows Downloadable IP Access
Control List Vulnerability

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00805bf1c4.shtml

We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.

Best regards,

- -- 

Eloy Paris
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
Ph: +1 919 392-9118
Cell: +1 919 349-2990
Pager: (888) 347-7178



MDKSA-2005:239 - Updated printer-filters-utils packages fix local vulnerability

2006-01-04 Thread Mandriva Security Team

 ___
 
 Mandriva Linux Security Advisory MDKSA-2005:239
 http://www.mandriva.com/security/
 ___
 
 Package : printer-filters-utils
 Date: December 30, 2005
 Affected: 10.1, 10.2, 2006.0, Corporate 2.1, Corporate 3.0
 ___
 
 Problem Description:
 
 newbug discovered a local root vulnerability in the mtink binary, 
 which has a buffer overflow in its handling of the HOME environment 
 variable, allowing the possibility for a local user to gain root 
 privileges.
 
 Mandriva encourages all users to upgrade immediately.
 
 The updated packages have been patched to correct these problems.
 ___

 Updated Packages:
 

RE: WMF Exploit

2006-01-04 Thread Discussion Lists
All,
I think I was able to get the SAFER mechanism to block this for IE, and
any program covered under it.  I know that there are other workarounds,
but I have found the SAFER approach has stopped every one of these sorts
of attacks.  I have a vbscript that activates SAFER for IE, and various
other client apps.  Email me at this address if you want me to send it
out to anyone.

Thanks!

 -Original Message-
 From: Bill Busby [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, December 29, 2005 1:35 PM
 To: Hayes, Bill; [EMAIL PROTECTED]
 Cc: bugtraq@securityfocus.com
 Subject: RE: WMF Exploit
 
 
 It is not only *.wmf extensions it is all files that
 have windows metafile headers that will open with the
 Windows Picture and Fax Viewer.  Any file that has the
 header of a windows metafile can trigger this exploit.
 
 --- Hayes, Bill [EMAIL PROTECTED] wrote:
 
  CERT now has posted Vulnerability Note VU#181038,
  Microsoft Windows may
  be vulnerable to buffer overflow via specially
  crafted WMF file
  (http://www.kb.cert.org/vuls/id/181038). The note
  provides additional
  details about the exploit and its effects. Very few workarounds have
  been proposed other than blocking at the perimeter
  and possibly
  remapping the .wmf extension to some application
  other than the
  vulnerable Windows Picture and Fax Viewer
  (SHIMGVU.DLL).
  
  Bill...
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, December 28, 2005 4:18 PM
  To: bugtraq@securityfocus.com
  Subject: WMF Exploit
  
  
  Another quick observation, again, I apologize if
  this information has
  already been posted; I haven't been able to read all
  the posts today.
  The thumbnail view in Windows Explorer will parse
  the graphics files in
  a folder, even if the file is never explicitly
  opened. This is enough to
  trigger the exploit. Even more frightening is that
  you don't have to use
  the thumbnail view for a thumbnail to be generated.
  Under some
  circumstances, just single-clicking on the file will
  cause it to be
  parsed.
  
  David Byrne
  


Re: WMF browser-ish exploit vectors

2006-01-04 Thread Nick FitzGerald
Evans, Arian wrote:

 Due to IE being so content help-happy there are a
 myriad of IE-friend file types (e.g.-.jpg) that one
 can simply rename a metafile to for purpose of web
 exploitation, and IE will pull out the wonderful hey;
 you're-not-a-jpeg-you're-a-something-else-that-I-can-
 -automatically-handle trick err /feature/ for you.

This is what MS stupidly calls MIME type detection -- ferrcrissakes, 
MIME Type is _defined_ by the server (or MIME headers in Email, etc) so 
there is no such thing as MIME Type detection; you are either told it 
by the server (message's MIME headers, etc) or you are not.

MS' other name for this -- data sniffing -- describes the process 
rather than the function.  It is file format detection.

Anyway, a (given MS' past, probably partial/incomplete) listing of such 
things and an outline of the logic IE employs in doing this is:

MIME Type Detection in Internet Explorer

http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp

 Windows Explorer/My Computer preview/thumbnail thingy=IE
 for purposes of rendering engine.
snip

Yep.

 Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc
 candy is a JPEG also renamed doc, and win32api is a JPEG
 renamed to wmf. Mix and match to your heart's content. obvious
snip

A problem with the above, IE-specific description of data sniffing, 
is that in the Explorer context (and some other shell contexts, and 
these vary in different versions of Windows) some other forms of format 
detection are also employed (rename a .EXE, or any kind of OLE2 format 
file, to an unregistered extension and start playing around...).

Also, don't forget the embedding of one kind of file into another, such 
as shell scraps (.SHS/.SHB), other OLE2 formats (Word, Excel, etc, etc) 
and so on.


Regards,

Nick FitzGerald
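Added example, not code from any poster in this thread: a small defensive scanner for the point made in the "RE: WMF Exploit" and "WMF browser-ish exploit vectors" posts above, that Explorer and IE sniff the format from the header, so a metafile renamed to .jpg or .doc still reaches the WMF parser. It applies the same sniffing on the defender's side, using the documented placeable-metafile key 0x9AC6CDD7 and the standard METAHEADER fields; all file names and contents are constructed for illustration.

```python
"""Flag Windows Metafile content hiding behind a non-.wmf extension.

Reads only the leading bytes of each file, so it is cheap to run over a
mail spool or download directory. Sample contents below are constructed.
"""
import struct
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Placeable (Aldus) metafile: 22-byte header beginning with key 0x9AC6CDD7
# (stored little-endian on disk), followed by the standard METAHEADER.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22
# Standard METAHEADER (18 bytes): mtType (1 = memory, 2 = disk), mtHeaderSize
# (always 9 WORDs), mtVersion (0x0100 or 0x0300), then size/object counts.
METAHEADER_LEN = 18
SNIFF_LEN = PLACEABLE_HEADER_LEN + METAHEADER_LEN
TRUSTED_METAFILE_EXTENSIONS = {".wmf"}


def looks_like_metaheader(data: bytes, offset: int = 0) -> bool:
    """True if a plausible standard METAHEADER starts at `offset`."""
    if len(data) < offset + 6:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, offset)
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def sniff_wmf(data: bytes) -> Optional[str]:
    """Classify leading bytes as 'placeable', 'standard' or None (not a metafile)."""
    if data.startswith(PLACEABLE_KEY):
        return "placeable"
    if looks_like_metaheader(data):
        return "standard"
    return None


def find_disguised_metafiles(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (name, kind) for each entry that is a metafile but is not named .wmf.

    An honest .wmf is still content the vulnerable viewer will parse; this report
    is specifically about catching renamed ones that extension filters miss.
    """
    hits = []
    for name, data in files.items():
        kind = sniff_wmf(data)
        if kind and Path(name).suffix.lower() not in TRUSTED_METAFILE_EXTENSIONS:
            hits.append((name, kind))
    return hits


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk a directory tree, reading only the header bytes of each file."""
    files = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                files[str(path)] = fh.read(SNIFF_LEN)
    return find_disguised_metafiles(files)


# Constructed sample headers (not real samples): mtType=2 (disk), header size 9,
# version 3.0, zeroed sizes; placeable header with a zeroed checksum.
STD_WMF_HEADER = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
PLACEABLE_HEADER = struct.pack("<IHhhhhHIH", 0x9AC6CDD7, 0, 0, 0, 100, 100, 96, 0, 0)
SAMPLES = {
    "skatebrd.doc": STD_WMF_HEADER + b"\x00" * 6,       # metafile renamed to .doc
    "candy.jpg": PLACEABLE_HEADER + STD_WMF_HEADER,     # placeable metafile named .jpg
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # genuine JPEG header: not flagged
    "chart.wmf": STD_WMF_HEADER,                        # honest .wmf: not a mismatch
}

if __name__ == "__main__":
    for name, kind in find_disguised_metafiles(SAMPLES):
        print(f"{name}: {kind} metafile content behind a non-.wmf extension")
```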