[funsec] WMF Vulnerable Systems

Larry Seltzer larry at larryseltzer.com
Mon Jan 2 23:20:48 CST 2006


One last note before I retire for the night: I was able to trigger an
exploit on Windows 2000 SP4, all up to date, by doing Insert Picture inside
an updated Microsoft Word 2003. I don't find this frightening, but it tends
to confirm the general point that the vulnerability is there, but not any
meaningful vector for exploiting it, until Windows XP.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com 
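As an added example (not part of Larry's posts or anything from the list thread): a small Python walker for the WMF record stream that the tests above feed to Paint, Word and the Picture and Fax Viewer. It checks the optional placeable header and its checksum, parses the META_HEADER, walks records until META_EOF, and flags a META_ESCAPE record whose escape number is SETABORTPROC, the escape that the MS06-001 GDI32 flaw concerned (that detail comes from the Microsoft advisory, not from the thread). The two sample files are constructed inline with the builders at the bottom; the "escape" sample carries four zero bytes and no payload.

```python
import struct

# Constants from the WMF format (MS-WMF); the names are the spec's own.
PLACEABLE_KEY = 0x9AC6CDD7          # Aldus placeable header magic
META_EOF = 0x0000
META_SETWINDOWORG = 0x020B
META_RECTANGLE = 0x041B
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009        # escape number named in MS06-001

RECORD_NAMES = {
    META_EOF: "META_EOF",
    META_SETWINDOWORG: "META_SETWINDOWORG",
    META_RECTANGLE: "META_RECTANGLE",
    META_ESCAPE: "META_ESCAPE",
}


def parse_wmf(data):
    """Walk a WMF byte string; return a summary dict or raise ValueError on a malformed file."""
    off = 0
    placeable = False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        # Placeable header is 22 bytes; its checksum is the XOR of the first ten 16-bit words.
        checksum = 0
        for word in struct.unpack_from("<10H", data, 0):
            checksum ^= word
        if checksum != struct.unpack_from("<H", data, 20)[0]:
            raise ValueError("placeable header checksum mismatch")
        placeable = True
        off = 22
    if len(data) - off < 18:
        raise ValueError("truncated META_HEADER")
    ftype, header_words, version, size_words, _objs, max_rec, _ = struct.unpack_from("<HHHIHIH", data, off)
    if ftype not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF META_HEADER")
    off += 18

    records, findings = [], []
    while True:
        if off + 6 > len(data):
            raise ValueError("record stream ran past end of file without META_EOF")
        rec_words, func = struct.unpack_from("<IH", data, off)
        rec_bytes = rec_words * 2
        # The size field counts itself and the function word, so 3 words is the minimum.
        if rec_words < 3 or off + rec_bytes > len(data):
            raise ValueError("record size out of range at offset %d" % off)
        params = data[off + 6:off + rec_bytes]
        records.append((RECORD_NAMES.get(func, "0x%04X" % func), func, len(params)))
        if func == META_ESCAPE and len(params) >= 4:
            escape, byte_count = struct.unpack_from("<HH", params, 0)
            if escape == ESCAPE_SETABORTPROC:
                findings.append("SETABORTPROC escape at offset %d, %d data bytes" % (off, byte_count))
        off += rec_bytes
        if func == META_EOF:
            break
    return {"placeable": placeable, "version": version, "declared_words": size_words,
            "max_record_words": max_rec, "records": records, "findings": findings}


# --- Builders for the constructed samples below (test data, not files from the thread) ---
def record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def placeable_header(left, top, right, bottom, inch):
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, left, top, right, bottom, inch, 0)
    checksum = 0
    for word in struct.unpack("<10H", body):
        checksum ^= word
    return body + struct.pack("<H", checksum)


def build_wmf(records, placeable=False):
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    prefix = placeable_header(0, 0, 100, 100, 96) if placeable else b""
    return prefix + header + body


# Constructed benign file: set origin, draw a rectangle, end.
BENIGN_WMF = build_wmf([
    record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
    record(META_RECTANGLE, struct.pack("<hhhh", 100, 100, 0, 0)),
    record(META_EOF),
])

# Constructed file with a placeable header and a SETABORTPROC escape carrying four
# zero bytes: enough to trip the check, with no payload of any kind.
ESCAPE_WMF = build_wmf([
    record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
    record(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 4) + b"\x00" * 4),
    record(META_EOF),
], placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("escape", ESCAPE_WMF)):
        summary = parse_wmf(blob)
        print(name, [r[0] for r in summary["records"]], summary["findings"])
```

The walker refuses truncated files and bad placeable checksums rather than guessing, which is the behaviour you want from a triage tool: a file that Paint on Windows 98 rejects as "not a valid bitmap" may still be a well-formed metafile that GDI32 on another platform will happily play, so the record list, not the viewer's verdict, is what tells you what the file asks the renderer to do.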

-----Original Message-----
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org] On
Behalf Of Larry Seltzer
Sent: Monday, January 02, 2006 11:53 PM
To: funsec at linuxbox.org
Subject: RE: [funsec] WMF Vulnerable Systems

It appears, based on offline communication, that my analysis below is
correct with respect to pre-XP exploitation. There is no default association
for WMF, therefore it's much harder to exploit. The flaw in GDI32 is there
and a vulnerable program like Notes would still be vulnerable, but on a
mass-scale they are not easily exploitable because there is no standard
vector for the flaw.

I'm testing now on Windows 2000 (SP4) and the behavior is identical to
Windows 98! No default association for WMF and Paint can't read the files. 

Am I doing something wrong? Has anyone else gotten other results? Because
where I stand this makes the whole issue far less threatening.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com 

-----Original Message-----
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org] On
Behalf Of Larry Seltzer
Sent: Monday, January 02, 2006 10:41 PM
To: 'Richard M. Smith'; funsec at linuxbox.org
Subject: RE: [funsec] WMF Vulnerable Systems

On Win98SE: Nothing.

I retested with my own images and with 600pics.com (I'm getting really tired
of looking at it). I got lots of popups with 600pics, but it doesn't look
like I got exploited at all.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com 

-----Original Message-----
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org] On
Behalf Of Richard M. Smith
Sent: Monday, January 02, 2006 10:07 PM
To: funsec at linuxbox.org
Subject: RE: [funsec] WMF Vulnerable Systems

What program is associated with the .WMF file extension on these older
systems?

Richard

-----Original Message-----
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org] On
Behalf Of Larry Seltzer
Sent: Monday, January 02, 2006 10:01 PM
To: funsec at linuxbox.org
Cc: 'Microsoft PR'
Subject: RE: [funsec] WMF Vulnerable Systems

PS - I also tested the out-of-the-box IE (version 5.0) and it wouldn't load
the images from a test page. And there is no shimgvw.dll (or shim*.dll) on
the system.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com 

-----Original Message-----
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org] On
Behalf Of Larry Seltzer
Sent: Monday, January 02, 2006 9:48 PM
To: funsec at linuxbox.org
Subject: [funsec] WMF Vulnerable Systems

This is a little surprising. I had been taking at face value reports from
Microsoft and others that all Windows versions were vulnerable to this flaw,
but I only just now tested a system other than Windows XP.

I just created a fresh Windows 98SE system, no updates. Of course it doesn't
have Picture and Fax Viewer, but I opened a known-malicious WMF file with
Paint and got this message:

	C:\BAD.WMF
	Paint cannot read this file.
	This is not a valid bitmap file, or its format is not currently supported.

Now this could just mean that Paint in this version of Windows cannot read
WMF files, but that the GDI32 flaw is still there. Perhaps, for example,
Lotus Notes on this OS would be vulnerable. Still, I'd have to conclude that
this platform is significantly less vulnerable than XP.

My next step is to run Windows Update (probably a dozen times) to get 98 as
up to date as it can be and retest.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com 


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

