TRANSCRIPT
© SANS Institute 2005 http://isc.sans.org
SANS Internet Storm Center
WMF workarounds and patches
http://isc.sans.org
Outline
How does WMF work?
How does the exploit work?
What does the Microsoft recommendation do?
What does the unofficial patch do?
About the Internet Storm Center
Cooperative incident response community
Volunteer operated (about 40 ISC handlers)
Vendor neutral
Operating the largest worldwide sensor network, DShield.org
Depending on input from readers and on volunteers donating a large part of their holiday weekend
WMF: how it works
[Diagram: WMF file → Application → shimgvw.dll → GDI32.DLL]
WMF: how it works
A WMF file finds its way onto a Windows machine
The application opening the file calls shimgvw.dll
Which in turn calls GDI32.DLL to do the actual work
WMF: exploit
[Diagram: WMF file → Application → shimgvw.dll → GDI32.DLL Escape() → exploit]
WMF: exploit
A WMF exploit is an image with a potentially huge payload of exploit code
The application will open the file and call shimgvw.dll
Which will call GDI32.DLL
But the function calls in the image data will cause the Escape() of GDI32.DLL to jump back to the data (now code) in the image itself
From there on, what happens next depends on the payload …
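As a defender's check on the path described above, here is a small scanner, added here and not code from the ISC or from Microsoft, that walks the records of a WMF file and reports every record that reaches GDI32's Escape(), the record type a plain picture has little reason to carry. The header layout and the Escape record number (0x0626) follow the WMF format; the sample file it scans is constructed in the block.

```python
import struct

META_ESCAPE = 0x0626          # WMF record function that reaches GDI32's Escape()
META_EOF = 0x0000
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte "placeable" header some WMFs carry


def parse_wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF blob."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    # Standard header: Type, HeaderSize (words), Version, FileSize (words),
    # NumObjects, MaxRecord (words), NumParams. All WMF sizes are in 16-bit words.
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError(f"malformed record size at offset {off}")
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def find_escape_records(data: bytes):
    """Return (offset, escape_subfunction, byte_count) for every Escape() record."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            hits.append((off,) + struct.unpack_from("<HH", params, 0))
    return hits


def wmf_record(func: int, params: bytes) -> bytes:
    """Encode one record; params must be an even number of bytes."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def sample_wmf(with_escape: bool = True, placeable: bool = False) -> bytes:
    """Constructed test file: a SETMAPMODE record, optionally an Escape record, then EOF."""
    body = wmf_record(0x0103, struct.pack("<H", 8))  # META_SETMAPMODE, MM_ANISOTROPIC
    if with_escape:  # constructed Escape record: subfunction 1, four bytes of data
        body += wmf_record(META_ESCAPE, struct.pack("<HH", 1, 4) + b"\xde\xad\xbe\xef")
    body += wmf_record(META_EOF, b"")
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    prefix = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) if placeable else b""
    return prefix + header + body


if __name__ == "__main__":
    print(find_escape_records(sample_wmf()))  # [(26, 1, 4)]
```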
WMF: Microsoft unregister
[Diagram: WMF file → Application → shimgvw.dll (crossed out: "Who's gonna call?") → GDI32.DLL Escape() → exploit]
WMF: Microsoft’s solution
Microsoft advised unregistering shimgvw.dll in order to break the chain that leads to the vulnerable Escape() in GDI32.DLL
This will work for all applications that follow this path, but:
Nothing prevents other applications from calling GDI32.DLL directly
Some applications (e.g. Mozilla) rely on the functionality provided by shimgvw.dll for things people use in daily life
The library might be registered again by other software
Aside from the unregistration, Microsoft also recommends:
user awareness, not surfing to "bad" places and all other sorts of generic advice that is not relevant to this problem;
keeping anti-virus signatures up to date, but our tests show that many anti-virus products trigger on the payload, if they trigger at all, and the payload of the successful massive attack will be new.
WMF: how it works: unofficial patch
[Diagram: WMF file → Application → shimgvw.dll → GDI32.DLL Escape() → exploit, with the UNOFFICIAL PATCH blocking the Escape() step]
WMF: how it works: unofficial patch
The unofficial patch protects the in-memory copy of GDI32.DLL by preventing access to the vulnerable Escape() function.
This patch was made by Ilfak Guilfanov.
Unofficial patches generally are indeed a bad idea, but:
This patch was reviewed and vetted by Tom Liston, handler at the Internet Storm Center.
There is no other proper solution until Microsoft fixes things.
The bad guys now know the deadline: they have 1 week to come up with the über-payload to infect millions.
Do you want to be among the casualties?
Or do you want to be prepared to the best of your abilities?