[Dshield] WMF - SETABORTPROC alarms

bschnzl@cotse.net bschnzl at cotse.net
Mon Jan 2 07:10:20 GMT 2006


Folks...

   I would like to examine the relative risk involved with the WMF - 
SETABORTPROC (heretofore "WMF") issue.  Setting aside responsible 
disclosure issues, I believe the vulnerability is not as pressing as 
others in the past.  Resources used in testing the "unofficial" patch 
are better used elsewhere.  Insight from replies will guide my 
response to this disclosure.

   Here is my analysis of the disclosure.  The potential for 
automatic exploit is low.  If one limits user shell activity on 
critical machines properly, exposure is reduced, and native recovery 
platforms remain available.  The exploit renders privilege in the 
current security context, requiring additional functionality to 
perform administrative level functions.  As well, limiting NetBIOS 
connections across network boundaries removes the largest exposure.  
Best Practices already indicate more controlled environments for Road 
Warriors, increasing this risk only marginally.

   The vulnerability requires the opening of a graphic file.  This is 
decidedly a user function.  Windows Explorer will do this to every 
file in opened directories, but the user has to open the directory.  
Thus, the speed with which any malware will travel through a network 
is reduced below that of the Nimda and Zotob worms, for instance.

   Those with access to critical machines are more likely to know 
that reading your personal mail on a server is not recommended.  
While browsing the web is certainly doable on a windows server, 
hopefully administrators know that is not a good idea.  Generally, 
these users have better ideas of how they will do things when they 
start pushing the mouse around.  With more deliberate action paths 
comes less risk, in this case especially.

   This exploit compromises the user's account only.  Hopefully users 
are limited in what they can do to their physical workstations.  
Certainly they should be limited to how they can make changes on the 
server.  While any compromise is dangerous, real system damage 
requires another attack in this case.  That gives those who practice 
defense-in-depth another opportunity to detect the intrusion.  Again, 
it could be worse.

   In this day and age, most of us know that allowing NetBIOS to the 
open internet is asking for trouble.  In the case of a file finding 
its way on to shared drive spaces still only infects the workstations 
that open it.  The server that hosts that file can be cleaned from a 
command line.  As well, in the case of older variants, the server 
provides a second chance at detection.

   Road warriors remain a problem, but this particular issue does not 
increase the risk as much as simply connecting to uncontrolled 
networks.  The connection risk indicates increased education effort, 
and quarantine procedures.  These steps provide momentum toward 
handling any compromise along this vector.  I feel justified in 
listing this as a marginal increase in risk.

   While my own experience is that few networks practice the above 
steps in a comprehensive way, much progress has been made.  Today's 
networks are much more resistant to this sort of vulnerability than 
just a year ago.  Some networks have been compromised by using this 
exploit.  Fewer still will notice.  That responsibility rests 
squarely on the management and administrators of each network.  With 
that level of resources applied, I find it hard to recommend an 
"unofficial" patch. 

   Your thoughts are appreciated.  Please include my address on the 
to line for replies.  


Bill Scherr, IV  GSEC, GCIA
Jericho, VT

Key fingerprint = 4687 DEB0 E772 B94F 383E  8CB2 F2FC A46D A4A2 DC71
uid Bill Scherr IV <bschnzl at cotse.net>
KID 0xA4A2DC71



More information about the list mailing list