[Dshield] WMF - SETABORTPROC alarms

bschnzl@cotse.net bschnzl at cotse.net
Tue Jan 3 05:11:58 GMT 2006

Hash: SHA1


   Thanks for everyone's input.  Here is a rundown of the WMF vulnerability so far.  I will start with Microsofts version, then some contrasting opinions.  First let me state that currently, this is the hottest issue on the list, by default.  This is the issue du jour.

   Microsoft security advisory 912840
   Quotes from: http://www.microsoft.com/technet/security/advisory/912840.mspx
   "Microsoft has determined that an attacker using this exploit would have no way to force users to visit a malicious Web site."
   "In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability"
   "In both the web and email based attacks, the code would execute in the security context of the logged-on user."
   Quotes from: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560
   Status: "Candidate"
   Vector: "Windows Picture and Fax Viewer (SHIMGVW.DLL)"
   Result: "allows remote attackers to execute arbitrary code"
   U.S. CERT VU#181038
   Quotes from: http://www.kb.cert.org/vuls/id/181038
   "The GDI Escape function allows an application to access capabilities of a device that are not directly available through GDI. For example, a print job can be cancelled via a GDI Escape call."
   "Current public exploits use the SETABORTPROC GDI Escape function to execute arbitrary code when viewed."
   "However, disabling the Windows Picture and Fax Viewer will not eliminate this vulnerability as it is currently thought to exist in the Windows Graphical Device Interface library (GDI32.DLL)."
   "A remote, unauthenticated attacker may be able to execute arbitrary code if the user is persuaded to view a specially crafted Windows Metafile."
   "Metric: 53.58"
   SecurityFocus BID 16074
   Quotes from: http://www.securityfocus.com/bid/16074/
   "The issue may be exploited remotely or by a local attacker. Any remote code execution that occurs will be with the privileges of the user viewing a malicious image. An attacker may gain SYSTEM privileges if an administrator views the malicious file."
   There are many other references.  These can be found at CVE, U.S. CERT, and SecurityFocus.  Microsoft's advisory uses their standard tone and content ratio, as do all others in their posts.  Therein lies the rub.  Consistent tone makes for difficult severity rating.

   CVE and U.S. CERT list the impact as arbitrary code.  Arbitrary boils down to root (or SYSTEM in this case, as if I need to tell this list).  Microsoft and SecurityFocus differ here.  This tells me that compromising the superuser account has not been seen in the wild, yet. 

   The code is there for compatibility.  Only U.S. CERT mentions that in their advisory.  That bit might be useful to the few folks who still run 16 bit applications.  That every version of Windows is vulnerable should not surprise in that light.  The U.S. CERT advisory examines the vulnerability in the most comprehensive manner.  
   The metric data in the U.S. CERT advisory is most telling.  The RIM issues that preceded it were 2.46, 5.41, and 17.55.  The MSSQL null password rated 33.75.  The MSIE mime type issue associated with the NIMDA worm rated 60.75.  As listed above, the WMF vulnerability sits pretty high at 53.58.  In this respect comparisons are quite valid (http://www.kb.cert.org/vuls/html/fieldhelp).

   Given this issue's disclosure, the details are in flux.  Here then is what we do know.  Vendor input will naturally tend toward the mitigators, but never suggest alternative software.  The vector still involves user action, placing local user control over the so called remote execution exposure. The user action requirement limits the exposure, even if just to the uneducated.  The vendor's recent strengthening of the default NetBIOS settings will mitigate exposure in newer versions, particularly because this vulnerability is related to NetBIOS in common platform only.

   Of course I would be remiss in posting without mentioning the WMF FAQ at http://isc.sans.org/diary.php?storyid=994.  Some quotes from the FAQ with parenthetical notes): 
       "Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well."
       "Virus checkers provide some protection." (or there will be holes in the virus checker's protection)
       "we have some very stong indications that simply unregistering the shimgvw.dll isn't always successful"
       "At least block .WMF images"  (U.S. CERT has the hex strings that trigger the WMF viewer, can you say inline snort?  Rule anyone?)
       "Microsoft offers free support for issues like that at 866-727-2389 (866 PC SAFETY)"  (Hooray!)
   Patch Tuesday is one week away.  If Microsoft does not issue a patch then, I will recommend the "unofficial" patch.  That gives me a week to test it! 

Version: GnuPG v1.4.2 (GNU/Linux)


Bill Scherr, IV  GSEC, GCIA
Jericho, VT

Key fingerprint = 4687 DEB0 E772 B94F 383E  8CB2 F2FC A46D A4A2 DC71
uid Bill Scherr IV <bschnzl at cotse.net>
KID 0xA4A2DC71

More information about the list mailing list