Maker Pro

A Very Dangerous Worm in Windows Metafile Images (WMF)


Ken Smith

Jan 1, 1970
Richard Henry said:
Bending the topic slightly - the example above demonstrates one of the
problems I have with current coding - the overuse of the '*' symbol. It's
as if the language innovators' keyboards had some non-working keys.

That is one of the advantages of APL. There are 26 letters and about 200
operators.
 

Ken Smith

Jan 1, 1970
John Devereux said:
No, that would be perl I think you'll find.

No, "intercal" is the one that uses the least letters.

MULTIPLY price BY qty GIVING total.

With C you can do this

#define tra
#define la
#define well
#define we
#define a
#define return

well if (a>1) tra la tra la we give a 3;
 

Paul Hovnanian P.E.

Jan 1, 1970
Mike said:
To All,

Last night, a very dangerous computer worm was released on the
internet. It is carried on Windows Metafile images and automatically
executes with no user interaction.

[snip]

What do you mean 'last night'? The WMF exploit was recently published,
but it may very well have been in use for months or even years.

Many of these are initially discovered by very skilled programmers who
are employed to do industrial or political espionage. The virii created
tend to work quietly for long periods of time, discreetly feeding data
off desktops out through firewalls to competitors or foreign
governments. Later, some script kiddie stumbles across the same security
hole and writes something that clogs up corporate networks, revealing
itself. Or it is discovered by honest IT people who report it.
 

Joseph2k

Jan 1, 1970
Rich said:
I seem to remember, when the internet was still a gleam in everyone's
eyes, a "dream" of all of the computers being able to execute anything,
and everyone sharing everything, and peace and harmony and parallel
processing and all sorts of grand dreams.

Apparently, it turns out, some people with computers are Not Nice.

So we get executable graphics and worms. And executable documents. Sigh.

The solution is so simple apparently Uncle Billy is overlooking it -
somebody should explain to him that under the GNU GPL, he could download
a free Linux kernel, or even a whole distribution, and set his
codemonkeys the task of writing windows-grade installers and drivers
and eye candy, and sell "Microsoft Linux" for whatever the market will
bear.

Totally legally.

Cheers!
Rich
No, not for whatever the market will bear, but for a minimized distribution
and packaging cost. Moreover MS would be required to publish for free, all
the source code for their contributions. I do not see M$ doing anything
for free.
 

Rich Grise

Jan 1, 1970
No, not for whatever the market will bear, but for a minimized distribution
and packaging cost.

Nope. It's whatever you can get people to pay for it. There is no
restriction. If I wanted to buy a copy of Slackware from Slackware for
$40.00, and try to sell it to some sucker on the street for $1000.00, all
I have to do is say that the $960.00 is "distribution and packaging cost".

But I seriously doubt anybody on the street would buy a used Slackware
CD set for $1000.00 when you can get brand-new, shrink-wrapped CDs for
$40.00, or download the whole thing for free.
Moreover MS would be required to publish for free, all
the source code for their contributions. I do not see M$ doing anything
for free.

Nobody's _ever_ "required" to publish anything original for free, unless
you got it for free. i.e., what you've downloaded, you do have to make
available under the same license. You should read the GNU General Public
License: http://www.gnu.org/copyleft/gpl.html

What it boils down to is, you can download GPL code for free, and modify
it at will, _but those modifications to someone else's work are covered by
the license_, i.e., your modifications must be clearly delineated and
released under the same license.

BUT! If you write your own stuff from scratch, you _are_ allowed to retain
the rights on the stuff that you wrote. You can even keep the source
proprietary, if you can get customers to buy unknown binaries. And not only
that, but even if you do release your work on the GPL, the writer
continues to own the copyright.

Cheers!
Rich
 
Rich said:
Nobody's _ever_ "required" to publish anything original for free, unless
you got it for free. i.e., what you've downloaded, you do have to make
available under the same license. You should read the GNU General Public
License: http://www.gnu.org/copyleft/gpl.html

What it boils down to is, you can download GPL code for free, and modify
it at will, _but those modifications to someone else's work are covered by
the license_, i.e., your modifications must be clearly delineated and
released under the same license.

BUT! If you write your own stuff from scratch, you _are_ allowed to retain
the rights on the stuff that you wrote. You can even keep the source
proprietary, if you can get customers to buy unknown binaries. And not only
that, but even if you do release your work on the GPL, the writer
continues to own the copyright.

As I understand it, the jury is still out on the details of this one.

There are issues of the viral nature of GPL. It has been indicated
that for kernel space components, your work inherits the GPL
licence merely by using the interfaces to GPL components. That
is due (in part at least) to the fact that you must have used the
GPL work to even learn what the interfaces are. (I probably can't
fairly express their reasoning as I don't agree with it).

Linus has indicated that he believes that pre-existing drivers, when
ported to Linux, do not fall under GPL even if they use some Linux
interfaces. Alan Cox says Linus is incorrect.

Regards,
Steve
 

Frank Bemelman

Jan 1, 1970
No, not for whatever the market will bear, but for a minimized distribution
and packaging cost. Moreover MS would be required to publish for free, all
the source code for their contributions. I do not see M$ doing anything
for free.

BTW, what happened to that very dangerous worm... I've been waiting
for that internet melt down, but nothing happened here.

What is the bottom line?
 

Winfield Hill

Jan 1, 1970
Frank Bemelman wrote...
BTW, what happened to that very dangerous worm... I've been
waiting for that internet melt down, but nothing happened here.

It wasn't a worm. The exploit's purpose was to quietly take
over individual computers, in the sense that you'd not know
your computer is running a process that allows the new remote
owner to send it a command making it do things like send an
email, etc. Or worse. Compromised computers are bundled up
and sold in batches of 50 to 100, etc., for considerable cash.
Ahem, one imagines each computer gets sold multiple times,
unless there's honor among thieves!?
What is the bottom line?

We wait for the other shoe to drop.

Steve Gibson* thinks "the WMF vulnerability in Windows was
neither a bug, nor a feature designed without security in
mind, but was actually an intentionally placed backdoor."
Read the transcript or listen to the half-hour podcast,
http://www.grc.com/sn/SN-022.htm

"what Windows did when it encountered this Escape function,
followed by the SETABORTPROC metafile record, was it jumped
immediately to the next byte of code and began to execute it.
That is, it was no longer interpreting my metafile records
record by record, which is the way metafiles are supposed to
be processed. You don't actually execute the metafile. As we
said before last week, and I think the week before, it's sort
of a script. It's a script of Windows graphics calls that allow
you to specify, you know, draw a rectangle from here to here,
draw a line from there to there. And it's in a nice sort of
device-independent fashion. So you don't run the code in the
metafile. But what Windows did when it encountered this
particular nonsensical sequence was to start executing the
next byte of code in the metafile." [...]

"So what I found was that, when I deliberately lied about the
size of this record and set the size to one and no other value,
and I gave this particular byte sequence that makes no sense
for a metafile, then Windows created a thread and jumped into
my code, began executing my code. Okay, Leo? This was not a
mistake. This is not buggy code. This was put into Windows
by someone."

* Gibson Research Corporation, http://www.grc.com/default.htm
 

Frank Bemelman

Jan 1, 1970
Winfield Hill said:
Frank Bemelman wrote...

It wasn't a worm. The exploit's purpose was to quietly take
over individual computers, in the sense that you'd not know
your computer is running a process that allows the new remote
owner to send it a command making it do things like send an
email, etc. Or worse. Compromised computers are bundled up
and sold in batches of 50 to 100, etc., for considerable cash.
Ahem, one imagines each computer gets sold multiple times,
unless there's honor among thieves!?

No doubt, but there is a limited market. Nobody wants to compromise
every computer on the internet. That means that it is not a problem,
similar to the concern that somebody might break into your house is
not a problem. Okay, you lock your doors, to some extent, but that
*is* sufficient.

[snip]
my code, began executing my code. Okay, Leo? This was not a
mistake. This is not buggy code. This was put into Windows
by someone."

Steve Gibson's text, he has some talent for adding a bit of drama.
I'm surprised that nobody discovered this WMF defect sooner.
 

Rich Grise

Jan 1, 1970
Frank Bemelman wrote...
BTW, what happened to that very dangerous worm... I've been
waiting for that internet melt down, but nothing happened here.

It wasn't a worm. The exploit's purpose was to quietly take
over individual computers, in the sense that you'd not know
your computer is running a process that allows the new remote
owner to send it a command making it do things like send an
email, etc. Or worse. Compromised computers are bundled up
and sold in batches of 50 to 100, etc., for considerable cash.
Ahem, one imagines each computer gets sold multiple times,
unless there's honor among thieves!?
What is the bottom line?

We wait for the other shoe to drop.

Steve Gibson* thinks "the WMF vulnerability in Windows was
neither a bug, nor a feature designed without security in
mind, but was actually an intentionally placed backdoor."
Read the transcript or listen to the half-hour podcast,
http://www.grc.com/sn/SN-022.htm

"what Windows did when it encountered this Escape function,
followed by the SETABORTPROC metafile record, was it jumped
immediately to the next byte of code and began to execute it.
That is, it was no longer interpreting my metafile records
record by record, which is the way metafiles are supposed to
be processed. You don't actually execute the metafile. As we
said before last week, and I think the week before, it's sort
of a script. It's a script of Windows graphics calls that allow
you to specify, you know, draw a rectangle from here to here,
draw a line from there to there. And it's in a nice sort of
device-independent fashion. So you don't run the code in the
metafile. But what Windows did when it encountered this
particular nonsensical sequence was to start executing the
next byte of code in the metafile." [...]

"So what I found was that, when I deliberately lied about the
size of this record and set the size to one and no other value,
and I gave this particular byte sequence that makes no sense
for a metafile, then Windows created a thread and jumped into
my code, began executing my code. Okay, Leo? This was not a
mistake. This is not buggy code. This was put into Windows
by someone."

* Gibson Research Corporation, http://www.grc.com/default.htm

This is fascinating. So, we could fix them all, by generating
a WMF file, where when it goes to execute the file, it finds a
HLT instruction. ;-)

I used to be a Hacker, before the sheeple co-opted that term and
started applying it to "thieves" and "pirates" and whatever you
call those scriptkiddies that write viri and worms and adware
and crap. "Hacker" used to be a badge of honor! What's happened
with the world, oh me, oh my!

Cheers!
Rich
 

Zak

Jan 1, 1970
There are issues of the viral nature of GPL. It has been indicated
that for kernel space components, your work inherits the GPL
licence merely by using the interfaces to GPL components.

In the original GPL the issue was linking and the use of the same
address space.

The other side of the coin was using a standard interface and the
component being replaceable, thus forming a bundle.
That is due (in part at least) to the fact that you must have used the
GPL work to even learn what the interfaces are. (I probably can't
fairly express their reasoning as I don't agree with it).

I think the issue is that the driver and the kernel make a single program.

FWIW making the driver GPL does not mean you lose the copyrights; you
can still use the driver elsewhere and sell it, perhaps even in an
expanded version.

And what some people are considering: create a very thin driver and make
that GPL, which exports a documented interface. And do the clever work
in user space.


Thomas
 

Derek Potter

Jan 1, 1970
Nobody's _ever_ "required" to publish anything original for free, unless
you got it for free. i.e., what you've downloaded, you do have to make
available under the same license. You should read the GNU General Public
License: http://www.gnu.org/copyleft/gpl.html

What a nightmare scenario! "Written for Microsoft Linux". I need a
drink.
 

Winfield Hill

Jan 1, 1970
Winfield Hill wrote...
Frank Bemelman wrote...
BTW, what happened to that very dangerous worm... I've been
waiting for that internet melt down, but nothing happened here.

It wasn't a worm. The exploit's purpose was to quietly take
over individual computers, in the sense that you'd not know
your computer is running a process that allows the new remote
owner to send it a command making it do things like send an
email, etc. Or worse. Compromised computers are bundled up
and sold in batches of 50 to 100, etc., for considerable cash.
Ahem, one imagines each computer gets sold multiple times,
unless there's honor among thieves!?
What is the bottom line?

We wait for the other shoe to drop.

Steve Gibson* thinks "the WMF vulnerability in Windows was
neither a bug, nor a feature designed without security in
mind, but was actually an intentionally placed backdoor."
Read the transcript or listen to the half-hour podcast,
http://www.grc.com/sn/SN-022.htm

"what Windows did when it encountered this Escape function,
followed by the SETABORTPROC metafile record, was it jumped
immediately to the next byte of code and began to execute it.
That is, it was no longer interpreting my metafile records
record by record, which is the way metafiles are supposed to
be processed. You don't actually execute the metafile. As we
said before last week, and I think the week before, it's sort
of a script. It's a script of Windows graphics calls that allow
you to specify, you know, draw a rectangle from here to here,
draw a line from there to there. And it's in a nice sort of
device-independent fashion. So you don't run the code in the
metafile. But what Windows did when it encountered this
particular nonsensical sequence was to start executing the
next byte of code in the metafile." [...]

"So what I found was that, when I deliberately lied about the
size of this record and set the size to one and no other value,
and I gave this particular byte sequence that makes no sense
for a metafile, then Windows created a thread and jumped into
my code, began executing my code. Okay, Leo? This was not a
mistake. This is not buggy code. This was put into Windows
by someone."

* Gibson Research Corporation, http://www.grc.com/default.htm

Microsoft begs to differ.
http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx

"Now, there’s been some speculation that you can only trigger this by
using an incorrect size in your metafile record and that this trigger
was somehow intentional. That speculation is wrong on both counts.
The vulnerability can be triggered with correct or incorrect size values.
If you are seeing that you can only trigger it with an incorrect value,
it's probably because your SetAbortProc record is the last record in the
metafile. The way this functionality works is by registering the callback
to be called after the next metafile record is played. If the SetAbortProc
record is the last record in the metafile, it will be more difficult to
trigger the vulnerability."

OK... Now we wait for Steve Gibson's response.
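Added example, not code from any post in this thread nor from Gibson or Microsoft: a small Python scanner that walks the record stream of a WMF file and flags the META_ESCAPE record carrying the SETABORTPROC escape that the two quoted accounts above argue about. It builds three constructed sample files inline (no real malware; the escape data is zero filler): a benign file, a file with a correctly sized SETABORTPROC escape followed by another record (the trigger shape Microsoft describes), and a file whose SETABORTPROC escape is the last record with RecordSize forged to 1 (the shape Gibson describes). Record layout and the constants META_ESCAPE 0x0626, SETABORTPROC 9 and the 18-byte META_HEADER come from the published Windows Metafile format; treating the META_EOF terminator as a record that is not "played", and the MM_ANISOTROPIC map mode used as a harmless neighbouring record, are my assumptions for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constants from the Windows Metafile format (MS-WMF).
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape code that registers an abort callback
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte placeable header
HEADER_WORDS = 9               # META_HEADER is 9 words (18 bytes)


@dataclass
class Record:
    offset: int
    size_words: int    # RecordSize as declared in the file (16-bit words)
    function: int      # RecordFunction
    params: bytes      # everything after the 6-byte size+function prefix


def iter_records(data: bytes):
    """Walk the WMF record stream, tolerating a forged RecordSize.

    RecordSize counts the 6-byte prefix itself, so anything below 3 words is a
    lie. For an undersized META_ESCAPE the true extent is recovered from the
    escape's ByteCount field instead of trusting the bogus size.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + HEADER_WORDS * 2:
        raise ValueError("truncated META_HEADER")
    if struct.unpack_from("<H", data, off + 2)[0] != HEADER_WORDS:
        raise ValueError("unexpected HeaderSize")
    off += HEADER_WORDS * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        step = size_words * 2
        if size_words < 3:
            step = 6
            if func == META_ESCAPE and off + 10 <= len(data):
                byte_count = struct.unpack_from("<H", data, off + 8)[0]
                step = 10 + byte_count
        yield Record(off, size_words, func, data[off + 6:off + step])
        if func == META_EOF:
            return
        off += step


def find_setabortproc(data: bytes) -> list:
    """Report every META_ESCAPE record whose escape code is SETABORTPROC.

    A printing-abort callback has no business in an image, so any hit is
    suspicious. The extra fields mirror the two quoted arguments: whether the
    declared size is plausible (Gibson's size-1 trick) and whether another
    record follows, since the callback fires after the next record is played.
    Assumption: the META_EOF terminator is not counted as a played record.
    """
    records = list(iter_records(data))
    findings = []
    for i, rec in enumerate(records):
        if rec.function != META_ESCAPE or len(rec.params) < 4:
            continue
        esc_func, byte_count = struct.unpack_from("<HH", rec.params, 0)
        if esc_func != SETABORTPROC:
            continue
        findings.append({
            "offset": rec.offset,
            "declared_size_words": rec.size_words,
            "size_plausible": rec.size_words * 2 >= 10 + byte_count,
            "escape_data_len": byte_count,
            "followed_by_record": any(r.function != META_EOF
                                      for r in records[i + 1:]),
        })
    return findings


# --- constructed sample files (not real malware; escape data is zero filler) ---

def build_record(func: int, params: bytes = b"",
                 size_words: Optional[int] = None) -> bytes:
    """Encode one record; size_words overrides RecordSize to forge a bad value."""
    if size_words is None:
        size_words = 3 + len(params) // 2
    return struct.pack("<IH", size_words, func) + params


def build_wmf(records: bytes) -> bytes:
    """Prefix a minimal disk-metafile META_HEADER (Type=2, Version=0x0300)."""
    size_words = HEADER_WORDS + len(records) // 2
    return struct.pack("<HHHIHIH", 2, HEADER_WORDS, 0x0300, size_words, 0, 0, 0) + records


FILLER = b"\x00" * 16
ABORTPROC_ESCAPE = struct.pack("<HH", SETABORTPROC, len(FILLER)) + FILLER
SETMAPMODE = build_record(META_SETMAPMODE, struct.pack("<H", 8))   # MM_ANISOTROPIC
EOF = build_record(META_EOF)

BENIGN_WMF = build_wmf(SETMAPMODE + EOF)
# SETABORTPROC with a correct size, then another record: Microsoft's trigger shape.
SUSPECT_WMF = build_wmf(build_record(META_ESCAPE, ABORTPROC_ESCAPE) + SETMAPMODE + EOF)
# SETABORTPROC as the last record with RecordSize forged to 1: Gibson's shape.
UNDERSIZED_WMF = build_wmf(build_record(META_ESCAPE, ABORTPROC_ESCAPE, size_words=1) + EOF)


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                       ("undersized", UNDERSIZED_WMF)):
        print(name, find_setabortproc(blob))
```

Treat any hit as a block or quarantine signal on its own; the size and "followed by" fields only tell you which of the two quoted descriptions a sample resembles, and a scanner that advanced by the declared RecordSize alone would walk straight past the forged size-1 record, which is why the walker recovers the escape's extent from ByteCount instead.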
 