Alternate WMF vulnerability patch for WinNT,2000,XP, 2003 systems

  • Thread starter Thread starter Ian Kenefick
  • Start date Start date
I

Ian Kenefick

Quote NOD32 Switzerland

"Paolo Monti has released a temporary patch for the WMF vulnerability
( see Microsoft Security Bulletin 912840 ). This patch intercepts the
Escape GDI32 API in order to filter the SETABORTPROC (function number
9). It uses dynamic API hooks avoiding patching/modifying of the GDI32
code. Advantages of this approach: fully dynamic - no reboot is
required.
This patch also works on Windows 9x/ME. Administrator rights are
required to install it on WinNT,2000,XP, 2003 systems.

Installation: unzip the file WMFPATCH11.ZIP and run the provided
INSTALL.EXE file. Follow the instructions of the installer.

Uninstallation: go into Windows Control Panel, Add/Remove Programs,
select "GDI32 - WMF Patch" and remove it."

You can get it here http://www.nod32.ch/en/download/tools.php
 
Quote NOD32 Switzerland

"Paolo Monti has released a temporary patch for the WMF vulnerability
( see Microsoft Security Bulletin 912840 ). This patch intercepts the
Escape GDI32 API in order to filter the SETABORTPROC (function number
9). It uses dynamic API hooks avoiding patching/modifying of the GDI32
code. Advantages of this approach: fully dynamic - no reboot is
required.
This patch also works on Windows 9x/ME. Administrator rights are
required to install it on WinNT,2000,XP, 2003 systems.

Installation: unzip the file WMFPATCH11.ZIP and run the provided
INSTALL.EXE file. Follow the instructions of the installer.

Uninstallation: go into Windows Control Panel, Add/Remove Programs,
select "GDI32 - WMF Patch" and remove it."

You can get it here http://www.nod32.ch/en/download/tools.php
Click to expand...

OOOOPS!!

The patch also works on Win9x platform.
 
Ian Kenefick - 04.01.2006 21:43 :
Quote NOD32 Switzerland

"Paolo Monti has released a temporary patch for the WMF vulnerability
( see Microsoft Security Bulletin 912840 ). This patch intercepts the
Escape GDI32 API in order to filter the SETABORTPROC (function number
9). It uses dynamic API hooks avoiding patching/modifying of the GDI32
code. Advantages of this approach: fully dynamic - no reboot is
required.
This patch also works on Windows 9x/ME. Administrator rights are
required to install it on WinNT,2000,XP, 2003 systems.

Installation: unzip the file WMFPATCH11.ZIP and run the provided
INSTALL.EXE file. Follow the instructions of the installer.

Uninstallation: go into Windows Control Panel, Add/Remove Programs,
select "GDI32 - WMF Patch" and remove it."

You can get it here http://www.nod32.ch/en/download/tools.php
Click to expand...

what is the better interim-solution of "GDI32 - WMF Patch" compared with
"wmffix_hexblog14.exe"/"wmffix_hexblog13.exe"?

"wmffix_hexblog14.exe" seems to have the advantage not to be installed?
 
what is the better interim-solution of "GDI32 - WMF Patch" compared with
"wmffix_hexblog14.exe"/"wmffix_hexblog13.exe"?

"wmffix_hexblog14.exe" seems to have the advantage not to be installed?
Click to expand...

No reboot required and works on Win9x. This is all really AFAIK. As
ART has already mentioend though... Ilfak's one has been recognised.
There is no need to switch over to ESET's one unless you plan on
deploying the patch to 100's of computers or you run Win9x.
 
LOL! That should drive Virus Guy absolutely nuts! :)
He'll no doubt try to assasinate the author of such
blasphemy, so Paolo had better watch out!
Click to expand...

ha ha - I know it already existed in the original text from ESET... I
felt I needed to highlight it though.

IT WORKS ON WIN9X :)
 
IT WORKS ON WIN9X :)
Click to expand...

You know, that's really lame.

I mean, ok, sure, you install a helper who's only purpose is to
intercept a handfull of calls to GDI32. Sure, such a mechanism will
work on 9X. Doesn't mean that it will ever get used, even if the
computer it's installed is exposed to dozens of problem wmf files (and
I know it doesn't matter if the file has a wmf extension on it or
not).

Again, it has yet to be shown by anyone how a typical installation (or
any installation) of Win-98 attains the ability to know what to do
with a wmf file.

But I'll throw you guys a bone.

Microsoft Photodraw turns out to be the program that is registered to
handle wmf files on Win-98 machines if you went whole-hog and
installed the whole Office-2000 shooting match.

(at least I think it's part of Office 2000. If not, then it must have
come from MSDN).

Anyways, I don't think there's enough integration between IE and
Photodraw that would result in WMF rendering within a browser process.

By the way - GDI32 having a problem or vulnerability doesn't by itself
mean that a Win-98 PC is vulnerable. It also needs an associated
process that is called to handle and disect the wmf file (or what-ever
it's fake extension is) and perform the vulnerable call to GDI32.

You people don't seem to realize that Win-98 has no native handler for
wmf files.
 
You know, that's really lame.

I mean, ok, sure, you install a helper who's only purpose is to
intercept a handfull of calls to GDI32. Sure, such a mechanism will
work on 9X. Doesn't mean that it will ever get used, even if the
computer it's installed is exposed to dozens of problem wmf files (and
I know it doesn't matter if the file has a wmf extension on it or
not).

Again, it has yet to be shown by anyone how a typical installation (or
any installation) of Win-98 attains the ability to know what to do
with a wmf file.
Click to expand...

So contact Paolo then and ask him why he wasted his time with Win 9X.
And ask MS when they finally release a patch (presumably) for 98.
I could mention several other expert sources as well whom you believe
are deluded and totally mistaken. But I know it won't do any good :)
It's a shame, since you (and the rest of us) might actually learn
something in the process.

Art

http://home.epix.net/~artnpeg
 
Art said:
So contact Paolo then and ask him why he wasted his time with
Win 9X.
Click to expand...

I'd like to ask him why it takes a 1 mb file to perform this
function. I'd like to ask why was his fix packed inside a
self-installer that I can't unpack for myself.

And how do we know he "wasted" his time with Win-98? How do we know
there are different versions of the interceptor buried inside
"install.exe" or if a single file works across 9X/NT platforms?
 
I'd like to ask him why it takes a 1 mb file to perform this
function. I'd like to ask why was his fix packed inside a
self-installer that I can't unpack for myself.

And how do we know he "wasted" his time with Win-98? How do we know
there are different versions of the interceptor buried inside
"install.exe" or if a single file works across 9X/NT platforms?
Click to expand...

Why not ask him the real question at hand? Why does Win 98 require
a fix? That's what you wanted to know, wasn't it?

Art

http://home.epix.net/~artnpeg
 
Art said:
Why not ask him the real question at hand? Why does Win
98 require a fix? That's what you wanted to know, wasn't it?
Click to expand...

Ok. Too many suppositions here.

Some guy names Paolo comes out with an installable "service" that
intercepts the problematic calls to GDI32. We _learn_ that the
"service" is compatible with Win-98 (although it was more than likely
written with Win-NT-5.x in mind)

What we don't know is

1) Did Paolo craft a special Win-98 compatible version of this
service? or

2) Did Paolo craft a single version of this service, and it just
happens to be Win-98 compatible?

If (1) or (2) is true, then we still don't know if Win-98 ->needs<-
the service. Just because Paolo did (or did not) take special care to
make the service compatible with Win-98 doesn't mean he has some
special knowledge that Win-98 ->needed<- the service.

The task at hand was to write a GDI32 call interceptor. Knowing if
Win-98 was vulnerable to the call was not a pre-requisite to writing
the interceptor.
 
I'm not a programmer-type under-the-hood Windows expert
but I've tended many Windows boxes since Windows 3.0
in small office environments.

I've been following the discussions on whether Win98
is vulnerable to the recent WMF exploits and just for
fun did a bit of impromptu fooling around with the
"browsercheck.wmf" file found at:
http://www.heise.de/security/dienste/browsercheck/demos/ie/wmf.shtml

It doesn't seem to do anything to my Win98 machine.
Seems to me this is because of the lack of WMF file
associations on my machine.

Note that my tests were done with VirusScan
DAT 4663 which does NOT see Bloodhound.Exploit.56.

I offer the results of what I found for
what it may be worth. I like Win98 because the
bad guys tend to prefer to play with the latest
MS OSs and McAfee could always be relied upon to
make up the difference. I can't tell you how many
of my friends, acquaintances, and co-workers have
had their later OS home machines trashed, but then
again I know a lot of people who are clueless; all
the more reason I kept the boxes I had responsibility
over an OS or two behind the times. I hope recent
events don't put a spotlight on 98 and inspire
the creations of "retro-viruses" so to speak.

My system specs:
===
Windows98SE 4.10.2222A
Office2000
Word2000 (9.0.2720)
Outlook Express 5 (5.50.4133.2400)
Internet Explorer 6.0.2600.0000IS
Firefox 1.0.7
Image Eye 7.1 (default image viewer)
DataViz Conversions Plus 4
McAfee VirusScan Home Edition 7.00.5000.0
(DAT 4.0.4663 12/30/05)


Results:
===

doubleclicking on browsercheck.wmf
results in Conversions Plus opening
identifying file as a dbII file and asking
for input on how to open or convert;
viewing or attempting conversion fails
without incident or it asks for a program
to open it with because there are no
associations and you can just cancel.

doubleclicking on
browsercheck.wmf renamed to browsercheck.jpg
results in Image Eye viewer attempt to open
which fails - unknown format

===

browsercheck.wmf sent as attachment to Outlook
intercepted by Earthlink and stripped
indentified as Bloodhound.Exploit.56
I couldn't get around this, so I can't say what
Outlook would do if it actually got the attachment,
however...

browsercheck.wmf renamed to browsercheck.jpg
sent as attachment to Outlook
NOT intercepted by Earthlink
displayed as broken icon in Outlook viewer pane
attempt to open it identifies file as
c:\windows\Temporary Internet Files\Content.IE5\
XXXXXXX\browsercheck.wmf
"This file does not have a program associated
with it for performing this action. Create an
association in My Computer by clicking Views
and then clicking Folder Options"

===

browsercheck.wmf dropped into Word
results in clickable icon
doubleclicking results in embedded object warning
doubleclicking again identifies file as
c:\windows\temp\pkge0e1.wmf
"This file does not have a program associated
with it for performing this action. Create an
association in My Computer by clicking Views
and then clicking Folder Options"; clicking OK
yields: "No Application is associated with this file"

browsercheck.wmf renamed to browsercheck.jpg
dropped into Word
results in clickable icon
doubleclicking results in embedded object warning
doubleclicking again results in Image Eye viewer fails
- unknown format

===

browsercheck.wmf dropped into Internet Explorer
results in download warning;
telling it to open the file results in
Conversions Plus dialogue box due to lack
of file association


browsercheck.wmf renamed to browsercheck.jpg
dropped into Internet Explorer
results in broken icon

===

browsercheck.wmf dropped into Firefox
results in download warning
telling it to open the file results in
repeated download warnings

browsercheck.wmf renamed to browsercheck.jpg
dropped into Firefox results in display error

===

Attempting to import browsercheck.wmf or
browsercheck.wmf renamed to browsercheck.jpg
into Word Clipart fails without problems

===
 
Ian Kenefick - 04.01.2006 22:52 :
No reboot required and works on Win9x. This is all really AFAIK. As
ART has already mentioend though... Ilfak's one has been recognised.
There is no need to switch over to ESET's one unless you plan on
deploying the patch to 100's of computers or you run Win9x.
Click to expand...

Ian, THX for feedback!

BTW: Have a look at your SIG delimiter where a space is missing after
the 2 dashes. Should be "-- " (DashDashSpace) - without the "".
Otherwise your SIG will be quoted nearly all the time as you can see above.
 
BTW: Have a look at your SIG delimiter where a space is missing after
the 2 dashes. Should be "-- " (DashDashSpace) - without the "".
Click to expand...

Oops - just fixed it. Tnx.
 
Bronx said:
"browsercheck.wmf" file

It doesn't seem to do anything to my Win98 machine.
Seems to me this is because of the lack of WMF file
associations on my machine.
Click to expand...

I just tried to open that file, as well as "test.wmf" (from the
Internet Storm Center). Both are supposed to start the calculator on
a vulnerable system.

http://sipr.net/test.wmf

I tried to open those wmf files using Microsoft ClipArt Gallery 5.0
(Artgalry.exe). (using CCTASK I see that GDI32.DLL is linked to
Artgalry.exe). In both cases, I get the message:

"Clip Gallery could not create a preview image for (file.wmf) using
the installed graphics import filter or media player for that type.
The file may be corrupted or incompatible with the filter..."

Both of those test files open normally in Coreldraw - both seem to
consist of a bunch of random-sized and random-placed rectangles (75 of
them for test.wmf).

When attempting to view those test files under XP - does XP show or
render the files (along with spawning the calculator) - ? Does XP
indicate that the file is mal-formed in any way?

It's still not clear to me if a mal-formed wmf file is supposed to
lead to an instability within GDI32 that (along with executing the
exploit) would lead to a crash of either GDI32 or the process that
called it. If ->something<- is supposed to crash or become unstable
as part of the execution of the vulnerability, then it obviously ain't
happening on my Win-98 system.

An alternative explanation is that these test WMF files have been
designed so that they do not lead to a component crash - or perhaps
they cause a "controlled crash" or exit.
 
Virus Guy wrote:
[snip]
It's still not clear to me if a mal-formed wmf file is supposed to
lead to an instability within GDI32 that (along with executing the
exploit) would lead to a crash of either GDI32 or the process that
called it. If ->something<- is supposed to crash or become unstable
as part of the execution of the vulnerability, then it obviously ain't
happening on my Win-98 system.
Click to expand...

it has nothing to do with a crash or causing instability... setabortproc
tells the computer what to execute in the event that rendering the wmf
file is aborted or fails... the malformed bit then causes the
aforementioned failure...
 
Back
Top