SANS Internet Storm Center WMF workarounds and patches http://isc.sans.org PowerPoint Presentation
Presentation Transcript

SANS Internet Storm Center

WMF workarounds and patches

http://isc.sans.org

Outline
  • How does WMF work?
  • How does the exploit work?
  • What does the Microsoft recommendation do?
  • What does the unofficial patch do?
About the Internet Storm Center
  • Cooperative Incident Response Community
  • Volunteer operated (about 40 ISC Handlers)
  • Vendor neutral
  • Operating the largest worldwide sensor network, DShield.org
  • Depending on input from readers and volunteers donating a large part of their holiday weekend
WMF: how it works

[Diagram: Application opens WMF file, calls shimgvw.dll, which calls GDI32.DLL]

WMF: how it works
  • A WMF file finds its way onto a Windows machine
  • The application opening the file calls shimgvw.dll
  • Which in turn calls GDI32.DLL to do the actual work
WMF: exploit

[Diagram: same chain, Application opens WMF file, calls shimgvw.dll, which calls GDI32.DLL Escape(); the exploit sits in the image data]

WMF: exploit
  • A WMF exploit is an image with a potentially huge payload of exploit code
  • The application will open the file and call shimgvw.dll
  • Which will call GDI32.DLL
  • But the function calls in the image data will cause the Escape() of GDI32.DLL to jump back to the data (now code) in the image itself.
  • From there on it depends on the payload what will happen next …
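The two slides above describe the chain only in words. As an added example, not part of the ISC slides, here is a small defensive WMF record walker in Python. It assumes the public MS-WMF layout (an optional 22-byte placeable header, an 18-byte META_HEADER, then records of the form size-in-words, function code, parameters) and flags META_ESCAPE records (function code 0x0626), the record type that reaches the GDI32.DLL Escape() entry point the slides name; it additionally marks the SetAbortProc escape subfunction (9), which is the subfunction the vulnerable code path handled and which the MS06-001 advisory and IDS signatures of the time keyed on. The record type and subfunction numbers are from the published format, not from the slides; the sample files are constructed inline and carry no payload.

```python
import struct
import sys

# Constants from the MS-WMF format specification (assumption: not from the slides).
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626           # the record that ends up in GDI32.DLL Escape()
ESC_SETABORTPROC = 0x0009      # escape subfunction behind MS06-001


def iter_wmf_records(data):
    """Walk a WMF byte string and yield (offset, function, params).

    params is None for a record whose declared size runs past the end of the
    file (malformed); walking stops after such a record or after META_EOF.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    # META_HEADER: Type, HeaderSize (words, always 9), Version, Size (words),
    # NumberOfObjects, MaxRecord, NumberOfMembers
    ftype, hdr_words, _ver, _size, _nobj, _maxrec, _nmem = struct.unpack_from(
        "<HHHIHIH", data, off)
    if ftype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF file")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        nbytes = size_words * 2
        if size_words < 3 or off + nbytes > len(data):
            yield off, func, None                  # malformed record size
            return
        yield off, func, data[off + 6:off + nbytes]
        if func == META_EOF:
            return
        off += nbytes


def scan_wmf(data):
    """Return a list of findings: escape records and malformed records."""
    findings = []
    for off, func, params in iter_wmf_records(data):
        if params is None:
            findings.append({"offset": off, "record": func,
                             "issue": "malformed record size"})
        elif func == META_ESCAPE:
            esc = struct.unpack_from("<H", params, 0)[0] if len(params) >= 2 else None
            issue = "SetAbortProc escape" if esc == ESC_SETABORTPROC else "escape record"
            findings.append({"offset": off, "record": func,
                             "escape": esc, "issue": issue})
    return findings


# --- constructed sample files (not real-world captures) ---------------------
def _record(func, *words):
    """Pack one WMF record: size in words, function code, 16-bit parameters."""
    return struct.pack("<IH", 3 + len(words), func) + struct.pack("<%dH" % len(words), *words)


def _wmf(*records):
    """Wrap records in a minimal disk-type META_HEADER."""
    body = b"".join(records)
    max_rec = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, max_rec, 0)
    return header + body


META_SETMAPMODE = 0x0103
SAMPLE_BENIGN = _wmf(_record(META_SETMAPMODE, 1), _record(META_EOF))
SAMPLE_ESCAPE = _wmf(_record(META_SETMAPMODE, 1),
                     _record(META_ESCAPE, ESC_SETABORTPROC, 0),
                     _record(META_EOF))
# a record that claims to be 128 KiB long in a 32-byte file
SAMPLE_MALFORMED = _wmf(_record(META_SETMAPMODE, 1)) + struct.pack("<IH", 0x10000, META_ESCAPE)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for finding in scan_wmf(fh.read()):
                print(path, finding)
```

Run it as `python wmfscan.py file1.wmf file2.wmf`; a clean file produces no output. The walker deliberately stops at the first record whose size runs past the end of the file, because that is exactly the kind of input a parser should refuse rather than read past; an empty result for a file that parses cleanly says only that it contains no escape records, not that it is safe.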
WMF: Microsoft unregister

[Diagram: shimgvw.dll crossed out between Application / WMF file and GDI32.DLL Escape(); caption: "Who's gonna call?"]
WMF: Microsoft’s solution
  • Microsoft advised to unregister the shimgvw.dll in order to break the chain that leads to the vulnerable Escape() in GDI32.DLL
  • This will work for all applications that follow this path, but
    • Nothing prevents direct calls to GDI32.DLL from being made by other applications
    • Some applications (e.g. Mozilla) rely on the functionality provided by shimgvw.dll to do things people use in daily life
    • The library might be registered again by other software
  • Aside from the unregistration, Microsoft also recommends:
    • user awareness, not surfing to “bad” places, and all other sorts of generic solutions that are not relevant to this problem.
    • to keep anti-virus signatures up to date, but our tests show that many anti-virus products trigger on the payload if they trigger at all. And the payload of the successful massive attack will be new.
WMF: how it works: unofficial patch

[Diagram: UNOFFICIAL PATCH inserted between shimgvw.dll and GDI32.DLL Escape()]
WMF: how it works: unofficial patch
  • The unofficial patch protects the in-memory copy of GDI32.DLL by preventing access to the vulnerable Escape() function.
  • This patch was made by Ilfak Guilfanov.
  • Unofficial patches generally are indeed a bad idea, but:
    • This patch was reviewed and vetted by Tom Liston, handler at the Internet Storm Center.
    • There is no other proper solution until Microsoft fixes things.
    • The bad guys now know the deadline: they have 1 week to come up with the über-payload to infect millions.
  • Do you want to be among the casualties?
  • Or do you want to be prepared to the best of your abilities?