SANS Internet Storm Center WMF workarounds and patches http://isc.sans.org
Outline
• How does WMF work?
• How does the exploit work?
• What does the Microsoft recommendation do?
• What does the unofficial patch do?

About the Internet Storm Center
• Cooperative Incidents Response Community
• Volunteer Operated (about 40 ISC Handlers)
• vendor neutral
• operating the largest worldwide sensor network, DShield.org.
• depending on input from readers and volunteers donating a large part of their holiday weekend.
WMF: how it works (diagram: Application -> WMF file -> shimgvw.dll -> GDI32.DLL)

WMF: how it works
• A WMF file finds its way onto a Windows machine
• The application opening the file calls shimgvw.dll
• which in turn calls GDI32.DLL to do the actual work
WMF: exploit (diagram: Application -> WMF file (exploit) -> shimgvw.dll -> GDI32.DLL Escape())

WMF: exploit
• A WMF exploit is an image with a potentially huge payload of exploit code
• The application will open the file and call shimgvw.dll
• which will call GDI32.DLL
• but the function calls in the image data cause the Escape() of GDI32.DLL to jump back to the data (now code) in the image itself.
• From there on, what happens next depends on the payload …
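To make the exploit path above concrete from the detection side, here is an added example in Python (not from the ISC slides or any vendor): a minimal WMF record walker that flags META_ESCAPE records whose escape sub-function is SETABORTPROC, the escape named in public analyses of this bug (an assumption beyond what the slide states). The files it builds are constructed, non-executable fixtures for testing the check, not real samples.

```python
import struct

# WMF format constants (public format documentation; not from the slides)
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus "placeable" header key
META_EOF = 0x0000
META_ESCAPE = 0x0626          # record type that reaches GDI32's Escape()
SETABORTPROC = 9              # escape sub-function named in public analyses (assumption)

def iter_records(data):
    """Yield (function, params) for every record of a standard or placeable WMF."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]  # HeaderSize in 16-bit words (9)
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # RecordSize (words), RecordFunction
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError(f"bad record size at offset {off}")
        yield func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size

def find_abortproc_escapes(data):
    """Return [(escape_code, data_length)] for each META_ESCAPE record carrying SETABORTPROC."""
    hits = []
    for func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc, count = struct.unpack_from("<HH", params, 0)  # EscapeFunction, ByteCount
            if esc == SETABORTPROC:
                hits.append((esc, count))
    return hits

def build_sample(escape_code, payload, placeable=False):
    """Constructed test fixture (not a real file): header, one META_ESCAPE record, META_EOF."""
    body = struct.pack("<HH", escape_code, len(payload)) + payload
    body += b"\0" * (len(body) % 2)                        # records are word-aligned
    rec = struct.pack("<IH", (6 + len(body)) // 2, META_ESCAPE) + body
    eof = struct.pack("<IH", 3, META_EOF)
    # MetaType, HeaderSize, Version, Size(words), NumberOfObjects, MaxRecord(words), NumberOfMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(rec) + len(eof)) // 2, 0, len(rec) // 2, 0)
    wmf = header + rec + eof
    if placeable:  # Aldus header: key + 18 bytes (handle, bbox, inch, reserved, checksum), zeroed here
        wmf = struct.pack("<I", PLACEABLE_MAGIC) + b"\0" * 18 + wmf
    return wmf

if __name__ == "__main__":
    print(find_abortproc_escapes(build_sample(SETABORTPROC, b"\0" * 8)))  # [(9, 8)]
    print(find_abortproc_escapes(build_sample(8, b"\0\0")))                # []
```

Flagging every META_ESCAPE would be noisy, since legitimate metafiles use other escape codes; restricting the check to SETABORTPROC keeps it usable at a mail gateway or on a file share.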
WMF: Microsoft unregister (diagram: shimgvw.dll crossed out; Application -> WMF file (exploit) -> GDI32.DLL Escape(); caption: "Who's gonna call?")

WMF: Microsoft's solution
• Microsoft advised to unregister shimgvw.dll in order to break the chain that leads to the vulnerable Escape() in GDI32.DLL
• This will work for all applications that follow this path, but
  • Nothing prevents direct calls to GDI32.DLL from being made by other applications
  • Some applications (e.g. Mozilla) rely on the functionality provided by shimgvw.dll to do things people use in daily life
  • The library might be registered again by other software
• Aside from the unregistration, Microsoft also recommends:
  • user awareness, not surfing to "bad" places and all other sorts of generic solutions that are not relevant to this problem.
  • keeping anti-virus signatures up to date, but our tests show that many anti-virus products trigger on the payload if they trigger at all. And the payload of the successful massive attack will be new.
WMF: how it works: unofficial patch (diagram: Application -> WMF file (exploit) -> shimgvw.dll -> UNOFFICIAL PATCH -> GDI32.DLL Escape())

WMF: how it works: unofficial patch
• The unofficial patch protects the in-memory copy of GDI32.DLL by preventing access to the vulnerable Escape() function.
• This patch was made by Ilfak Guilfanov.
• Unofficial patches generally are indeed a bad idea, but:
  • This patch was reviewed and vetted by Tom Liston, handler at the Internet Storm Center.
  • There is no other proper solution till Microsoft fixes things.
• The bad guys now know the deadline: they have 1 week to come up with the über-payload to infect millions.
  • Do you want to be among the casualties?
  • Or do you want to be prepared to the best of your abilities?