Information Windows

Saturday, May 17, 2008

Vulnerabilities in Graphics Rendering Engine May Still Exist Even After Applying the MS05-053 (KB896424) Security Update

As you have probably read in this blog, I go out into the dark side of the World Wide Web looking for exploits in the wild, and demonstrating how least privilege can save you.

While surfing around in Windows XP SP2 that is fully patched through 12/13/2005, I was almost sure that I was safe even in an administrator account. Turns out, I was wrong. Next thing I know, files are launching and the faux spyware message shows up in the tray, my background is changed, and Task Manager is disabled.

When I traced the files executing the code, it occurred to me that files with those particular extensions were supposed to be harmless. They were Windows Metafiles going by the names xpl.wmf and xpladv470.wmf. Something was amiss; I knew I had installed KB896424 [microsoft.com] to prevent Windows Metafiles from executing code. According to Microsoft:

A remote code execution vulnerability exists in the rendering of Windows Metafile (WMF) image format that could allow remote code execution on an affected system. Any program that renders WMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Apparently, code is still allowed to execute whether 1) I visit a web page containing the exploit, 2) the file is previewed in Explorer, or 3) the file is simply opened in Windows.

I have confirmed that the following remain vulnerable:

* Windows XP SP2 with all updates through 12/13/2005 including KB896424
* Windows XP SP2 with KB896424
* Windows Server 2003 SP1 with all updates through 12/13/2005 including KB896424

Windows XP SP2 Fully Updated: [screenshot]

Windows Server 2003 SP1 Fully Updated: [screenshot]


It appears to only run with the same privileges as the user. So if you are a restricted user, you don't have anything to worry about if this gets executed. It will simply die from lack of privileges.

12/28/2005 Update: Temporary Workaround and More Information

According to Security Focus:

Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine.

However, according to the many different samples and websites I have tried, the code does not execute as SYSTEM even as a limited user. Who is right? I don't know, but for now I say I am. During any code execution of the metafiles, shimgvw.dll, the Windows Picture and Fax Viewer, is only loaded in explorer.exe. Explorer.exe has the same privileges as the user. It is unable to do any damage when executed in the limited user account.

You can stop code from being executed by disabling the Windows Picture and Fax Viewer:

1) Go to Start, and Run

2) Type the following command, pressing enter afterwards: regsvr32 shimgvw.dll /u

You must be an administrator to run this command.

3) Restarting is not required. The files are rendered harmless right away. However, if you want to be thorough, you can restart anyway.

The only trade-off is that you will not be able to preview thumbnails in Explorer.
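To check whether the workaround above is actually in effect on a machine, here is an added PowerShell check (not part of the original post). It assumes that a registered Windows Picture and Fax Viewer shows up under HKEY_CLASSES_ROOT\CLSID as a class whose InprocServer32 default value points at shimgvw.dll, and that the hotfix appears in Win32_QuickFixEngineering under an ID containing 896424.

```powershell
# Added example, not from the original post: report whether shimgvw.dll is
# still COM-registered (workaround not applied) and whether KB896424 is listed.
function Test-ShimgvwWorkaround {
    # Expose HKEY_CLASSES_ROOT as a drive if the session has not done so yet.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }

    # Assumption: every COM class whose in-process server is shimgvw.dll
    # represents an active registration of the Picture and Fax Viewer.
    $registrations = Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $serverKey = $_.PSPath + '\InprocServer32'
            if (Test-Path $serverKey) {
                $dll = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
                if ($dll -and $dll -match 'shimgvw\.dll') {
                    [pscustomobject]@{ CLSID = $_.PSChildName; Server = $dll }
                }
            }
        }

    # KB896424 (MS05-053) being present does not by itself stop the metafile
    # from running, as the post describes; it is reported for completeness.
    $hotfix = Get-WmiObject -Class Win32_QuickFixEngineering |
        Where-Object { $_.HotFixID -match '896424' }

    [pscustomobject]@{
        WorkaroundApplied  = (-not $registrations)
        ShimgvwClasses     = @($registrations | ForEach-Object { $_.CLSID })
        KB896424Installed  = [bool]$hotfix
    }
}

$result = Test-ShimgvwWorkaround
if ($result.WorkaroundApplied) {
    Write-Output 'No COM class points at shimgvw.dll; the unregister workaround is in effect.'
} else {
    Write-Output ('shimgvw.dll is still registered under CLSID(s): ' + ($result.ShimgvwClasses -join ', '))
}
Write-Output ('KB896424 (MS05-053) listed as installed: ' + $result.KB896424Installed)
```

Run it from an elevated prompt on the machine being checked; a WorkaroundApplied value of True after running regsvr32 shimgvw.dll /u confirms the unregistration took effect.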

Another Update: Microsoft Releases Security Advisory

Microsoft has released a Security Advisory. It confirms what I knew all along:

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
