WMF Exploit Round two…

On New Year's eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at metasploit and xforce, together with a anonymous source.
The exploit generates files:

  • with a random size;
  • no .wmf extension, (.jpg), but could be any other image extension actually;
  • a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
  • a number of possible calls to run the exploit are listed in the source;
  • a random trailer

From a number of scans we did through
virustotal, we can safely conclude there is currently no anti-virus
signature working for it. Similarly it is very unlikely any of the
current IDS signatures work for it.

Judging from the source
code, it will likely be difficult to develop very effective signatures
due to the structures of the WMF files.

Wishing all windows machines a happy New Year, with a bit fewer nasty exploits.

this upsets all defenses people have in place we voted to go to yellow
in order to warn the good guys out there they need to review their

From SANS Internet Storm Center.  F-Secure has blogged that the first WMF worm is in the wild.  Here's the post on Full Disclosure:

We just released a new version of the Metasploit Framework exploit module
for the Escape/SetAbortFunc code execution flaw. This module now pads the
Escape() call with random WMF records. You may want to double check your
IDS signatures — most of the ones I saw today could be easily bypassed

or will false positive on valid graphic files.

Available via msfupdate, the 2.5 snapshot, or straight from the web site:


The end of L0phtcrack?

After reading comments on a recent Bruce Schneier blog post, I think that Symantec has pulled the plug on L0phtcrack and the @stake development team.  Time to switch to John the Ripper I guess.

Very fishy.

The @stake/research directories are gone now. In fact I'm not able
to find any info on the corp web site, and the phone-sales people
aren't answering the phone (yet?). At first glance it seems most likley
that a business decision was made to end-of-life the product, which
kind of sucks because I had just told some Windows admins to buy the
thing to test their systems.

Fortunately, I guess, lcsrc.zip is still widely available (as are lc201.exe and lc3setup)…alas, source is good.

Posted by: Davi Ottenheimer

Threats and Countermeasures Guide 2.0

I'm delighted to announce that Microsoft has released updated versions of two of its key security guides: the Threats and Countermeasures Guide 2.0 and the Windows Server 2003 Security Guide 2.0.
Devin and I put in a lot of hours updating these two guides to reflect
updated settings in XP SP2 and Windows Server 2003 SP1, and there's
some very useful new information therein.

From the Exchange Security blog.


I just got word that I passed the CISSP test.  I just have to get my endorsement in and get approved.  Overall, I did it in about a month.  Lots of cramming, but very little of it was new material for me.  It was just making sure I answered the way ISC(2) wanted me to answer it. 
With my new job, this has been a good week.

Workaround for the 0-day WMF exploit

For this WMF exploit: Until Microsoft patches this thing, here is a workaround:

From the command prompt, type REGSVR32 /U SHIMGVW.DLL.

You can also do this by going to Start, Run and then pasting in the above command.

effectively disables your ability to view images using the Windows
picture and fax viewer via IE. This is an old Windows feature that
doesn’t even show up under programs. Not “core” or critical. 

However, it is a preventative measure. If you are already infected, it will not help.

it does is to prevent the WMF file from being opened in the viewer
where the bug is that makes it execute the code in the picture.

Works for IE, should work fine for Firefox users as well.

From SunBelt Blog.

SANS Infocon moved to YELLOW

We are moving to Infocon Yellow for a bit. There has been some debate
among the handlers about this step, but considering that a lot of
people are on holidays and might otherwise miss the WMF 0-day problem,
we have decided to raise the alert level.

The folks at Websense Labs have a nice movie on how it looks like if a system gets exploited by this WMF 0-day, see http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv
. Don't go to any of the URLs visible in the movie unless you know what
you are doing (or feel like spending the next hours reinstalling your

The orignal exploit site (unionseek.com) is no longer up.
But the exploit is being served from various sites all over by now, see
the F-Secure Blog on http://www.f-secure.com/weblog/ for an update on the versions of the exploit found in the wild.

From the SANS Internet Storm Center.