Within the last few days an exploit has been released to take advantage of a vulnerability in the way Windows systems handle Windows Metafile (WMF) images. A WMF image is a 16-bit metafile format that can contain both vector information and bitmap information. The vector data stored in WMF files is described as Microsoft Windows Graphics Device Interface (GDI) commands. In the Window environment these commands are interpreted and played back on an output device using the Windows API PlayMetaFile() function. Bitmap data stored in a WMF file may be stored in the form of a Microsoft Device Dependent Bitmap (DDB), or Device Independent Bitmap (DIB). WMF files are optimized for the Windows operating system. By exploiting a vulnerability created by a GDI function, an attacker can cause the CPU utilization to go to 100%, install spyware on a system, or take control of a system.
WMF files contain a sequence of Graphic Display Interface (GDI) function calls. One of the available GDI functions is the GDI Escape function, which enables applications to access capabilities of a particular device not directly available through GDI. A GDI Escape function call made by an application is translated and sent to the driver for the device. One GDI escape function, SetAbortProc, is intended to be used to set the application-defined abort function that allows a print job to be canceled during spooling. Exploits released for this vulnerability are using this function instead as a method of attacking Windows-based systems.
The current exploits for this vulnerability use SHIMGVW.DLL, which is a Dynamic Link Library (DLL) file used by Windows Picture and Fax Viewer, as an attack vector. However, disabling the Windows Picture and Fax Viewer will not eliminate this vulnerability as it is currently thought to exist in the Windows GDI DLL file, GDI32.DLL. You can find these files in %WINDIR%\system32 and %WINDIR%\system32\dllcache. The %WINDIR% variable will likely equate to c:\windows or c:\winnt on your system. These files are a normal part of a Windows operating system distribution.
This vulnerability can be exploited by sending an infected WMF file to someone by email or by an infected WMF posted on a website that a user may visit. If the user is logged on with a limited user account the exploit will do little harm to the system. If the user is logged on with an account with adminsitrator privileges when the infected file is encountered, then the code in the infected file executes with full system privileges, potentially giving an attacker full control of the system. This is why normal user activities on a system should not be routinely conducted from an administrator account. Some users may want to have the account they normally use in the administrator group, so that they can easily do anything they want from that account. That convenience makes a system much more vulnerable to compromise not just from this exploit, but from any virus, trojan, spyware, etc.
Just blocking all WMF files isn't sufficient to protect a system from this vulnerability as Microsoft states the following in Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
If I block .wmf files by extension, can this protect me against attempts to exploit this vulnerability?
No. Because the Graphics Rendering Engine determines file type by means other than just looking at the file extensions, it is possible for WMF files with changed extensions to still be rendered in a way that could exploit the vulnerability.
An attacker could use a file with an extension of BMP, DIB, GIF, EMF, JFIF, JPE, JPEG, JPG, PNG, TIF, TIFF, or WMF, which are also filetypes that are normally associated with the Windows Picture and Fax Viewer, that is really a WMF file. The system will look at the contents of the file rather than rely solely on the extension to determine if it is a WMF file. If the contents of the file begin with any of the following, then the system will interpret it as a WMF file:
Unfortunately, if you have an infected file on your hard disk and your system isconfigured to display thumbnails automatically, your system can become infected.
Your system may possibly also be infected if you use Google Desktop Search (GDS), which is Google's desktop indexing software, Microsoft's MSN Desktop Search or other file indexing software. Google's indexing utility automatically indexes the metadata of images, including WMF files, in real-time. It does so by issuing an API call to shimgvw.dll to extract the metadata from the file. If it encounters an infected file, then the exploit is invoked and the system becomes infected.
Microsoft's MSN indexing utility may also be vulnerable. In Microsoft Security Advisory (912840), Microsoft states the following in the FAQ section:
It has been reported that malicious files indexed by MSN Desktop Search could lead to exploitation of the vulnerability. Is this true?
We have received reports and are investigating them thoroughly as part of our ongoing investigation. We are not aware at this time of issues around the MSN Desktop Indexer, but we are continuing to investigate.
Microsoft confirms that this is a separate issue from "Microsoft Security Bulletin MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)".
Microsoft's advisory states that as of December 30, the following antivirus vendors have updated software to address this vulnerablity:
Computer Associates (CA) has labelled files containing this exploit as Win32/Worfo. The virus definitions required for various versions of CA's eTrust Antivirus and EZ Antivirus are listed at CA's Win32/Worfo webpage.
Symantec, the developer of Norton AntiVirus and Symantec AntiVirus Corporate Edition, has labeled exploits of this vulnerability as Bloodhound.Exploit.56. Symantec states "the Bloodhound.Exploit.56 detection was updated as of the December 30th, 2005 LiveUpdate definitions."
An exploit (ie_xp_pfv_metafile.pm revision 1.6) has been released for the Metasploit Framework. The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code, which can be used for penetration testing and vulnerability research.
You can find sample hex code at Explorer.exe WMF Parsing Causes a DoS that can be used to create a WMF file that will cause a system to use 100% of the available CPU time.
Created: Monday January 9, 2006