WMF Vulnerability is an Intentional Backdoor? 788
An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.
Another? (Score:2, Interesting)
Rootkit (Score:2, Interesting)
I would not be suprised at all. (Score:5, Interesting)
Its happened before and it will happen again. Whether this is the case remains to be seen.
Government backdoor? (Score:5, Interesting)
If this isn't a glaring example on why you should support open source, I don't know what is....
Unparalleled BS from MS. (Score:2, Interesting)
From TFA: You mean user action like...say...opening a web browser?
Anyway, this is freaky interesting, because if this is actually true, it's pure, unvarnished evil. I't a lot like the Allied soldiers who were fighting in Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.
Steve makes an excellent case with his diagnosis, but I'd love to see his findings verified by a few other agencies. This is too important to leave to one researcher.
I, for one, am going to be following this story avidly. Any bets on when M$ issues a statement that a 'rogue programmer' put this code in, and disaavow any knowledge or responsibility?
do you mean (Score:4, Interesting)
This Steve Gibson [grcsucks.com] ?, yeah he is a real security expert, along with his podcast boy wonder we have much to be afraid of
Re:Rootkit (Score:2, Interesting)
Possible uses? (Score:4, Interesting)
Bugs don't have to be well-coded (Score:3, Interesting)
Lawsuit time (Score:5, Interesting)
It's possible to get to the bottom of this by legal means.
Based on that information (Score:3, Interesting)
Magic Lantern? (Score:5, Interesting)
The notion of a backdoor in Windows isn't new. Perhaps the WMF vulnerability was one of the vectors used by Magic Lantern [wired.com], which was the code word for at least one of the FBI's keylogger programs. Magic Lantern was notable in that antivirus providers participated with the Feebs in a gentleman's agreement to not look for it.
It's certainly a dumb enough solution that the IT-challenged FBI might go for it.
On relative dumbness and smartness, I'd expect smart spies, namely those who work for two other notable three-letter-agencies, to use somewhat more interesting techniques. If it were me, I'd take advantage of equipment I had in place at critical infrastructure points to conduct MITM attacks between a PC and Windows Update servers, in order to transparently install my spookware on only those machines that specifically identify themselves - by means of GUID or whatever other stuff I could glean from the Windows Genuine Advantage and other DRM-related bitstreams - as belonging to my target population.
Paranoid? If you're not paranoid, you're not thinking far enough ahead.
Re:Possible uses? (Score:2, Interesting)
Looking for people who have bad things to say about the gov't on their computer? You don't necessarily know where they are.
And let your imagination continue the list
What about wine? (Score:3, Interesting)
http://it.slashdot.org/article.pl?sid=06/01/06/20
Re:Government backdoor? (Score:5, Interesting)
The function in question has existed for a long time. The exploit is in Windows 2000 and more recent. From the transcript:
Re:Possible uses? (Score:5, Interesting)
Re:Length==1 (Score:5, Interesting)
But I still have a hard time seeing how code would *accidentally* behave like this. An invalid length should abort processing right off the bad, for one thing; "falling through" might be an explanation, but what possible code could be "fallen through" into that would set CPU execution *inside* the metafile -- moreover, would set CPU execution to the *next byte* after the erroneous header block. That's awfully convenient; if it were a mistake, I'd expect code execution to begin at some other random location, probably influenced by whatever happened to be in the register or some temporary pointer variable at the time. But the very next byte? That's too insanely convenient -- you get to provide your key *and* your payload in the *same* place.
You could argue that buffer overrun exploits do the same thing, but the idea of the buffer overflow is to specifically overwrite the function-return pointer to *make* it point at your code. In this case, the exploit doesn't have to specify the location of the code to execute, Windows does that for you. Too convenient.
Re:Government backdoor? (Score:-1, Interesting)
Re:Length==1 (Score:4, Interesting)
"Never ascribe to malice that which is adequately explained by incompetence."
Re:I would not be suprised at all. (Score:2, Interesting)
Re:Steve Gibson is a crackpot (Score:5, Interesting)
I'm going to post my hierarchy of vulnerabilities. (Score:3, Interesting)
1. Remote--root access that does NOT require human intervention or other app running.
2. Remote non-root access that does NOT require human intervention or other app running.
3. Local root access that does NOT require human intervention or other app running.
4. Local non-root access that does NOT require human intervention or other app running.
5. Remote root access that requires some human interaction or some combination of apps.
6. Remote non-root access that requires some human interaction or some combination of apps.
7. Local root access that requires some human interaction or some combination of apps.
8. Local non-root access that requires some human interaction or some combination of apps.
9. Remote OS crash.
10. Remote app crash.
11. Local OS crash.
12. Local app crash.
So, Microsoft's criteria would be equivalent to #1 here. And I agree that it is "critical". It is the WORST possible vulnerability. Which is why I listed it as #1.
But #2 is only slightly less devastating. And if you combine #2 with #3, you'll have the equivalent of #1.
Therefore, ANY remote attack that gives you ANY user level or above access should be "critical".
But who really cares what name you assign them? "Critical", "Red", "Emergency", "Category 1", whatever.
What matters is what avenue is open for attack and what the results of that attack will be.
1,000 level 12 vulnerabilities aren't anything compared to one single level 1 vulnerability.
Re:Bugs don't have to be well-coded (Score:3, Interesting)
This is (IMNSHO) not a bug. How would you accidentally introduce a bug that for one specific, non-valid, value the program would start executing code that has no place being there in the first place. This has nothing to do with printing. This has nothing to do with a callback to a function in the originating program to tell it the print job has been aborted. This is about executing code within the WMF file directly. It servers no purpose, especially since it only works if you give specific, non-random, invalid input to the WMF parser.
Re:Thread Creation (Score:2, Interesting)
I know i've modified some already working code to use inputs that would have been 'invalid' for before the modifications to add new functionality to small programs to do other things that are similiar without having to start them from scratch.
I could see this as being a way to allow unknown image formats encapsulated in WMF files to create processes to decode and display images that weren't of the type the original WMF knew about? I know this is just speculation, but it could be a neat way of doing things, a la, including the decoder along with the actual thing to be decoded, but also bad for security purposes.
Why hasn't he stepped into the WMF interpreter? (Score:5, Interesting)
Win98 is 8 years old -- so? (Score:3, Interesting)
It's not dead yet. You just wish it were.
Think about it like a programmer (Score:5, Interesting)
exit standard processing
encounter SetAbortProc
open thread to communicate with windows print manager
thread attempts to read [length] bytes for sub value, encounters overrun
this is where I'm guessing the real horrendous problem lies. I'm guessing that the original code ignores exceptions while pulling in the sub value, so in this case where code hits an overrun, instead of that sub value getting a few bytes of data, it just graps until . In this case that sub value winds up being the payload.
So there you go, key and payload on an independent thread because of a bad exception handler in a 12 year old block of code.
-Rick
still in use (Score:5, Interesting)
Re:Government backdoor? (Score:2, Interesting)
Also this is the reason that the German gov't commenced a project to create a special operating system for their needs wrt classified information. And although this is *not* public knowledge this is also why China has requested Microsoft's help in replacing the effected portions of Windows (I believe in good faith that I am probably not violating my NDA by bringing this up).
I have every reason to believe that this is accurate based on what I have seen.
Reflections on Trusting Trust (Score:5, Interesting)
But wait, there's more... (Score:5, Interesting)
I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code.
So, it accidently created a new thread, and directed the new thread to start executing code at the specific position? That's a whole different level of accident.
Oh, and Shimmer, I'll take that 5$.
Old coding practises, not conspiracy (Score:3, Interesting)
> that would set CPU execution *inside* the metafile
Actually, I think it was done for performance releases (remember, existed back in the Win 3.0 days).
Back in ye olden days, there was a common software practise called self modifying code. It was used in some implementations of FORTH, but it was far more popular on systems that had few registers like C64. It was generally used as a way to dramatically speed up code on those slow processors.
Have a look at the popular C64/Atari program SpeedScript (see http://www.atarimagazines.com/compute/gazette/198
The source code it gives an example:
"This module is chiefly concerned with the word processor editing functions.It contains many common subroutines, such as TOPCLR and PRMSG to clear the command line and print messages. It contains the initialization routines and takes care of memory moves (inserts and deletes). A second module, SPEED.2, is responsible for most input/output, including the printer routines. SPEED.1 is the largest file in the linked chain. UMOVE is a high-speed memory move routine. It gets its speed from self-modifying code (the $FFFFs at MOVLOOP are replaced by actual addresses when UMOVE is called). UMOVE is used to move an overlapping range of memory upward (toward location 0), so it is used to delete. Set FROML/FROMH to point to the source area of memory, DESTL/DESTH to point to the destination, and LLEN/HLEN to hold the length of the area being moved."
Re:Old coding practises, not conspiracy (Score:3, Interesting)
1) NT Win32 is a fresh implementation of the Win32. This doesn't share Win16 code.
2) NT, and especially Win32 is written almost entirely in C++. Ever try to do self modifying code in C++?
3) The security push from 2 years ago would have never let self modifying code pass.
4) Intel Procs aren't particularly suited to self modifying assembly.
5) Nobody on the Windows team would seriously consider using it, ever, even if it is joked about on beer Friday. Any attempt to use it in reality would start with a flogging and end with a firing.
Cue the following scenario (Score:3, Interesting)
A black van pulls up to your ISP, several men in black suits emerge and enter the office.
Agent A: We would like to access your network routers.
ISP clerk: Why? Who are you, can I see some papers?
Agent B: [Pulls out a black gun] You don't need to see our papers geek boy.
Agent A: Mr. Smith please, not yet. Our papers are in the mail, do you want to wait for them to arrive? Mr. Smith here hates waiting but if you want to force him to wait I am sure that is fine.
ISP clerk: [looks at Agent B playing with a blackened knife] In the mail you say? Oh that is fine, absolutly let me buzz you in.
Agent A: Thank you for your cooperation citizen. I will just be a minute, Mr Smith here will keep your company so you won't get lonely and feel the need to call anyone. [enters the machine room while Agent B plays with his knife]
Agent A: [returns after a few minutes] We will be leaving now. The goverment thanks you for your cooperation, please refrain from speaking with this about anyone.
The two agents leave and the ISP clerk decides that he needs another job.
Question: How to force a people to retrieve an infect WMF file? Answer: Control the network.
Any computer connected to the network does so because an ISP somewhere routes the calls to the proper adress. Rerouting it is trivial for the right people.
This could be done by the goverment in exactly the same way they redirect phone calls (You never seen a movie where people call phone X only to find themselves talking to phone Y without their knowledge?) OR another reason?
This "bug" is claimed to be new to windows 2000. Roughly the time of all those worms when it became impossible to patch a new windows online BEFORE it was infected. Now imagine the solution if this had gotten really out of control were a worm so nasty was out that EVERY windows machine connected to the net would instantly be infected. How would you patch all those machines? Especially considering how impossible it is to get users to actually PATCH their bloody machines? You could make the argument that what would be needed is somekind of solution were every windows machine connecting to the net would immidiatly be patched.
Cue every ISP being told to redirect their users to a WMF file (every isp is capable of this) and voila, instant enforced patching no matter how much you disabled MS update.
The only problem with exploiting this is for complete outsiders. The goverment has absolutly no problem exploiting this exploit to root your machine.
Is this the explenation? I don't know. I am just guessing and not accepting the easy answer.
malfeature (Score:3, Interesting)
So yes, it's a feature, but it isn't a good feature. It would be a misfeature, but I suggest that good and bad aren't sufficient to fully describe this. You need good, bad, and evil. Thus I suggest a new term for evil features like this: malfeature.
And that one can have "mismalfeatures", though I'd rather make that into "dismalfeatures".
Wine bug compared to MS (Score:3, Interesting)
In fact, the differences between the behaviour of Wine and Windows implies that there is indeed something very unusual about the way Windows handles this special case. Whether it is an intentional problem or just horribly bad coding, that is harder to say.
Re:But wait, there's more... (Score:2, Interesting)
Keep in mind there is an interpreting layer separating the WMF from the actual GDI call. It's entirely plausible that in some confusion the real Escape call is being passed the address of the argument in the script rather than interpreting the data in the script as the pointer value. Not only is this plausible, but it makes perfect sense -- any function interpreted in this context would have to work this way, for example, TextOut usually accepts a pointer to a string, but I bet in a WMF you would simply supply the string literal, and the WMF interpreter would pass a pointer to that data to the real TextOut.
The escape for AbortProc is the way to set the callback in the first place. But since the packet is messed up (the length is one rather than the proper length) then effectively the whole "ESC/AbortProc" packet should never even be properly processed.
It's likely that the length record is merely used to determine what to increment the pointer into the script by once the current packet finishes execution -- if this is the case, an invalid length would not effect the current packet, but then would cause problems after the current packet is processed.
Finally, someone has pointed out that the length does not have to be one [slashdot.org].
There is nothing outrageous about this in the least.
(OT) Re:Unparalleled BS from MS. (Score:4, Interesting)
The reporting during WWI damaged the credibility of all reporting during WWII.
jcr (53032): Allied propagandists didn't have the imagination to come up with anything like the holocaust.
They most certainly did have the imagination, but they realized that they did not have a willing audience for such accusations. Successful PR cannot be had with seemingly wild claims, especially if the organization has been shown to greatly overexaggerate in the past.
Re:But wait, there's more... (Score:3, Interesting)
So... What happens if you make an AbortProc packet, with embedded code instead of pointer. Then you set the length properly to point to after the code. Then there's another error later. Will it abort? Will it run the code? It's worth a test to someone with a test harness.
It's looking more like design. But maybe not malicious design, just "too clever for it's own good" design.
Other Explanations (Score:3, Interesting)
This, however, overlooks many other possibilities and, unless there is other evidence I am unaware of, suggests an ignorance of security vulnerabilities by those making the suggestion. Frequently security vulnerabilities result from data being interpreted in an incorrect fashion as a result of pointer munging or memory collisions. Often some perfectly innocent piece of data (like message length) will get used as an index into some table or mistakenly used in stead of the correct variable in some test and cause incorrect execution or privelege escalation of the user's code.
Even if there is reason to believe this isn't a simple code error like this there are many other explanations other than microsoft or an employees malevolence. For instance imagine this situation:
Initially Metafile execution is designed to execute code in the fashion of the vulnerability with no requirement on the header length. This is perfectly plausible if it was programmed by some new hire without much awareness of security. Hell, it could be a bug introduced to do some sort of debug or get something up and working fast which just got left in the codebase. I'm sure all of us have made a change to our code that screws over security just to do some testing and sometimes people forget about it or get fired.
In any case this security issue in the code base is there and some other parts of windows start relying on it. The security experts eventually notice the issue but by now other parts of windows will break if it gets fixed. Perhaps then the deciscion is made to partially patch the vulnerability but leave a special value for some fields which triggers the old behavior so as not to break the other parts of windows. If this is the case it would explain microsoft's recluctance to patch 95 and other old systems, because a patch would require rewriting some significant part of the system.
Perhaps microsoft even intended to fix the vulnerability but the blah-blah group asks the metafile group to leave in a workaround (the special values) so they can continue to work on the rest of their component. Maybe then the groups are late to the deadline and forget about that issue in their rush. Or perhaps by this time the group members who knew about the workaround have left and no one knows to go back and remove it. Or maybe this is fixed as part of some larger patch applied to the source tree and when it breaks the build late at night and someone calls the metafile team whoever answers doesn't realize its a security issue and backs out the change but forgets to tell the people who made it.
Whether or not I have the details right the point is clear. There are a hundred innocent ways for this sort of vulnerability to arise. It is silly to jump to the conclusion it is an intentional backdoor.
Re:Yeah... (Score:3, Interesting)
Re:Old coding practises, not conspiracy (Score:3, Interesting)
Most MS coding from this era (and even nowdays) is a bit of a mix. It is compiled as C++, but written in a mostly C style and given external C linkage. It's a weird mix. It did allow some C++ constructs that were disallowed prior to C99, like relaxing the location of variable declarations and such, and tightens up the type saftey a bit. It also allows some other nicities like structs used internally to occassionally have private members, although these more C++ aspects are rarely used. But yes, you are correct that it is primarily C stylistically (and for linkage purposes) but in reality it is C++ written in a way that makes C++ advocates cry.
Re:Another? (Score:3, Interesting)
Stranger things have happened. When a German law enforcement agency forced the developers of JAP (Java Anon Proxy) to put a backdoor in it, they put in code like:
And it was an open-source project. Someone later admitted that they were kind of hoping that somebody would notice it, because they didn't think they could legally expose it themselves. Maybe someone at Microsoft didn't think it was right for the NSA to install a back door, and they had a conscience. Wait, what am I saying? This is Microsoft!
I'm asking "Why?" (Score:3, Interesting)
If the vunerability was an accident it was stupid and it needs to be fixed. I don't necessarily buy Gibson's reasoning but, I can see how he got there and that is enough to be troubling to me.
Did some rouge programmer think "This is a cool idea? and against the rules just stuck it in there? I can't believe that Microsoft gives anyone that kind of autonomy. They have to have far better code review policies than that. That is harder for me to believe than anything else!
Did some group think that this backdoor coupled with some other software could be used for some acceptable purpose in the future? Did someone say "Hey, with some code off of the Genuine Advantage web site we can use this to disable some features on computers that are running pirated software. This is only an example but I hope you get my point. I can see how something like this may be considered and discussed. I'm not so sure it would make it past the lawyers though. Maybe it was started, aborted, and this was a trace that was forgotten about and slipped bye? This sounds a little far-fetched but I have seen useless bits of code left behind in other coding projects. I'd buy something like this even though it sounds like something out of a bad movie.
Did the NSA or some other agency approach Microsoft and ask to have something like this put in their code? We know that they have asked for encryption code before so that they could examine it so maybe this kind of idea isn't so strange? An exploit that the government knows about could give them a significant advantage in cyber-war. Frankly, this sounds like a Tom Clancy wannabe's plot for a novel. But it could happen.
Honestly though all of this stuff sounds like conspiracy-theory stuff to me. My guess is that it is more innocent than all of that. I'd guess the exploit is a leaving. Something that got left behind from some piece of code that simply didn't make the final cut.
I'd just like Microsoft to explain themselves this one time. Completely, thouroughly, honestly. Then they can tell us what they will do to ensure it won't happen again.
MSRC responds: Intentional Back door? um no. (Score:3, Interesting)
http://blogs.technet.com/msrc/archive/2006/01/13/
I emailed Zonk about it but I don't think he's had a chance to update the posting.
Long story short the idea that this is intentional rests on the premise that only an incorrect value produces the vuln. That is totally wrong, both correct and incorrect values trip the vulnerability. Besides doesn't it seem odd to create a backdoor that would require the user to first visit a website? What, were we going to take out a superbowl ad suggesting people visit www.microsoft.com so we could...uh...what exactly?
S.
Re:Plenty evidence....like the backdoor CODE! (Score:1, Interesting)
I've no idea what SuperSystemDefender is, never heard of it. He sells SpinRite [grc.com], a commercial product for system restore and recovery, written entirely in assembly, and it's , been selling it for years, in fact I used it since Win 3.0. Read the reviews - it's an excellent product. He does have a bunch of freeware programs available on his site to test your Windows security. Free, not shareware. He even recommends ZoneAlarm, as one of the few decent firewalls.
As far as hype, I think you're confusing hype, like Microsoft hyping Vista, with real security issues, such as DOS (Denial Of Service). Since when is this hype? I'm curious. Gibson makes alot of squawking, but he backs it up. He found issues with Microsoft's raw sockets [grc.com], and they took it out in SP2 - that was fairly important security fix, wasn't it? I'm curious how that's bomb throwing, when Microsoft went and fixed it. [What I'm really curious about is why folks get so defensive about Microsoft and security. Why attack the whistleblower?] If that's hype, well, more power to the guy. If it helps him sell a few copies of SpinRite, or get a few visitors to his excellent site, so what? I could think of worse things - like spreading FUD, say. Or like selling a product full of security holes, taking a long time to fix them, and furthermore, sometimes not even fixing them.
Re:I would not be suprised at all. (Score:3, Interesting)
Until I see strong reason to doubt his findings, I'll be reading his articles with great interest. To reiterate my previous post, what Mr. Gibson has described is exactly what a backdoor does. It is not a trivial programming task to spawn a new thread and then start that threads execution at the byte following a single invalid wmf record descriptor. Get one of your programmer friends to explain the steps necessary to perform this sequence. If you can't get a good example, then post back here and I'll give you some pseudo code to outline how non-trivial it is and also show how unlikely that this is just a bug.