WMF Vulnerability is an Intentional Backdoor?

An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.

SetAbortProc

[jwegy]

Yeah, SetAbortProc is used for cancelling print jobs. Here is the MSDN documentation: SetAbortProc [microsoft.com]

Steve Gibson is a crackpot

[Sycraft-fu]

Please remember this is the same Steve Gibson who claims to have invented a new amazing "nanoprobe" technology for port scanning which he claims is a first to the world and can do just about everything. Of course turns out to just be specially crafted TCP packets with no payload, which nmap has done since forever.

The guy is a massive alarmist and I wouldn't take anything he says seriously. He loves to cry about the end of the digital world type scenarios, perhaps because he really believes it, or perhaps because it gets him more business.

Please not Gibson again...

[Anonymous Coward]

Steve Gibson is not a security expert

http://www.grcsucks.com/ [grcsucks.com]

Yeah...

[TheAwfulTruth]

Isn't this the same Steve Gibson that was freaking out about how Raw Sockets in XP were going to destroy the world a couple of years ago?

S.G. is a flaming idiot, he looks for (and imagines) ghosts and spooks in every corner. Then flogs his conspiracy theories to promote himself and his buisness. This probably holds about as much water as the "discovery" of cold fusion and Korean human cloning.

Why aren't we reporting on REAL bugs like the 4 security vulnerabilities found in iTunes this week which opens both Windows and Mac users to external attack? Was the Microsoft bashing quota too low this week?

What is becoming of /.?

That seems to be the one

[Anonymous Coward]

PJ posted this story over at Groklaw. Many posts replied that, based on this guy's previous record, his accusations are not trustworthy.

Before I believe this story, I want to see independent confirmation by someone I trust.

Re:KnockKnock

[Anonymous Coward]

The preliminary tester link is posted in the news section of the
discussions at http://www.grc.com/groups/news [grc.com]

http://www.grc.com/miscfiles/MetaFix.exe [grc.com]

This guy is a moron.

[gregarican]

I browsed over several posts on his website and come away with the conclusion that he is a few fries short of a Happy Meal. Here's one posting that I found really amusing:

"Thank you Microsoft for blessing us with a patch to fix the products
you currently sell. The products that compete with Linux and Macintosh.
Excellent job at diverting the our attention away from the fact that
Windows 95, Windows 98, Windows 98SE, Windows Millennium Edition, and
Windows NT4 remain vulnerable. Neat trick convincing people that "the
vulnerability is not critical because an exploitable attack vector has
not been identified that would yield a Critical severity rating for
these versions."

Lemme see here. Windows 95 is 11 years old. Windows 98 is 8 years old. Windows ME is 6 years old. And Windows NT4 is 9 years old. How many other operating systems offer patches and support product versions for software that is that old?

Ridiculous.

Re:Length==1

[atfrase]

Basically, in the header block for a unit of WMF script contains a "length" field which specifies how long the current unit is. This is standard for this sort of file, and is the primary way to avoid buffer overruns (if you force the data to tell you how big it's supposed to be, and then double check that while reading, you make sure you have enough buffer space to store it all -- otherwise you might read too much, overrun the end of the buffer and trash an important function pointer or something..)

In this case, the smallest possible "length" value is 6, because the header itself takes 6 bytes, so even if the unit had no actual data, the length field itself and the unit's command code is a minimum of 6 bytes.

To trigger the exploit, the length must be set to 1. Not 2, 3, 0, or some other equally invalid value, but only the value "1". Any other value has no effect at all.

Would be a Crappy Backdoor

[ErMaC]

While the guy makes some good points, there's one point I think he's overlooking. He claims motive for this would be to allow Microsoft or someone else to get into older/current Windows systems as an intentional backdoor...

If that's the case, they chose a dumb place to put it, because the exploit doesn't even work on Windows 2000 and below without some program installed to handle WMF files. From Larry Seltzer's blog (linked from F-Secure):

http://blog.ziffdavis.com/seltzer/archive/2006/01/ 03/39684.aspx [ziffdavis.com]

Except for Windows XP and Windows Server 2003, no Windows versions, in their default configuration, have a default association for WMF files, and none of their Paint programs or any other standard programs installed with them can read WMF files. One ironic point to conclude is that not until their most recent operating system versions did Microsoft include a default handler - the Windows Picture and Fax Viewer - for what has been, for years, an obsolete file format. And now it comes back to bite them.

That means that unless Microsoft used some OTHER backdoor to install a handler for it, this backdoor is useless. I suspect this is merely an oversight on their part, and that it just ends up looking bad when you view it from the outside. The only way to know is to see the source code and well, we know how likely that is.

A real backdoor would be something remotely exploitable via the network, as opposed to hiding inside a file or something like that.

Re:Government backdoor?

[einhverfr]

The first NSA-induced backdoor that was well documented was in Windows 95/98/ME and NT4 and later. A reasonably good writeup is found at http://www.heise.de/tp/r4/artikel/5/5263/1.html [heise.de] (english).

Needless to say, I am not at all surprised that there might be all sorts of backdoors in Windows that we may never know about. This is a really good reason *not* to use it in any environment requiring security.

Re:Ah, nice Ad-Hominem attack in there...

[undeadly]

IMHO your "debunking steve gibson" site is nothing but a smokescreen to divert the attention from Microsoft's vulnerabilities and backdoors.

In my not so humble opinion, you don't know what you are talking about. Go read some of the links in that site, and you'll see that Steve Gibson is one of the many "security experts" that have no clue but gives dangerous and very wrong "solutions".

Re:Steve Gibson is a crackpot

[Rashkae]

Overlooking that Wine has innadverdantly re-created this 'back door' by following the API spec. This is all by (poor) design, no code back doors involved. Not even a bug, per say, since it's working as designed.

Re:I would not be suprised at all.

[Stripe7]

Someone mentioned on Groklaw that the exploit also exists in wine which just implements the WMF spec.

Re:You're on

[rbochan]

Like that'd be a tough thing to do [grcsucks.com]...

blank admin password

[Mr 44]

Get a clue, troll- if you have a blank admin password, XP prevents ANY remote network access using that account. You are actually more secure with a blank password.

Re:Another?

[monkeydo]

Actually, it's pretty well known that that isn't what happened at all [schneier.com].

Re:Government backdoor?

[monkeydo]

Paraniod speculation. Much like the current story.

Sun and HP for two

[Secrity]

"Windows 95 is 11 years old. Windows 98 is 8 years old. Windows ME is 6 years old. And Windows NT4 is 9 years old. How many other operating systems offer patches and support product versions for software that is that old?"

I know of at least two. Both Sun and HP still provide support or patches for versions of UNIX System V that are older than Windows 98.

Re:Government backdoor?

[Dibblah]

However, the patch was out to WINE before it was out for Windows.

Re:What about wine?

[Deanalator]

The only thing that I can think of would be blind reverse engineering or something. No offense to whoever submitted the code, as Im sure that can be taken as a massive insult (I know I would be annoyed if someone made accusations like that about my code). Maybe the wine developer was just very anal about the specs and didn't realize what could be done with it, but it is a good defensive point for microsoft.

Re:I would not be suprised at all.

[towsonu2003]

Someone mentioned on Groklaw that the exploit also exists in wine which just implements the WMF spec.

http://ubuntuforums.org/showthread.php?t=113611 [ubuntuforums.org]

Jumping to conclusions.

[matman]

Having read the whole thing, I do think that Steve may be jumping to conclusions a bit too quickly.

I think that we ARE talking about the SETABORTPROC vuln that everyone has been talking about; Steve just finds that the vuln doesn't work quite the same way that he was expecting. It seems that Steve is basing his accusation on the fact that he had to set the length field of the code containing WMF record to 1 (an illegal value) in order to get his code to execute. While this seems odd (and sounds like a "magic value"), there is likely a better explanation. Here's one possibility... The advisory from Secunia at http://secunia.com/advisories/18255/ [secunia.com] says that the embedded code executes when any error is detected in parsing the WMF file (not only [or ever?] when canceling printing). Maybe the SETABORTPROC function was originally intended for printing but was overloaded to handle parse error callbacks? Depending on how the parsing code was written, it may treat the invalid length value as such a parsing error, but may have already indexed the the beginning of the code block (since it knows the length of the record header) - it just doesn't know when the code block ends. It can then start executing the code block, even though it is an error in the code block's record that caused the error. I wonder if the code block would execute if the correct length was specified but the NEXT record in the WMF contained a similar error (like an invalid length field).

He may very well be correct that someone has intentionally included this mechanism as a backdoor, but he is being premature in making such claims without first consulting the people who have a lot more experience with this vuln than he does. By the way, MS gives access to their source code to a LOT of outside parties - I'm sure that Steve could have found someone to take a look for him.

I don't mean to make an ad hominem attack (this podcast is actually fairly accurate - just jumps to conclusions), but Steve isn't exactly known for being a respected researcher in the security industry - he's a bit of a poser and sensationalist/alarmist. My gut feel is that Steve is continuing on his sensationalist streak, jumping to conclusions and trying to drum up more excitement. He frequently hypes issues to crazy levels and tries to make himself look like a hero/expert. In fact, he usually offers little insight and often tries to pass off regurgitation (often inaccurate) as original research. Just listen to him in this recording talking about "rolling up his sleeves" and "wrote all my own code", etc. Look up his stuff on nano-probes (http://grc.com/np/np.htm [grc.com]) for some funny stuff. I am a security professional and can tell you that much of his writing is BS and/or hyped/obfuscated wording for technologies and techniques that have been in common usage for years and years before he writes about them. I just can't help but take Steve's claims with a grain of salt.

Re:Government backdoor?

[einhverfr]

First you have to understand what the ramifications of this are likely to be.

The NSA is (in theory at least) legally forbidden to spy on Americans. Their main mission involves cryptoanalysis (codebreaking) and signal intelligence. So they spend a lot of time in foreign countries evesdropping on cell phone calls and the like. They have also been very much involved in the development of computerized cryptography (witness their role in the creation of DES). In this latter case, they have probably attempted to balance their interests in codebreaking with the legitimate interests in algorythmically secure encryption (i.e. make DES algorythmically secure, but shorten the key so we can break it if we really have to).

The rise of independant professional cryptography organizations, like RSA, Inc. has created a very serious problem for the NSA in this regard. In general, most of these new systems use variable length keys and are highly peer reviewed for attack potential. So the NSA cannot count on being able to brute force decrypt a document within a reasonable timeframe in the event of a clear and present need to decrypt the information.

Therefore, I believe that most of these are there to allow the NSA to bypass the encryption algorythms in Windows and allow them to access the information without having to attack the encryption. This would make reasonable sense given the NSA history.

Now, I see *no* reason to suppose that the NSA has anything to do with the WMF exploit. Instead, I suggest that this is likely to be a backdoor either put in place by a developer, at the request of a partner (such as the RIAA), etc. This backdoor has *nothing* to do with anything the NSA typically gets involved in, so I think even the most paranoid analysis can rule them out. Instead, this is just a strange attempt to allow the Media Player to be subverted and used in what ever way an attacker decides.

Now, Microsoft's response to this has been inadequate (they only grudgingly developed a patch), which suggests that this backdoor had the blessing of the company, much like the response to the Sony DRM rootkit which was undetected by agreement with First4Internet. Lest I appear to be too hard on Microsoft, I found Symantec's response ("Oh, we will start removing it" when First4Internet claims they were working with Symantec to ensure that it would not be removed) to be far less trustworthy.

Anyway, there is enough doubt in my mind about Microsoft's goodwill on these areas that I would not suggest running Windows in any environment that absolutely requires security. The system has fundamental design flaws from a security point of view, and these problems continue to underscore either serious development issues at Microsoft or an attitude that the security of the customer is not really that important.

Re:Steve Gibson is a crackpot

[RShearman]

The Wine bug was a different bug. The SetAbortProc record specifies a pointer to a function which will be executed at a later point, and which it would be difficult to set to arbitrary code in the WMF itself, whereas this bug appears to be creating a thread which immediately runs starts executing the instruction at the next byte in the meta file.

Re:I would not be suprised at all.

[mohaine]

I thought this as well, but if you RTFA, you would see that Gibson doesn't think the SetAbortProc WMF exploit works the way it should.

According to the docs, SetAbortProc should provide a pointer to callback function that is called when a print is aborted. This in itself sounds like a security hole, but it could only be fired if the print is canceled, and then it can only run a preexisting callback method, not arbitary code.

According to Gibson, if you call SetAbortProc with a special key, it will instantly start running arbitary code from within the WMF. No cancelled print or preexisting method calls are requried.

If Gibson is correct, this bug is much different then how it looks on the surface.

Re:Who DOCUMENTS their evil backdoor?

[RShearman]

Wine has a different bug related to the SETABORTPROC record, but with a valid length field, not the special behaviour with a length of 1 described in the transcript.

Re:Length==1

[StarDrifter]

For me, that length==1 trigger is the most convincing evidence.

It might have been convincing if it were true. The vulnerability checker [hexblog.com] from Ilfak Guilfanov's site uses length==17 to trigger the exploit (Look in the wmfhdr.wmf file in the source zip. The length is a little-endian DWORD at offset 0x12.)

The Metasploit module [metasploit.com] uses a length of 4. Check out the following snippet:

    #
    # StandardMetaRecord - Escape()
    #
    pack('Vvv',

        # DWORD Size; /* Total size of the record in WORDs */
        4,

        # WORD Function; /* Function number (defined in WINDOWS.H) */
        int(rand(256) << 8) + 0x26,

        # WORD Parameters[]; /* Parameter values passed to function */
        9,
    ). $shellcode .

I think Steve Gibson is confused.

Re:Wine proves TFA wrong

[spitzak]

Apprently WINE does not have this length==1 bug. It has the documented bug, which is "the next 4 bytes of this file are interpreted as a pointer to jump to if you abort printing", which is bad, but not exactly this.

I'm not really buying this guys explanation, however. Software errors can have very strange side effects. Probably the short length causes it to reuse (rather than overwrite) the contents of some buffer as the code pointer, and that buffer just happens to contain a pointer to the next record of the metafile, and the length is also considered an error by some other code and thus triggers an "abort". A length of zero is detected and skipped correctly, while lengths of 3 or 4 overwrite enough of the pointer so that it does not work, making this 1 case the only one.

Re:I would not be suprised at all.

[jez9999]

Furthermore, if Gibson is so sure of himself, why isn't his own test utility available to everyone?

Eh? I just downloaded it, it's linked to from here [grc.com].

Re:Government backdoor?

[man_of_mr_e]

Actually, Bruce Schneier's analysis is somewhat different.

http://www.schneier.com/crypto-gram-9909.html#NSAK eyinMicrosoftCryptoAPI [schneier.com]

The fact is, the majority of the people making claims about this don't even understand what it does. The majority of the speculation isn't possible. It doesn't give anyone (Not even Microsoft, much less the NSA) a backdoor into your computer.

Re:blank admin password

[John Newman]

Hmmmn, thats an interesting band-aid.

Must be a pretty recent band-aid, too, since I deloused an XP computer exactly one year ago that had a blank admin account password, and which had been pwned by a worm that spread precisely by trying to log into everything it could see using administrator/[blank].

Re:Government backdoor?

[ray-auch]

You have some wierd definition of "before".

Official, tested, binary patch for Windows released on 5th Jan. Unofficial & leaked-official patches were out even before that.

WINE was patched in CVS on the 6th.

Checking in a change to source is a long way off a tested patch release, as demonstrated by Crossover Office releasing the fix on the 10th.

My belief is that Open Source is usually patched quicker - but not this time. One suspects that at least some of the "many eyes" normally on the code were too busy laughing and pointing at MS to check if they too had been caught with trousers down.

Re:Wasn't it actually DES?

[Ashinberry]

Actually the changes suggested by the NSA increased the strength of DES rather than decreasing it.

http://www.schneier.com/blog/archives/2004/10/the_ legacy_of_d.html [schneier.com]

Re:Another?

[Nynaeve]

Did you not even read your own article? It's not a registry key -- it's a signing key. Furthermore, the key exists and can be replaced with a known key-pair. You can't know it's "paranoid fantasy" or "urban legend" any more than a tinfoil hat can prove it isn't.

Therefore, any objective judgement must be based on the fact it exists, regardless of how it got there. Arguing about whether it was specifically for clandestine NSA activity is pointless, but I don't like the fact these sorts of things exist.

From this page [heise.de] linked from another comment [slashdot.org]:

The NSA key inside CAPI can be replaced by your own key, and used to sign cryptographic security modules from overseas or unauthorised third parties, unapproved by Microsoft or the NSA. This is exactly what the US government has been trying to prevent. A demonstration "how to do it" program that replaces the NSA key can be found on Cryptonym's [extern] website.

Re:I would not be suprised at all.

[LinuxGeek]

I'll safely assume that you didn't RTFA since you don't already know what I going to tell you.

What Steve initally found was that he had a hard time getting the SETABORTPROC function to execute wmf embedded code as he had read the vulnerability was allowing. After looking at some of the exploit code that was available, he started experimenting with illegal wmf record header sizes and one ( and only one) illegal record size would actually prompt windows to spawn a new thread and then start executing the bytes within the wmf data stream directly. The SETABORTPROC supplied code entry point is completely ignored.

This behaviour will allow remote execution of arbitrary code on unpatched systems.

Gibson saved your ass, thank him

[Anonymous Coward]

but instead they like to make spurious accusations that it is a 'backdoor' so they get more hits to their website.

Uh, you obviously don't know Gibson. He's not some idle slashdotter, he's a hacker in the true sense of the word, does all his coding in assembly, and is seriously familiar with the internals of windows, as a long-time Windows user.

The point everybody here is missing, as all the Microsofties come out of their holes, and take a break from patching their systems, is that Gibson is not saying Microsoft is spying on you dimwits (although who knows, maybe they can) - he's merely saying this is a backdoor - he hasn't a clue why they put it there - but - and get this straight - it _is_ a backdoor. RTFA. Who wrote it, why, well never know, that's the problem with closed source.

Re:ENOUGH. Gibson was right about raw sockets.

[Russellkhan]

"(originally posted as AC because I'd moderated; however, even posting as an AC, the code retroactively undid my moderation. Didn't know that would happen. A little warning, Slashcode?)"

I believe that's intentional. I think some people get around it by either logging out and posting AC logged out or by using a whole 'nother browser, again, not logged in. Can't really say for sure, I haven't tried it.

I probably should post this AC, since it's pretty far from on-topic for the story, but I prefer to be able to know if someone replies to my posts, even if they're OT.

Gibson wrong yet again.

[mkraft]

His conclusions once again are completely incorrect.

See the following post for why this occured.

http://blogs.technet.com/msrc/archive/2006/01/13/4 17431.aspx [technet.com]