WMF vulnerability. New info.

[phillip4213x]

New info. Potential bombshell. Go to http://www.twit.tv/ and listen to "Security Now" with Steve Gibson and Leo Laporte. Latest info about WMF windows issue.

 

[Nothinman]

Steve Gibson is a tool, I wouldn't listen to anything he has to say on any subject.

 

[P0ldy]

Since he thinks it's an "intentional backdoor" by MS, I can see what you mean. But, why else do you say that? I've never heard of this guy.

 

[phillip4213x]

Why not? It's pretty interesting. Tool of what?

 

[phillip4213x]

go to grc.com. All about Steve Gibson.

 

[Nothinman]

Why not? It's pretty interesting. Tool of what?

Tool of his own stupidity. Tool is derogatory slang, it's just another way of saying he's an idiot.

His previous rants on the raw sockets in XP were uninformed and stupid. He writes all of his apps in assembler for absolutely no reason. It's too bad too, cause some of the topics he covers are important, but he always puts an idiotic, radical spin on everything.

 

[stash]

That moron has no respect in the security community whatsoever. If you get a so-called security expert quoting Steve Gibson, run as far away as you can.

 

[n0cmonkey]

Damnit, someone was telling me about this earlier and I was thinking William Gibson. :|

 

[spyordie007]

Originally posted by: P0ldy
Since he thinks it's an "intentional backdoor" by MS, I can see what you mean. But, why else do you say that? I've never heard of this guy.

I dont have any reason to believe that his intentions are bad, he's just overly fanatical about things that sometimes really just dont matter...

 

[LemonHead]

Actually, the guy is pretty damn smart! Sure he's a bit eccentric, but in pretty much all cases he is right-on with his assessment of discussed topics. And as for the Raw Sockets, he was proven correct on his standpoint. Microsoft eventually removed Raw Socket support from XP after it became apparent that it was, in fact, being exploited as Steve had said would happen.

As for coding in assembler it's his choice. Who are we to say what is and is not and acceptable language to use? I have to say that in this day of apps that are "bloat-ware" his stuff is quite small and well coded. I think everyone who bashes him does so out of ignorance.

 

[Nothinman]

And as for the Raw Sockets, he was proven correct on his standpoint. Microsoft eventually removed Raw Socket support from XP after it became apparent that it was, in fact, being exploited as Steve had said would happen.

Please tell me where/how they were exploited. Worst case they let you craft some invalid packets that won't make it past the local subnet. And raw sockets are incredibly useful for low level things like DHCP clients and they requird administrative rights to use. They were properly secured from their inception, the fact that most users ignore the security provided by MS is irrelevant. I mean really, libpcap is available for Windows, if an attacker want to use raw sockets he knows he needs admin rights anyway so the extra step of installing libpcap isn't going to slow him down.

Who are we to say what is and is not and acceptable language to use?

Those of us who care about security, as he pretends to do. It doesn't take a genious to realize that languages like C and asm are prone to buffer overflows and need to be audited with a fine toothed comb to be even remotely sure there isn't a problem. Sure it's his time to waste writing it, but I'll never run any of his software.

I think everyone who bashes him does so out of ignorance.

s/bashes/supports/

 

[LemonHead]

Originally posted by: Nothinman

And as for the Raw Sockets, he was proven correct on his standpoint. Microsoft eventually removed Raw Socket support from XP after it became apparent that it was, in fact, being exploited as Steve had said would happen.

Please tell me where/how they were exploited. Worst case they let you craft some invalid packets that won't make it past the local subnet. And raw sockets are incredibly useful for low level things like DHCP clients and they requird administrative rights to use. They were properly secured from their inception, the fact that most users ignore the security provided by MS is irrelevant. I mean really, libpcap is available for Windows, if an attacker want to use raw sockets he knows he needs admin rights anyway so the extra step of installing libpcap isn't going to slow him down.

Quote from Microsoft: "We have removed support for TCP sends over RAW sockets in SP2. We surveyed applications and found the only apps using this on XP were people writing attack tools."

Who are we to say what is and is not and acceptable language to use?

Those of us who care about security, as he pretends to do. It doesn't take a genious to realize that languages like C and asm are prone to buffer overflows and need to be audited with a fine toothed comb to be even remotely sure there isn't a problem. Sure it's his time to waste writing it, but I'll never run any of his software.

What does coding in Assembly have to do with security? I'm just saying that he can use whatever he wants.

I think everyone who bashes him does so out of ignorance.

s/bashes/supports/

 

[Nothinman]

Quote from Microsoft: "We have removed support for TCP sends over RAW sockets in SP2. We surveyed applications and found the only apps using this on XP were people writing attack tools."

So? That doesn't prove they've ever been exploited. I can think of a half dozen tools that I use on Linux that use raw sockets for legitimate purposes and most of them have Windows ports. And as I mentioned, I'm sure those people writing attack tooks just switched to using libpcap. I bet it didn't cause them more than 15 minutes of work.

What does coding in Assembly have to do with security? I'm just saying that he can use whatever he wants.

Have you ever tried working with strings in assembly? It's like asking for someone to overflow a buffer for you.

 

[n0cmonkey]

http://www.grcsucks.com

Cloaking your ports is retarded.
Raw sockets aren't a threat.

 

[LemonHead]

Originally posted by: n0cmonkey
http://www.grcsucks.com

Cloaking your ports is retarded.
Raw sockets aren't a threat.

That site is retarted.

 

[n0cmonkey]

Originally posted by: LemonHead

Originally posted by: n0cmonkey
http://www.grcsucks.com

Cloaking your ports is retarded.
Raw sockets aren't a threat.

That site is retarted.

Which part in particular. I've gone over why cloaking your ports is the stupidest idea in the world before on this site, at least be a bit more verbose.

Also, please list the applications exploiting raw sockets that cannot utilize winpcap and prove that they are evil (despite the fact they've been available on advanced OSes for a while now). Thanks! :beer:

 

[Nothinman]

That site is retarted.

If by 'retarded' you mean it contains articles and links to articles that clearly explain why Steve Gibson is clueless, then I guess you're right. The only thing I don't really like about it is that a lot of the articles are hosted offsite and were written by a lot of different people so the tone, quality and writing styles of them vary greatly.

 

[Mark R]

That interview is hilarious.

This flaw could so easily just be a simple programming bug, but Gibson just can't see it. He just goes on and on that this must be a deliberate backdoor.

This is how I see the flaw working - nothing malicious, just failing to check values that could lead to code execution.

Failing to check that a 'length' parameter is valid - performing arithmetic on that invalid length, and therefore exposing a variable internal to your program to the SetAbortProc function. What if that internal variable is a pointer to the next byte in the WMF? Since this function is meant to be a callback from a driver - it pretty much has to get its own thread spawned. If an invalid address is specified (length of 0,2 or 3) the thread spawning will fail and the driver will silently carry on with its normal work.

But why use have a command in the WMF spec that is meaningless?

Again, it's just sloppiness - WMF is a way of recording all the actions used to draw some text/graphics on a 'Page' (actually something called a Device Context). To keep things simple WMF includes every command that a DC has, whether they are relevant or not.

 

[CQuinn]

Plus this would have to be the stupidest backdoor in the history of hacking.

Microsoft already has a half dozen <b>legitimate</b> means of gaining acess to a system, any of which would be
a much more logical candidate for building "backdoor" codes into.

 

[Nothinman]

Microsoft already has a half dozen <b>legitimate</b> means of gaining acess to a system, any of which would be
a much more logical candidate for building "backdoor" codes into.

Huh?

 

[spyordie007]

Please tell me where/how they were exploited. Worst case they let you craft some invalid packets that won't make it past the local subnet. And raw sockets are incredibly useful for low level things like DHCP clients and they requird administrative rights to use. They were properly secured from their inception, the fact that most users ignore the security provided by MS is irrelevant. I mean really, libpcap is available for Windows, if an attacker want to use raw sockets he knows he needs admin rights anyway so the extra step of installing libpcap isn't going to slow him down.

I agree, if Gibson were really as big on security as he claimed he would have been going after users for running as a local admin rather than going after Microsoft as though this is their issue.

He'd be better off writing one of his little apps that give bright red letters stating "YOU ARE AN ADMIN" if you are logged in as a local admin

Microsoft already has a half dozen <b>legitimate</b> means of gaining acess to a system, any of which would be
a much more logical candidate for building "backdoor" codes into.

Are you trying to be funny?