WMF, one year later

According to the eEye Zero-Day tracker the infamous Windows Metafile (WMF) exploit (CVE-2005-4560) was disclosed Dec. 27th 2005 (where they seem to be considering disclosure to be this BugTraq message). I have been wanting to write a little bit about this even though it's a year old, since it is in some sense archetypical of the year that would follow. Therefore it seems appropriate for me to write something up on its one year anniversary. It was not the first major IE flaw by any means, but it was one of the first major vulnerabilities which was found being exploited in the wild. While I was refreshing my memory to get my facts straight, I came across a nice little timeline of browser vulnerabilities on the Washington Post Security Fix blog here which covers . This gives you a sense of the vulnerabilities which were being found, disclosed, and patched in the year leading up to the WMF vulnerability, but it also shows that before this, the majority of flaws were not being found in active malware. While the definition of a zero-day is the disclosure (by whatever means) of a vulnerability before a patch is available (or by original usage, on the day of a patch being made available, hence the name), it is clearly more disastrous when its disclosure is not someone posting it on a security mailing list, but instead someone stumbling across it while analyzing new, live malware.

At the time some people were running about wondering how a worm would or could be constructed from this client-side exploit. Of course, botnets were already ramped up and therefore they were the primary users of the exploit, along with less sophisticated standalone spyware installs. (This prompted a Full-Disclosure thread titled "Someone wasted a nice bug on spyware..." ;) Of course, few people realize just how much money can be made by mass installs of spyware which pay "referral" bonuses.)

How did the exploit work?

For more information about the WMF format itself and a little history, you can see this Wikipedia article. But I would like to show a nice video (.wmv file) of the exploit in action, courtesy of WebSense. I like it a lot. It reminds me of a bug trapped in amber. :) Anyway, fundamentally it was a library vulnerability in the Graphical Device Interface library (GDI32.dll) which meant that anything which was capable of opening .wmf files was exploitable, and since IE used it as one of the filetypes it would auto-display (by making the vulnerable library calls) it was a particularly obvious target. Another fact which came out of the mix was that even if the file extension was changed to something seemingly innocuous such as .jpg or .zip, its filetype would still be correctly determined based on the "magic numbers" at the beginning of the file. This meant that it could bypass filters when corporations were trying to stop people sending it via email or via application-level firewalls/proxies as well.
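The magic-number point above is exactly what a defensive content filter has to rely on. As an added example (not from the post, nor from any product it mentions), this Python sniffs the header rather than trusting the extension and flags a mismatch; the WMF, JPEG and ZIP header constants are well-known format values rather than something the post states, and the sample bytes are constructed.

```python
import struct

# Well-known header constants (not taken from the post). A placeable WMF
# starts with the key 0x9AC6CDD7; a plain METAHEADER starts with
# mtType (1 or 2), mtHeaderSize (9) and mtVersion (0x0100 or 0x0300).
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7, little-endian
JPEG_SOI = b"\xff\xd8\xff"
ZIP_LOCAL_HEADER = b"PK\x03\x04"

EXT_MAP = {"wmf": "wmf", "jpg": "jpeg", "jpeg": "jpeg", "zip": "zip"}


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the file name entirely."""
    if data[:4] == PLACEABLE_WMF_KEY:
        return "wmf"
    if len(data) >= 6:
        mt_type, header_size, version = struct.unpack("<HHH", data[:6])
        if mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data.startswith(ZIP_LOCAL_HEADER):
        return "zip"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the content actually is.

    'block' is True whenever the content is a WMF, whatever the name says;
    'mismatch' flags any renamed file so it can be logged or quarantined.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_MAP.get(ext, "unknown")
    actual = sniff_type(data)
    return {"claimed": claimed, "actual": actual,
            "block": actual == "wmf", "mismatch": claimed != actual}


# Constructed samples: a placeable WMF header renamed to .jpg, a standard
# WMF header renamed to .zip, and a genuine-looking JPEG start.
SAMPLE_WMF_AS_JPG = PLACEABLE_WMF_KEY + b"\x00" * 18
SAMPLE_STD_WMF_AS_ZIP = struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12
SAMPLE_REAL_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in [("holiday.jpg", SAMPLE_WMF_AS_JPG),
                       ("report.zip", SAMPLE_STD_WMF_AS_ZIP),
                       ("photo.jpg", SAMPLE_REAL_JPEG)]:
        print(name, check_attachment(name, blob))
```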

What made WMF special?

This is the crux of the issue: Technologically, nothing made it special. Image exploits had been found in the past which could do the exact same thing this could. For instance, consider CVE-2004-0200; it was an exploit for JPEG images, which are obviously more ubiquitous and seemingly safe. The difference between this and the WMF exploit? This was GDIPlus.dll and WMF was GDI32.dll ;). eEye had found multiple vulnerabilities in the same library just months before. Even exploits for IE itself (not relying on any additional library) were known prior to this as well. As far as I can tell (and I may be wrong), the only thing that made this such a big ruckus at the time was the fact that it was a literal "found in the wild" exploit, which were genuinely rare at the time. Compare that to the whole of 2006, when the same type of exploits were routinely being found in IE or MS Office, and I feel like we've almost been anesthetized to the full danger of such vulnerabilities by their seeming ubiquity. Take a look at that zero-day database link at the top again and scroll all the way down to the bottom. What you see is a 2003 one, then a 2005 one, then WMF, and then a ton of zero-days in 2006, largely client-side exploits. Although work on the MITRE HoneyClient project was begun well before the WMF exploit ever saw the light of day, this year has clearly proven its necessity as a tool for finding client-side exploits.