XnView crashes with *.wmf-exploit-image

Bugs found in XnView Classic. Please report only one bug per topic!

Moderators: helmut, XnTriq, xnview

bloodflash

XnView crashes with *.wmf-exploit-image

Post by bloodflash »

Testcase:
http://www.heise.de/security/dienste/br ... wmfexp.php

This URL loads a test image for the Windows WMF vulnerability from the German IT magazine "c't".
This image forces XnView to crash immediately on my W2kSP4 system.
Danny
Posts: 578
Joined: Sat Sep 04, 2004 5:09 pm

Post by Danny »

Well, in this case, that's better than executing the embedded code at least.
Guest

Post by Guest »

But some users won't recognize the reason. And when a similar image is saved in the XnView standard-startup-folder such a user can't use XnView any more!
helmut
Posts: 8704
Joined: Sun Oct 12, 2003 6:47 pm
Location: Frankfurt, Germany

Post by helmut »

Danny wrote: Well, in this case, that's better than executing the embedded code at least.
Does XnView crash before executing the code or after? (Maybe a dumb question, I'm not deep in the WMF exploit discussion).
ckit
XnThusiast
Posts: 2583
Joined: Tue Feb 17, 2004 1:11 am
Location: QLD, Australia

Post by ckit »

None of you should be discussing this until Microsoft has released their patch on Tuesday 10th Jan.

Win2000 users:
From the command line, type "regsvr32 -u c:\winnt\system32\shimgvw.dll"
and press Enter. Any other bugs will have to wait for now.
AMD Ryzen 3 3300X 3.8Ghz, 16Gb DDR4, RX6600XT with Dell U2520D at 2560x1440@60Hz scaling 125%
Win11 x64 24H2, Hard Disk Sentinel Pro, MS PowerToys, Process Lasso Pro and Wintoys
Guest

Post by Guest »

regsvr32 -u %windir%\system32\shimgvw.dll
Does not help. At least not on my W2K system. The German magazine c't has published a test for this exploit (which will run calc.exe) and calc.exe is executing when opening the test file with XnView (even after running the above line).

IrfanView simply complains about an invalid file format. I will switch to IrfanView until this has been solved :)
robc
Posts: 164
Joined: Mon Nov 14, 2005 12:53 pm

Post by robc »

It's obvious that it's no use unregistering the DLL in this case: doing that just disables standard opening and processing of a WMF file saved on a disk; if you've associated image files with other applications than Windows Picture and Fax Viewer, the result depends on that application's behavior. The flaw lies in gdi32.dll, which is at the core of the Windows graphics subsystem, so any and all apps using standard APIs for WMF processing (thumbnailing, indexing, opening etc.) may be vulnerable... not to speak of the fact that browsing to a page containing a malicious WMF may be enough to get hit, since of course the browser doesn't use that DLL to render WMFs.
Guest

Post by Guest »

How do you stop it? Firefox seems to open WMF for me in WMP. :( Could a PAC file work, going to Options > File Types and removing anything that opens WMF?
Drahken
Posts: 884
Joined: Sun Apr 10, 2005 4:29 pm

Post by Drahken »

You can use a PAC file to block any file with the .wmf extension, although that won't help if they rename the file to "worm.jpg" or "worm.png" or some such.

Go to about:config and search for "ask"; you should find 3 entries:
browser.helperApps.neverAsk.openFile
browser.helperApps.neverAsk.saveToDisk
browser.helperApps.alwaysAsk.force

Edit the openFile one and make certain to remove any wmf entries. Now add WMF to one of the other 2 (always ask is safer, but saveToDisk should be safe as well).
Oh the feuhrer, oh the feuhrer, oh the feuhrer's nipples bonk!
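
The PAC-file approach described in the post above, as an added example that is not part of the original thread: a `FindProxyForURL` that sends any URL whose path ends in `.wmf` to a dead proxy, and lets everything else through. The blackhole address `127.0.0.1:9` and the helper names are assumptions, and the code assumes the browser passes the full URL (path included) to the PAC script. As the post says, a renamed file such as "worm.jpg" is not caught.

```javascript
// Added example, not from the thread. Blackhole address is an assumption:
// nothing should be listening on the local discard port, so the request fails.
var BLACKHOLE = "PROXY 127.0.0.1:9";

// Strip scheme, host, query string and fragment; return the lower-cased path.
function urlPath(url) {
  var rest = url.replace(/^[a-z][a-z0-9+.-]*:\/\/[^\/?#]*/i, "");
  return rest.split(/[?#]/)[0].toLowerCase();
}

// True when the URL path ends in ".wmf", in any letter case and also
// when the extension is percent-encoded (for example "%2Ewmf").
function looksLikeWmf(url) {
  var path = urlPath(url);
  try {
    path = decodeURIComponent(path).toLowerCase();
  } catch (e) {
    // Malformed escape sequence: fall back to the raw path.
  }
  return /\.wmf$/.test(path);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return looksLikeWmf(url) ? BLACKHOLE : "DIRECT";
}
```

This filter only looks at the URL, so it complements, and does not replace, the helper-application settings described above.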