MS04-028 exploits released!


19 replies to this topic

#1 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 23 September 2004 - 11:02 AM

FYI...from the Internet Storm Center:

- http://isc.sans.org/...date=2004-09-23
Updated September 23rd 2004 16:30 UTC
"This is a preliminary diary, and will be updated throughout the day, as the situation warrants, due to the possibility of a rapidly emerging exploit, or worm, we are releasing this early.

Over the last 24hrs, several exploits taking advantage of the JPEG GDI vulnerability (MS04-028) have been released. We expect a rapid development of additional exploits over the next few days. Tom Liston has put together a scanner, which will scan your systems for vulnerable versions of the GDI libraries; you can get it at:
- http://isc.sans.org/gdiscan.php
This program should have an MD5 checksum of (91ff45c6158e77eb57fbf6fbe38f05d1). Several non-microsoft programs include versions of GDI libraries which are vulnerable to exploitation. Using this tool you can identify programs which may be vulnerable, and attempt to obtain updates from the software developer..."

.
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#2 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 24 September 2004 - 01:24 PM

Another interesting (and long) read, related to this:

- http://www.sarc.com/...tent/11173.html

...since the validity of the -MS- tool ( http://www.microsoft..._jpeg_tool.mspx ) is questionable on some systems.


:ph34r:

#3 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 24 September 2004 - 03:28 PM

FYI...

- http://www.techweb.c..._section=700028
September 24, 2004
"A tool that makes it easy to craft malicious JPEG images then let them loose against vulnerable Windows PCs has appeared, security experts said Friday, leading many to believe an MSBlast-style attack may not be far in the future...Panda Software...said that the tool was a solid clue that a worm exploiting the vulnerability was "imminent"...With a worm and full-scale attack looming, users should patch vulnerable systems immediately. Windows and numerous applications are vulnerable..."
- http://www.pandasoft...px?noticia=5494

:ph34r: :ph34r: :ph34r:

Edited by apluswebmaster, 24 September 2004 - 03:54 PM.


#4 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 27 September 2004 - 11:55 AM

FYI...from the Internet Storm Center:

- http://isc.sans.org/...date=2004-09-26
Updated September 27th 2004 13:11 UTC
"GDI Vulnerabilities: An open letter to Microsoft

Dear Redmond Folks:

...MS04-028 is, perhaps, the epitome of bad technical writing -- the literary equivalent of spaghetti code. I’ve read through it far too many times, and I still understand far too little. Your “GDI Scanning Tool” is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat. [Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]

What about those old gdiplus.dll files that we’re all finding in our Side-By-Side DLL directories? Are they a problem? Why are you updating sxs.dll? Is there vulnerable code in there, or did you just rig it to avoid using the bad code in older versions of gdiplus.dll? (Hey, if you had asked me years ago, I would have told you that this was a serious problem with your Side-By-Side implementation.) When a third party vendor wants to distribute a Microsoft DLL with their product, don’t they have to get permission from you? Wouldn’t there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?

Please stop treating your customers like idiots and give us information; information that we can use. In other words: Turn on the lights and open the door. We’re ready to come back upstairs now.

-TL "


(I don't think it's possible to improve on that...well said, Tom!)

#5 sun
  • Full Member
  • 75 posts

Posted 27 September 2004 - 02:37 PM

Interesting info, have done the scan and found several file vulnerabilities. Is this one patch, KB833987, a fix-all for Windows XP vulnerable program files? The more I read the more confused I get. I look forward to advice. Or did I post to the wrong area? I apologize if I did.

#6 sun
  • Full Member
  • 75 posts

Posted 27 September 2004 - 08:05 PM

Well I have tried the patch for JPEG exploit and tried the GDI Detection tool and both come up with no remedies or direction of suggested process. NOTHING...just frustration. What is M$ not doing?????????????
Have any other members tried these out?
I have spent 2 days trying to get rid of my vulnerable program files, doing searches etc. and dead ends at every turn.
My family believe that I am the one that has become vulnerable to this virus and they may indeed be correct.
One can't spend their whole days before a rectangular screen and not start wondering to themselves what makes one do this. All just to keep up with insufficiencies of programs that I have spent hard earned ca$h on????????
I would appreciate members' comments and experiences. Thank you

Edited by sun, 27 September 2004 - 08:06 PM.


#7 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 28 September 2004 - 06:11 AM

... The more I read the more confused I get

...as do the rest of us, hence the "Open Letter..." from the ISC. You'll just have to wait like the rest of us. 'Lots of company, though. You can stay up-to-date by checking http://isc.sans.org/ regularly.


:ph34r:

#8 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 28 September 2004 - 02:59 PM

FYI...

JPEG Exploit Hits Usenet, Worm Close Behind
- http://www.techweb.c..._section=700028
September 28, 2004
"An exploit attacking the most recent Windows bug is circulating on Usenet, security experts said Tuesday, that crashes machines, yet another indicator that attackers will chase the vulnerability until they've launched mass mailing-style worm-based attacks. According to the Bugtraq security mailing list, malicious JPEG images have been posted to several adult newsgroups on Usenet. When viewed, these JPEG images crash unpatched Windows XP and Windows 2000 PCs, said the Internet Storm Center in an online advisory. The images tried to download a backdoor Trojan to the victim systems, but were so poorly coded that all that they did was cause a crash..."
- http://isc.sans.org/...date=2004-09-27
MS04-028 Public Exploit Attempts...


#9 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 29 September 2004 - 05:44 AM

FYI...

AIM - gdi exploit
- http://isc.sans.org/...date=2004-09-28
Updated September 29th 2004 04:32 UTC
"Lawrence Abrams has created a step by step end user documentation for the gdiscan.exe scan tool by Tom Liston.
- http://www.bleepingc...topict3077.html

Many people have asked what to do about dlls being reported as vulnerable to MS04-028. Currently we are recommending they contact the vendor of the product that installed the dll. Some people have had fairly good results copying a non-vulnerable dll over the top of the vulnerable one. If you choose to do that please first backup the vulnerable dll in case your software relies on that specific version of the dll...

The handlers have received several reports that AIM messages are being used to entice users to download and view jpegs that match current signatures for the GDIplus.dll exploit. The basic method is to attach GDI exploits to profiles on AIM. The attacker then sends messages to get the user to go look at the user profile that has a jpg with the gdiplus.dll exploit in it. This is the message being seen "Check out my profile, click GET INFO!"...

We were alerted by Chris Mosby, to two new trojans that exploit the GDIPlus.dll. http://www.sarc.com/...trojan.moo.html Trojan.Moo is a Trojan horse program that exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028).

- http://www.sarc.com/...kdoor.roxe.html Backdoor.Roxe is a backdoor Trojan horse program that exploits the Microsoft GDI+ Library JPEG Segment Length Integer Underflow Vulnerability (described in the Microsoft Security Bulletin MS04-028).

A new version of bagle is spreading fast. The From address is spoofed so any SMART antivirus mail portals will NOT respond with "you sent us a virus message".

The subjects seen so far appear to be responses to a email.

RE: blank, hello, thank you!, thanks :), hi

The body of the message is a smiley :) or :))

Attachments have an extension of .exe, .src, .com or .cpl, and the first part of the name is joke or price. We have received several copies of bagle.az.mm. Who keeps changing the version number between AV vendors so no one really knows which version any given vendor detects..."

.

Edited by apluswebmaster, 29 September 2004 - 03:59 PM.


#10 Cloudcroft
    TAMU '76
  • Full Member
  • 38 posts

Posted 29 September 2004 - 11:17 AM

Last night I saw the posts concerning this exploit, so I downloaded and ran GDIScan.exe. It pointed out vulnerabilities on my computer, so I went to the Microsoft website and did a search for the exploit. I downloaded several patches, and reran the scan. Still had several vulnerable dll's. Ran windows update, found a new version of .Net Framework and the GDI detection tool. After downloading those, the detection tool directed me to the webpage concerning the vulnerability, which directed me to run Office Update. I did everything it recommended, it said I didn't need any updates, but when I run GDIScan, it says I still have vulnerable dll's in Microsoft products. I believe one was in Microsoft Office, or Works. (working from memory). How do I fix that?

#11 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 29 September 2004 - 12:19 PM

...How do I fix that?

You may have missed this in the "Open letter to Microsoft" (see above post in this thread):

...Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat. [Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]...Please stop treating your customers like idiots...

...waiting on M$ to respond with some answers. Even the ISC is waiting. So it appears we all have to.

However, in the post made just prior to yours is something that -might- work for you:

...- http://isc.sans.org/...date=2004-09-28
Updated September 29th 2004 04:32 UTC
"Lawrence Abrams has created a step by step end user documentation for the gdiscan.exe scan tool by Tom Liston.
- http://www.bleepingc...topict3077.html

Best of luck with it.

:ph34r:

Edited by apluswebmaster, 29 September 2004 - 12:27 PM.


#12 Cloudcroft
    TAMU '76
  • Full Member
  • 38 posts

Posted 29 September 2004 - 01:29 PM

Thanks. I guess I meant that as a rhetorical question. :D

#13 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 01 October 2004 - 09:50 PM

FYI...

New Phishing System Takes Advantage of JPEG Bug
- http://www.eweek.com...a=136324,00.asp
October 1, 2004
"Symantec Corp.'s Threat Analyst Team has discovered an exploit in the wild that utilizes the recently announced JPEG vulnerability in Microsoft Corp.'s GDI+ library to install a new and sophisticated phishing system. eWEEK.com spoke with Oliver Friedrichs, senior manager of Symantec Security Response, who said the infected image is not able to attack a system from within Internet Explorer or Outlook, but only from within Windows Explorer, the file system browsing utility. Therefore, an attacker would likely need to entice a user to view the file from within the file system. This was the most feared scenario for this vulnerability. Because of the nature of this particular attack, as a heap-based integer underflow vulnerability, implementations of the attack are likely to be specific to the application, perhaps even versions of the application, in which the image is viewed. Friedrichs says that it may not be possible to exploit the vulnerability from within Outlook or Outlook Express...

The message itself is a phishing message appearing to come from Citibank and asking the user to go to a specified Web site to confirm personal data or else, so the message claims, access to the user's account will be blocked. The body of the message itself is not text, but an image map, presumably to make it more difficult for counter-measures to work. Instead of scanning for text in the message, patterns in or checksums of the image will have to be employed, although these are often easily defeated with slight randomization of the body of the image. If the user clicks on the link portion of the image, he or she is brought to a Web page residing on a system belonging to a Comcast user. The page brings up a browser window in the background with the actual Citibank home page to give the appearance of legitimacy and a popup in the foreground belonging to the attacker. The popup requests personal information...Symantec believes that the attackers were not novices and had prepared this phishing system in advance, waiting for a suitable vulnerability to come along and be used as a hook for installing the phishing attack. The sophisticated multistage attack will likely reappear in improved form as the attackers learn from their experience with it."
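Added example, not from the thread, the ISC or Symantec: the flaw named in posts #9 and #13 above, the GDI+ "JPEG Segment Length Integer Underflow", lives in the 2-byte length field that every JPEG marker segment carries. That field counts its own two bytes, so a declared length of 0 or 1 can never be valid, and that malformed case is what the underflow refers to. The Python walker below steps through a JPEG's marker segments and flags any segment with such a length, the kind of check a mail gateway or file-share crawl can apply before an image reaches a vulnerable viewer. The two byte strings at the bottom are constructed here for illustration, not captured files.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def walk_segments(data):
    """Yield (offset, marker, length) for each marker segment before the scan data.

    offset is the position of the 0xFF prefix; length is the declared 2-byte
    length (None for standalone markers).  Stops at SOS, EOI, end of data, or
    the first segment whose length field is below 2, because no later position
    can be trusted once the length is bogus.
    """
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: no SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {pos}")
        start = pos
        while pos < len(data) and data[pos] == 0xFF:  # fill bytes are legal
            pos += 1
        if pos >= len(data):
            return
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield start, marker, None
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            return  # truncated file: nothing more to inspect
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        yield start, marker, length
        if length < 2 or marker == SOS:
            return
        pos += length  # length includes its own two bytes


def suspicious_segments(data):
    """(offset, marker) of every segment whose length field is smaller than 2."""
    return [(off, m) for off, m, ln in walk_segments(data) if ln is not None and ln < 2]


def is_suspicious(data):
    """True when the image contains at least one impossible segment length."""
    return bool(suspicious_segments(data))


def _app0_jfif():
    # Minimal JFIF APP0 segment: 14-byte payload, declared length 16.
    payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xe0" + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples.  BENIGN has a 5-byte comment (declared length 7);
# MALFORMED declares a comment length of 1, which no valid encoder emits.
BENIGN = b"\xff\xd8" + _app0_jfif() + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9"
MALFORMED = b"\xff\xd8" + _app0_jfif() + b"\xff\xfe\x00\x01" + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malformed", MALFORMED)):
        hits = suspicious_segments(blob)
        print(f"{name}: {'FLAG ' + str(hits) if hits else 'ok'}")
```

On a real file, read it in binary and pass the bytes to `suspicious_segments`; the scanner stops at the first scan (SOS) marker because the entropy-coded data that follows is not segment-structured and has nothing to do with this flaw.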


#14 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 05 October 2004 - 06:50 PM

FYI...

- http://www.eweek.com...a=136026,00.asp
By Larry Seltzer - eWeek
"...As Tom Liston pointed out in an open letter to Microsoft, the company's scanning tool for vulnerable programs takes a very narrow view of the problem. It doesn't look generically for the problem. I myself found a better scanning tool;
I call it "DIR C:\GDIPLUS.DLL /S" ...It finds all copies of GDIPLUS.DLL on the system and displays their dates.

The file date isn't a guarantee that a file is or isn't vulnerable, and I don't know if you can just copy new, fixed versions to the locations of the vulnerable ones.

Unlike with a browser or e-mail client, most third-party GDIPLUS programs don't work with arbitrary images from arbitrary sources (this is my guess, but I feel good about it). So how do you get the exploit to the images that third-party applications use?

The answer is expensive in terms of network and CPU time, but what's a worm to do other than propagate itself? The worm needs to search out on the computer on which it's running and the network to which it is attached for JPEG files and modify them to include the exploit. This would require the user of the exploited computer to have write privileges to these files, and it would probably leave an audit trail of the modification, but who cares? It's the user of the computer, not the author of the worm, who gets in trouble..."


#15 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 08 October 2004 - 04:59 AM

FYI...

- http://isc.sans.org/...date=2004-10-07
Updated October 8th 2004 07:09 UTC
"...Vulnerable GDI dlls in unexpected places
One writer sent in:
I downloaded the GDI+ detection-tool from <http://isc.sans.org/gdiscan.php> and it reported a vulnerable file:

Directory of C:\Program Files\Microsoft Works
06/20/2002  03:23 AM    1,708,036 gdiplus.dll

- Compare to the "patched" file, in other folders:
08/04/2004  12:56 AM    1,712,128 gdiplus.dll

Microsoft Works 7, rather than Microsoft Office, is installed.

The Microsoft detection-tool did *NOT* identify that "Microsoft Works 7" has this vulnerability. D'oh!<sic> The Microsoft "home-page" for MS Works does not document this vulnerability. D'oh!<sic>

So, it's time to check all your associates' computers, looking to patch this vulnerability within that software, because Microsoft is doing a sloppy job of identifying this vulnerability. Thanks for that tasty tidbit!..."
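Added example, not from the thread, eWeek or the ISC: post #14 proposes `DIR C:\GDIPLUS.DLL /S` to list every copy of the DLL with its date, and post #15 shows a vulnerable and a patched copy differing in size. The Python inventory below does the same walk but also records size and modification time and compares the size against the two values quoted in the diary (1,708,036 bytes for the copy reported vulnerable, 1,712,128 for the one reported patched). As both posts stress, date and size are hints rather than proof; the script says so in its output and a real triage would go on to read the PE file version. The sample directory tree is constructed here with sparse dummy files, not copied from a real machine.

```python
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime

TARGET = "gdiplus.dll"

# Sizes quoted in the ISC diary excerpt above; hints only, not proof of patch state.
SIZE_HINTS = {
    1_708_036: "size matches the copy the diary reported as vulnerable",
    1_712_128: "size matches the copy the diary reported as patched",
}


@dataclass
class DllCopy:
    path: str
    size: int
    mtime: datetime
    hint: str


def classify_size(size):
    """Map a file size to the diary's hint, or ask for a proper version check."""
    return SIZE_HINTS.get(size, "unknown build; check file version against MS04-028")


def find_copies(root):
    """Equivalent of DIR <root>\\GDIPLUS.DLL /S: every copy under root with size and date."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == TARGET:
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                found.append(DllCopy(path, st.st_size,
                                     datetime.fromtimestamp(st.st_mtime),
                                     classify_size(st.st_size)))
    return sorted(found, key=lambda c: c.path)


def report(copies):
    """Plain-text report: date, size and path on one line, the size hint below it."""
    return "\n".join(f"{c.mtime:%Y-%m-%d %H:%M}  {c.size:>11,}  {c.path}\n    -> {c.hint}"
                     for c in copies)


def build_sample_tree():
    """Constructed fixture (not a real system): two dummy gdiplus.dll files,
    sparse-padded to the two sizes quoted in the diary."""
    root = tempfile.mkdtemp(prefix="gdiplus_inventory_")
    fixtures = {
        os.path.join("Program Files", "Microsoft Works"): 1_708_036,
        os.path.join("WINDOWS", "other_folder"): 1_712_128,
    }
    for sub, size in fixtures.items():
        directory = os.path.join(root, sub)
        os.makedirs(directory)
        with open(os.path.join(directory, TARGET), "wb") as fh:
            fh.truncate(size)  # sparse file: right size, no data written
    return root


if __name__ == "__main__":
    scan_root = build_sample_tree()  # on a real machine: r"C:\"
    print(report(find_copies(scan_root)))
```

Run against a real drive the walk takes a while, exactly as `DIR /S` does; the value over the one-liner is that every copy comes back with the same three fields and a consistent verdict line, so results from many machines can be collected and compared.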

#16 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 10 October 2004 - 09:06 AM

FYI...from the Internet Storm Center:

- http://isc.sans.org/...date=2004-10-09
Updated October 10th 2004 00:26 UTC
"We're receiving yet more reports of successful social engineering attacks and GDI+ JPEG attacks that cause a UPX'ed and Morphine'd trojan horse (Gaobot, SDbot, RxBot) to be installed, and the resultant botnet used for typical nefarious purposes.

Most current AntiVirus packages don't properly unpack these binaries, and don't detect them terribly well. There are also reports that some of them are interfering with automated AV update procedures.

Patches applied to both the computer itself and the user at the console should be sufficient. If you have the facility to capture, or block, IRC traffic to unknown IRC servers (sometimes not on port 6667/tcp, either), you can potentially disrupt the botnet..."

:(
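Added example, not from the thread or the ISC: the diary quoted above notes that the bots phoned home over IRC "sometimes not on port 6667/tcp", so a rule keyed on the port alone misses them. The Python detection below looks instead at the first client bytes of each connection for the IRC registration handshake (NICK plus USER) and raises an alert for any destination not on an allowlist, whatever the port; it then counts distinct internal hosts per unsanctioned server, since many clients on one unknown server is the botnet shape the diary describes. The flow records and the allowlist are constructed here, with documentation-range addresses, not taken from a real capture.

```python
import re
from collections import defaultdict

# IRC client commands recognised at the start of a CRLF-terminated line (RFC 1459 framing).
IRC_CMD = re.compile(rb"^(?:PASS|NICK|USER|JOIN|PRIVMSG|PONG) ", re.I | re.M)
# A client must register with NICK and USER before it can do anything else.
REGISTRATION = {b"NICK", b"USER"}
# Constructed allowlist: IRC servers the organisation sanctions.
ALLOWED_IRC_SERVERS = {"irc.example.org"}


def looks_like_irc(payload):
    """True when the client payload carries an IRC registration handshake,
    regardless of the TCP port the connection used."""
    seen = {m.group(0).split()[0].upper() for m in IRC_CMD.finditer(payload)}
    return REGISTRATION <= seen


def find_suspect_flows(flows):
    """flows: iterable of dicts with src, dst, dport and the first client payload bytes.
    Returns one alert per flow that speaks IRC to a server not on the allowlist."""
    alerts = []
    for f in flows:
        if not looks_like_irc(f["payload"]) or f["dst"] in ALLOWED_IRC_SERVERS:
            continue
        reason = "IRC handshake to unsanctioned server"
        if f["dport"] != 6667:
            reason += f" on non-standard port {f['dport']}/tcp"
        alerts.append({"src": f["src"], "dst": f["dst"], "dport": f["dport"], "reason": reason})
    return alerts


def clients_per_server(alerts):
    """Number of distinct internal hosts talking to each unsanctioned server."""
    by_server = defaultdict(set)
    for a in alerts:
        by_server[a["dst"]].add(a["src"])
    return {dst: len(srcs) for dst, srcs in by_server.items()}


# Constructed flow records (not a real capture).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "irc.example.org", "dport": 6667,
     "payload": b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #ops\r\n"},
    {"src": "10.0.0.7", "dst": "198.51.100.23", "dport": 7000,
     "payload": b"NICK host1234\r\nUSER h 0 * :h\r\nJOIN #c\r\n"},
    {"src": "10.0.0.9", "dst": "198.51.100.23", "dport": 80,
     "payload": b"nick host5678\r\nuser h 0 * :h\r\njoin #c\r\n"},
    {"src": "10.0.0.11", "dst": "203.0.113.9", "dport": 443,
     "payload": b"GET / HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"},
]

if __name__ == "__main__":
    found = find_suspect_flows(SAMPLE_FLOWS)
    for a in found:
        print(f"{a['src']} -> {a['dst']}:{a['dport']}  {a['reason']}")
    print("clients per unsanctioned server:", clients_per_server(found))
```

The sanctioned server on 6667 produces no alert, the HTTP request on 443 is ignored, and the two IRC handshakes to the same unlisted host on 7000 and 80 are both caught; the per-server count is what tells you those two machines share a controller rather than each chatting somewhere different.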

#17 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 13 October 2004 - 02:06 AM

FYI...

Security Update for JPEG Processing (GDI+)
- http://www.microsoft...00409_jpeg.mspx
Updated: October 12, 2004 <<<
"...Microsoft Security Bulletin MS04-028 was re-released on October 12, 2004, to address an issue that prevented some updates originally released on September 14, 2004, from installing on computers running Windows XP SP2. If you use Windows XP SP2 and if you installed the original updates for Visio 2002, Project 2002, or Office XP, you should return to the Office Update Web site to install the revised updates..."
- http://office.micros...te/default.aspx


#18 Silver
  • New Member
  • 1 posts

Posted 15 October 2004 - 10:36 AM

Hi. I am new here, and I hope I'm posting this in the right place. Seems to be. Last night I was updating some stuff on Windows, and the 3rd one wanted me to accept a user agreement, and then came up with a warning that my computer could have security vulnerabilities, and asked if I wanted more information on it. I clicked no, because I was tired, and didn't want to deal with it right then. It came up with another window that said pretty much "are you sure? Here's a site to look at" and I wrote it down in case the weird feeling I had about the whole thing was unfounded.

Anywho, I got into work this morning, and my co-worker was on the verge of a breakdown. His computer wouldn't do anything, explorer wouldn't run right, even in safe mode. He's a VERY computer savvy person, so he knows what he's doing. He said that he chose to download all the updates, and clicked on Yes on that first window, and then :wacko: (his computer crashed). No good. He is trying to back up his files right now, and I think he and the IT guy are going to reformat the whole thing.

I don't know why this happened, but I'm glad I didn't click on it on my computer. I don't have an IT guy at home. It doesn't seem like it's Windows' fault, but it did happen with an update.

Ack! I have updates ready to install on this computer!!! Run away!!

Any info and advice would be MUCH appreciated. Thank you!!

Edited by Silver, 15 October 2004 - 10:36 AM.


#19 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 16 October 2004 - 12:29 PM

FYI...

- http://www.us-cert.g...html#jpegbuffer
Summary of Security Items from October 6 through October 12, 2004
"A buffer overflow vulnerability exists in the processing of JPEG image formats, which could let a remote malicious user execute arbitrary code. Frequently asked questions regarding this vulnerability and the patch can be found at: - http://www.microsoft...n/ms04-028.mspx

Another exploit script has been published.

Vendor & Software Name
Microsoft .NET Framework 1.x, Digital Image Pro 7.x, 9.x, Digital Image Suite 9.x, Frontpage 2002, Greetings 2002, Internet Explorer 6, Office 2003 Professional Edition, 2003 Small Business Edition, 2003 Standard Edition, 2003 Student and Teacher Edition, Office XP, Outlook 2002, 2003, Picture It! 2002, 7.x, 9.x, PowerPoint 2002, Producer for Microsoft Office PowerPoint 2003, Project 2002, 2003, Publisher 2002, Visio 2002, 2003, Visual Studio .NET 2002, 2003, Word 2002; Avaya DefinityOne Media Servers, IP600 Media Servers, S3400 Modular Messaging, S8100 Media Servers

Microsoft JPEG Processing Buffer Overflow - CVE Name: CAN-2004-0200"

>>> Note to "Silver": Check the -details- of the updates, and let us know what they are...

#20 AplusWebMaster
  • SWI Friend
  • 11,104 posts

Posted 24 October 2004 - 10:38 AM

FYI...

Scan & Repair Infected Jpegs - New Tool / posted by chachazz
- http://www.spywarein...showtopic=32246

...Thank you! ;)



