
Intentional windows backdoor?


Fr33m4n


I'll let this speak for itself:

Flash: Steve Gibson has been working with the WMF vulnerability and is now convinced that this is an intentional backdoor into Windows added by Microsoft.

Microsoft has patched the WMF vulnerability in Windows 2000 and XP, but in his research for a fix for Windows 95/98/Me Steve has come up with a blockbuster. It is his considered opinion that the WMF vulnerability could not have been a mistake. It was an intentional backdoor inserted into Windows by Microsoft for reasons unknown. Listen for details.

Podcast:

http://thisweekintech.com/sn22

click "main feed"

Transcript:

http://www.grc.com/sn/SN-022.htm

So over the weekend I rolled up my sleeves and sort of switched into what was really hacker mode. . . . And I wanted to acquire an understanding of exactly what this problem was in order to determine for myself first if, in fact, these older versions of Windows were actually vulnerable. And then, if so, I would certainly have a head start on how to cure that vulnerability.

So I started with what was known, which was the vulnerability in our existing versions of Windows, you know, 2000, XP, and so forth, and basically created from scratch my own GRC-style vulnerability testing tool. . . . I was using this, you know, this Escape/SETABORTPROC procedure that we knew was sort of the vector of exploitation. Mine wasn't working. And... I removed the patch from my system, and I could not get the exploit to trigger using a metafile that I created with my own code.

Well, it turned out that, first of all, the way this Escape function was working was it didn't strike me as, like, erroneous. That is, what this Escape/SETABORTPROC function does, the idea is that when an application is printing to the printer, . . . It is just simply a callback routine that's designed for aborting a printing process so that you can callback the calling program.

First of all, it makes no sense at all in a metafile device context. In the context of processing a metafile, setting a printer abort is crazy because it's not a printer context. You don't print metafile contexts in this way.

What Windows did when it encountered this Escape function, followed by the SETABORTPROC metafile record, was it jumped immediately to the next byte of code and began to execute it.

You know, that's crazy. But what's even more crazy is what it took for me to make it do this. . . . Oh, and since the size is in words, the smallest possible size for a metafile record would be three words long, or six bytes. Look, the reason I had problems making this exploit happen initially is I was setting the length correctly. It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn't trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one.

This was not a mistake. This is not buggy code. This was put into Windows by someone.

What do you make of this? Some people hate the guy, others love him. But I don't think he would do this purely as a publicity stunt.

EDIT!

Perhaps I should add something from wikipedia before you all freak out:

It is well known that the WMF vulnerability stems from an intentional feature in the design of WMF that allows code to be embedded into WMF images; this code is executed when the image is viewed. The original purpose of this was mainly to handle the cancellation of print jobs during spooling. This is a feature that has extreme security implications in the context of the Internet, but is from another time (Windows 95), when MS had very little interest in networking beyond trusted internal corporate environments. Over the years this code has lived on in Windows without being reviewed in the current context of Internet connectivity.

http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

That means that most of this had a purpose, but what is still a factor is the fact that you have to set the file size to 1 in order to get this to run. That seems very specific and deliberate to me.

Edited by Fr33m4n


Anytime a person takes the time to find exploits in an operating system that roughly 75-85% of the population uses, he/she should be commended for bringing it to light. Because if it wasn't him it would've been some black hat hacker who would steal your info. Funny thing is, win media player doesn't play that test file. It switches over to quicktime.

Edited by m3n70r

well, there's a lot to be said about gibson's credibility - evidently the security community as a whole shuns him from what i've read. myself, i think he's a marketeer. i mean, come on, coding a utility to disable the messenger service? that's nothing more than a marketing ploy to attract attention to his website.

however, it's still interesting and i wouldn't doubt that MS, or someone at MS, with or without their knowledge, coded this intentionally. however 'ol stevie boy has been proven wrong in the past. we'll see...


i agree with Prathapml, i read that it has been in windows since version 3.1, it's how the windows operating system knew that the printer job has been canceled, and hasn't been removed since. but now that someone found this "exploit" they've removed it.


according to gibson, the 'feature' or vulnerability - whatever you wanna call it - had nothing to do with canceling print jobs.
Well, it turned out that, first of all, the way this Escape function was working was it didn't strike me as, like, erroneous. That is, what this Escape/SETABORTPROC function does, the idea is that when an application is printing to the printer, it creates something called a Device Context. I've got to get a little bit tricky here with Windows terminology. But, you know, everyone will be able to follow along. It creates something called a Printer Device Context where things like the thickness of the pen, the color of the pen, the size of the paper, sort of all the things that are about the context of this printing page are stored. So once the application has a page ready, it turns it over to Windows and says, okay, here, go print this. And essentially it's done with that page, and it gets on about its business, for example, maybe getting the next page ready to hand over to Windows to print.

The problem is, what if the user aborted that page, that is, aborted the printing of the page, after it had been handed over to Windows? Since the application that's doing the printing has already turned responsibility for the printing over to Windows, there's really no way for Windows to say, hey, oops, just want to let you know the user canceled your print job. So this SETABORTPROC is a means for giving that printer context, that printer device context, a subroutine that Windows can call back in the application. It's called a "callback," in fact, because Windows calls back the application to notify it if the user or something causes an abort of the print job. So, you know, that's what that is. It's well understood. It makes complete sense in a printer device context.


@Bi0haZarD

maybe i'm wrong. put it this way: according to what i read (i read the whole thing), i got the impression that the exploit itself has nothing to do with canceling a print job, nor printing at all. maybe i'm interpreting it wrong, but that's my impression. did you read the rest of it too? here's what i mean...

Steve: I've looked back over all the documentation. I can't find anything about this documented anywhere. Okay, then I said - I played my own devil's advocate. Okay, so code is running in the metafile. Wouldn't that be useful? Wouldn't it be useful if a metafile could contain executable code, sort of as an undocumented feature? Microsoft never got around to writing about it; but they said, oh, this would be cool, and we'll use the SETABORTPROC. Notice that SETABORTPROC, it was just, I mean, this has nothing to do with printer aborting. It was just sort of a - it was a value that they had handy from other processing, and they sort of reused it. But this has got nothing to do with aborting printing. So it almost helped with the obfuscation and sort of, you know, the plausible deniability, except that this wasn't a coding mistake. And, you know, you even had to put the magic key into the length of the record in order to get this to work. And that was protection from somebody's metafile having a SETABORTPROC metafile record in it and tripping over this backdoor by mistake.
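As an added example (not from the thread, and not Gibson's tool), a Python scanner that walks the WMF record stream and flags the two conditions the quoted transcript describes: an Escape/SETABORTPROC record, which has no business in a metafile, and a record size below the three-word minimum (the "one" he mentions). The GDI constants META_ESCAPE (0x0626) and SETABORTPROC (9) are the real values; the two sample files are constructed fixtures with no payload.

```python
import struct

# GDI constants (real values): META_ESCAPE record function, SETABORTPROC escape code.
META_ESCAPE = 0x0626
SETABORTPROC = 9
META_EOF = 0x0000
MIN_RECORD_WORDS = 3          # rdSize (DWORD) + rdFunction (WORD) = 6 bytes = 3 words
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"   # Aldus placeable header, 22 bytes, precedes the WMF header


def scan_wmf(data):
    """Walk a WMF record stream and return (offset, reason) findings for
    records that should never occur in a metafile meant only to be drawn."""
    findings = []
    off = 22 if data.startswith(PLACEABLE_KEY) else 0
    if len(data) < off + 18:
        return [(0, "truncated header")]
    hdr_words = struct.unpack_from("<H", data, off + 2)[0]
    off += hdr_words * 2          # normally 9 words = 18 bytes
    while off + 6 <= len(data):
        rd_size, rd_func = struct.unpack_from("<IH", data, off)
        if rd_func == META_EOF:
            break
        if rd_func == META_ESCAPE and off + 8 <= len(data):
            esc = struct.unpack_from("<H", data, off + 6)[0]
            if esc == SETABORTPROC:
                findings.append((off, "SETABORTPROC escape in metafile"))
        if rd_size < MIN_RECORD_WORDS:
            # Structurally impossible size (the "1" in the transcript). Also
            # stops a zero size from looping forever; don't trust it to advance.
            findings.append((off, "impossible record size %d words" % rd_size))
            break
        off += rd_size * 2
    return findings


def build_wmf(records):
    """Constructed test fixture: standard WMF header + records + EOF record."""
    body = b"".join(records) + struct.pack("<IH", 3, META_EOF)
    max_rec = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    total_words = 9 + len(body) // 2
    # mtType=1 (memory), mtHeaderSize=9, mtVersion=0x0300, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_rec, 0)
    return hdr + body


# Constructed samples: a harmless META_SETMAPMODE record, and an Escape/SETABORTPROC
# record carrying the impossible size of 1 (followed by four zero bytes, no payload).
BENIGN_WMF = build_wmf([struct.pack("<IHH", 4, 0x0103, 8)])
SUSPECT_WMF = build_wmf([struct.pack("<IHHH", 1, META_ESCAPE, SETABORTPROC, 0) + b"\x00" * 4])
```

Running `scan_wmf` over a real corpus is a cheap triage check: a clean metafile returns an empty list, while the constructed suspect file yields both findings at the same record offset.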

Never heard of that guy but I have my messenger service disabled...just to let you know and I didn't need a utility to do it. The thing is though I honestly think that there is a backdoor in XP. I think it is left there intentionally for the US government to spy on whomever they like. I think the Patriot Act is quite evident of that. Like for example encryption schemes that are available for free for the Joe user to download and encrypt his/her communications. You really expect me to believe that the researchers working for the government don't have a key to open up all the encryption schemes employed by end users? I think MS has had to leave a backdoor open as prob does Linux and other operating systems. Of course I don't have any facts to back up my argument other than look at the current administration and consider if my idea is as far fetched in reality.


@suryad

far fetched? no, i don't think so. i disagree with your Linux statement however - the source code is there for everyone to see. not to say it hasn't been done in FOSS before (because it has according to what i've read), but code like that doesn't last long. someone is going to catch it.


Well, to be honest, damned near every programmer leaves a backdoor. Simply so that he can reconfigure his program at will without having to go through a bunch of steps. But the government does use some serious encryption. Either 1024 or 2048 bit encryption. It'd take a supercomputer centuries to crack that code.


@atomizer from post #9

i believe you may be correct, but we see 2 sides of a conflicting matter. My post says it's used for printing, yours says it's not, yet it's said by the same guy.

I'm no programmer that uses dllcalls and all that advanced stuff, so i can't say as a "fact" of what it does, or how it works.. or even what its purpose is.

i've heard many stories about this Escape() function in GDI32.dll and not sure what's true about it anymore. can't even google for a simple answer cause the first 50 pages are nothing but talk about that exploit lol.
