Computer Virus

  • Alternate WMF vulnerability patch for WinNT,2000,XP, 2003 systems


    Quote NOD32 Switzerland
    "Paolo Monti has released a temporary patch for the WMF vulnerability
    ( see Microsoft Security Bulletin 912840 ). This patch intercepts the
    Escape GDI32 API in order to filter the SETABORTPROC (function number
    9). It uses dynamic API hooks avoiding patching/modifying of the GDI32
    code. Advantages of this approach: fully dynamic - no reboot is
    required.
    This patch also works on Windows 9x/ME. Administrator rights are
    required to install it on WinNT,2000,XP, 2003 systems.
    Installation: unzip the file WMFPATCH11.ZIP and run the provided
    INSTALL.EXE file. Follow the instructions of the installer.
    Uninstallation: go into Windows Control Panel, Add/Remove Programs,
    select "GDI32 - WMF Patch" and remove it."
    You can get it here
  • No.1

    Wed, 04 Jan 2006 20:43:28 +0000, Ian Kenefick
    <ian_kenefick@eircom.net> wrote:

    >Quote NOD32 Switzerland
    >
    >"Paolo Monti has released a temporary patch for the WMF vulnerability
    >( see Microsoft Security Bulletin 912840 ). This patch intercepts the
    >Escape GDI32 API in order to filter the SETABORTPROC (function number
    >9). It uses dynamic API hooks avoiding patching/modifying of the GDI32
    >code. Advantages of this approach: fully dynamic - no reboot is
    >required.
    >This patch also works on Windows 9x/ME. Administrator rights are
    >required to install it on WinNT,2000,XP, 2003 systems.
    >
    >Installation: unzip the file WMFPATCH11.ZIP and run the provided
    >INSTALL.EXE file. Follow the instructions of the installer.
    >
    >Uninstallation: go into Windows Control Panel, Add/Remove Programs,
    >select "GDI32 - WMF Patch" and remove it."
    >
    >You can get it here


    PS!!

    The patch also works on Win9x platform.
  • No.2

    Ian Kenefick wrote:
    Wed, 04 Jan 2006 20:43:28 +0000, Ian Kenefick
    <ian_kenefick@eircom.net> wrote:
    >
    >
    >>Quote NOD32 Switzerland
    >>
    >>"Paolo Monti has released a temporary patch for the WMF vulnerability
    >>( see Microsoft Security Bulletin 912840 ). This patch intercepts the
    >>Escape GDI32 API in order to filter the SETABORTPROC (function number
    >>9). It uses dynamic API hooks avoiding patching/modifying of the GDI32
    >>code. Advantages of this approach: fully dynamic - no reboot is
    >>required.
    >>This patch also works on Windows 9x/ME. Administrator rights are
    >>required to install it on WinNT,2000,XP, 2003 systems.
    >>
    >>Installation: unzip the file WMFPATCH11.ZIP and run the provided
    >>INSTALL.EXE file. Follow the instructions of the installer.
    >>
    >>Uninstallation: go into Windows Control Panel, Add/Remove Programs,
    >>select "GDI32 - WMF Patch" and remove it."
    >>
    >>You can get it here

    >
    >

    PS!!

    The patch also works on Win9x platform.
  • No.3

    Wed, 04 Jan 2006 20:43:28 +0000, Ian Kenefick
    <ian_kenefick@eircom.net> wrote:

    >This patch also works on Windows 9x/ME.


    LOL! That should drive Virus Guy absolutely nuts! :)
    He'll no doubt try to assassinate the author of such
    blasphemy, so Paolo had better watch out!

    Art

    http://home.epix.net/~artnpeg

  • No.4

    Wed, 04 Jan 2006 21:14:19 GMT, louise <louise@nospam.com> wrote:

    >Win XP Pro - would this patch be preferable to the hexblog one?


    Who knows? At least Ilfak's patch has received wide expert scrutiny
    and acceptance. Stick with it.

    Art

    http://home.epix.net/~artnpeg

  • No.5

    Wed, 04 Jan 2006 21:19:16 GMT, Art <null@zilch.com> wrote:

    >LOL! That should drive Virus Guy absolutely nuts! :)
    >He'll no doubt try to assassinate the author of such
    >blasphemy, so Paolo had better watch out!


    ha ha - I know it already existed in the original text from ESET, I
    felt I needed to highlight it though.

    IT WORKS ON WIN9X :)
  • No.6


    IT WORKS ON WIN9X :)

    You know, that's really lame.

    I mean, ok, sure, you install a helper whose only purpose is to
    intercept a handful of calls to GDI32. Sure, such a mechanism will
    work on 9X. Doesn't mean that it will ever get used, even if the
    computer it's installed on is exposed to dozens of problem wmf files (and
    I know it doesn't matter if the file has a wmf extension on it or
    not).

    Again, it has yet to be shown by anyone how a typical installation (or
    any installation) of Win-98 attains the ability to know what to do
    with a wmf file.

    But I'll throw you guys a bone.

    Microsoft Photodraw turns out to be the program that is registered to
    handle wmf files on Win-98 machines if you went whole-hog and
    installed the whole shooting match.

    (at least I think it's part of 2000. If not, then it must have
    come from MSDN).

    Anyways, I don't think there's enough integration between IE and
    Photodraw that would result in WMF rendering within a browser process.

    By the way - GDI32 having a problem or vulnerability doesn't by itself
    mean that a Win-98 PC is vulnerable. It also needs an associated
    process that is called to handle and dissect the wmf file (or what-ever
    its fake extension is) and perform the vulnerable call to GDI32.

    You people don't seem to realize that Win-98 has no native handler for
    wmf files.
  • No.7

    Wed, 04 Jan 2006 19:35:22 -0500, Virus Guy <Virus@Guy.com> wrote:

    >
    >IT WORKS ON WIN9X :)
    >
    >You know, that's really lame.
    >
    >I mean, ok, sure, you install a helper whose only purpose is to
    >intercept a handful of calls to GDI32. Sure, such a mechanism will
    >work on 9X. Doesn't mean that it will ever get used, even if the
    >computer it's installed on is exposed to dozens of problem wmf files (and
    >I know it doesn't matter if the file has a wmf extension on it or
    >not).
    >
    >Again, it has yet to be shown by anyone how a typical installation (or
    >any installation) of Win-98 attains the ability to know what to do
    >with a wmf file.


    So contact Paolo then and ask him why he wasted his time with Win 9X.
    And ask MS when they finally release a patch (presumably) for 98.
    I could mention several other expert sources as well whom you believe
    are deluded and totally mistaken. But I know it won't do any good :)
    It's a shame, since you (and the rest of us) might actually learn
    something in the process.

    Art

    http://home.epix.net/~artnpeg

  • No.8

    Art wrote:

    So contact Paolo then and ask him why he wasted his time with
    Win 9X.

    I'd like to ask him why it takes a 1 mb file to perform this
    function. I'd like to ask why was his fix packed inside a
    self-installer that I can't unpack for myself.

    And how do we know he "wasted" his time with Win-98? How do we know
    there are different versions of the interceptor buried inside
    "install.exe" or if a single file works across 9X/NT platforms?
  • No.9

    Wed, 04 Jan 2006 20:22:48 -0500, Virus Guy <Virus@Guy.com> wrote:

    >Art wrote:
    >
    >So contact Paolo then and ask him why he wasted his time with
    >Win 9X.
    >
    >I'd like to ask him why it takes a 1 mb file to perform this
    >function. I'd like to ask why was his fix packed inside a
    >self-installer that I can't unpack for myself.
    >
    >And how do we know he "wasted" his time with Win-98? How do we know
    >there are different versions of the interceptor buried inside
    >"install.exe" or if a single file works across 9X/NT platforms?


    Why not ask him the real question at hand? Why does Win 98 require
    a fix? That's what you wanted to know, wasn't it?

    Art

    http://home.epix.net/~artnpeg

  • No.10

    Art wrote:

    I'd like to ask him why it takes a 1 mb file

    How do we know there are different versions

    Why not ask him the real question at hand? Why does Win
    98 require a fix? That's what you wanted to know, wasn't it?

    Too many suppositions here.

    Some guy named Paolo comes out with an installable "service" that
    intercepts the problematic calls to GDI32. We _learn_ that the
    "service" is compatible with Win-98 (although it was more than likely
    written with Win-NT-5.x in mind).

    What we don't know is

    1) Did Paolo craft a special Win-98 compatible version of this
    service? or

    2) Did Paolo craft a single version of this service, and it just
    happens to be Win-98 compatible?

    If (1) or (2) is true, then we still don't know if Win-98 ->needs<-
    the service. Just because Paolo did (or did not) take special care to
    make the service compatible with Win-98 doesn't mean he has some
    special knowledge that Win-98 ->needed<- the service.

    The task at hand was to write a GDI32 call interceptor. Knowing if
    Win-98 was vulnerable to the call was not a pre-requisite to writing
    the interceptor.
  • No.11

    I'm not a programmer-type under-the-hood Windows expert
    but I've tended many Windows boxes since Windows 3.0
    in small office environments.

    I've been following the discussions on whether Win98
    is vulnerable to the recent WMF exploits and just for
    fun did a bit of impromptu fooling around with the
    "browsercheck.wmf" file found at:

    It doesn't seem to do anything to my Win98 machine.
    Seems to me this is because of the lack of WMF file
    associations on my machine.

    Note that my tests were done with VirusScan
    DAT 4663 which does NOT see Bloodhound.Exploit.56.

    I offer the results of what I found for
    what it may be worth. I like Win98 because the
    bad guys tend to prefer to play with the latest
    MS OSs and McAfee could always be relied upon to
    make up the difference. I can't tell you how many
    of my friends, acquaintances, and co-workers have
    had their later OS home machines trashed, but then
    again I know a lot of people who are clueless; all
    the more reason I kept the boxes I had responsibility
    over an OS or two behind the times. I hope recent
    events don't put a spotlight on 98 and inspire
    the creations of "retro-viruses" so to speak.

    My system specs:

    Windows98SE 4.10.2222A

    Word2000 (9.0.2720)
    Express 5 (5.50.4133.2400)
    Internet Explorer 6.0.2600.0000IS
    Firefox 1.0.7
    Image Eye 7.1 (default image viewer)
    DataViz Conversions Plus 4
    McAfee VirusScan Home Edition 7.00.5000.0
    (DAT 4.0.4663 12/30/05)

    Results:

    doubleclicking on browsercheck.wmf
    results in Conversions Plus opening
    identifying file as a dbII file and asking
    for input on how to open or convert;
    viewing or attempting conversion fails
    without incident or it asks for a program
    to open it with because there are no
    associations and you can just cancel.

    doubleclicking on
    browsercheck.wmf renamed to browsercheck.jpg
    results in Image Eye viewer attempt to open
    which fails - unknown format

    browsercheck.wmf sent as attachment to
    intercepted by Earthlink and stripped
    identified as Bloodhound.Exploit.56
    I couldn't get around this, so I can't say what
    would do if it actually got the attachment,
    however

    browsercheck.wmf renamed to browsercheck.jpg
    sent as attachment to
    NOT intercepted by Earthlink
    displayed as broken icon in viewer pane
    attempt to open it identifies file as
    c:\windows\Temporary Internet Files\Content.IE5\
    XXXXXXX\browsercheck.wmf
    "This file does not have a program associated
    with it for performing this action. Create an
    association in My Computer by clicking Views
    and then clicking Folder "

    browsercheck.wmf dropped into Word
    results in clickable icon
    doubleclicking results in embedded object warning
    doubleclicking again identifies file as
    c:\windows\temp\pkge0e1.wmf
    "This file does not have a program associated
    with it for performing this action. Create an
    association in My Computer by clicking Views
    and then clicking Folder "; clicking OK
    yields: "No Application is associated with this file"

    browsercheck.wmf renamed to browsercheck.jpg
    dropped into Word
    results in clickable icon
    doubleclicking results in embedded object warning
    doubleclicking again results in Image Eye viewer fails
    - unknown format

    browsercheck.wmf dropped into Internet Explorer
    results in download warning;
    telling it to open the file results in
    Conversions Plus dialogue box due to lack
    of file association

    browsercheck.wmf renamed to browsercheck.jpg
    dropped into Internet Explorer
    results in broken icon

    browsercheck.wmf dropped into Firefox
    results in download warning
    telling it to open the file results in
    repeated download warnings

    browsercheck.wmf renamed to browsercheck.jpg
    dropped into Firefox results in display error

    Attempting to import browsercheck.wmf or
    browsercheck.wmf renamed to browsercheck.jpg
    into Word Clipart fails without problems

  • No.12

    Wed, 04 Jan 2006 21:56:05 -0600, Q <boxcars@gmx.net> wrote:

    >Art <null@zilch.com> wrote in
    ><@4ax.com>:
    >
    >Why not ask him the real question at hand? Why does Win 98 require
    >a fix? That's what you wanted to know, wasn't it?
    >
    >Wouldn't make a difference if he got an answer to that question. It
    >would clearly be "nothing but a lie."
    >
    >;)


    Unfortunately, that's true :(

    Art

    http://home.epix.net/~artnpeg

  • No.13

    Bronx wrote:

    "browsercheck.wmf" file

    It doesn't seem to do anything to my Win98 machine.
    Seems to me this is because of the lack of WMF file
    associations on my machine.

    I just tried to open that file, as well as "test.wmf" (from the
    Internet Storm Center). Both are supposed to start the calculator on
    a vulnerable system.

    http://sipr.net/test.wmf

    I tried to open those wmf files using Microsoft ClipArt Gallery 5.0
    (Artgalry.exe). (using CCTASK I see that GDI32.DLL is linked to
    Artgalry.exe). In both cases, I get the message:

    "Clip Gallery could not create a preview image for (file.wmf) using
    the installed graphics import filter or media player for that type.
    The file may be corrupted or incompatible with the filter"

    Both of those test files open normally in Coreldraw - both seem to
    consist of a bunch of random-sized and random-placed rectangles (75 of
    them for test.wmf).

    When attempting to view those test files under XP - does XP show or
    render the files (along with spawning the calculator) - ? Does XP
    indicate that the file is mal-formed in any way?

    It's still not clear to me if a mal-formed wmf file is supposed to
    lead to an instability within GDI32 that (along with executing the
    exploit) would lead to a crash of either GDI32 or the process that
    called it. If ->something<- is supposed to crash or become unstable
    as part of the execution of the vulnerability, then it obviously ain't
    happening on my Win-98 system.

    An alternative explanation is that these test WMF files have been
    designed so that they do not lead to a component crash - or perhaps
    they cause a "controlled crash" or exit.
  • No.14

    Virus Guy wrote:
    [snip]
    It's still not clear to me if a mal-formed wmf file is supposed to
    lead to an instability within GDI32 that (along with executing the
    exploit) would lead to a crash of either GDI32 or the process that
    called it. If ->something<- is supposed to crash or become unstable
    as part of the execution of the vulnerability, then it obviously ain't
    happening on my Win-98 system.

    it has nothing to do with a crash or causing instability setabortproc
    tells the computer what to execute in the event that rendering the wmf
    file is aborted or fails the malformed bit then causes the
    aforementioned failure
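
    The Escape(SETABORTPROC) record that the patch in the opening post filters at the GDI32 boundary, and that the last reply explains, can also be spotted statically before a metafile ever reaches a renderer. The following scanner is an added example, not code from this thread or from Paolo Monti's patch; it assumes the MS-WMF record layout (4-byte record size in words, 2-byte function code, META_ESCAPE = 0x0626 followed by a WORD escape function and a WORD byte count), and the sample metafile it builds is constructed here with a zero-filled payload.

```python
import struct

META_EOF = 0x0000
META_ESCAPE = 0x0626          # record type that carries GDI Escape() calls
SETABORTPROC = 9              # the Escape function number the patch filters
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header


def iter_wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF blob."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                           # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2                # header size is counted in 16-bit words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                 # a record is never shorter than its own header
            raise ValueError("bad record size at offset %d" % off)
        end = min(off + size_words * 2, len(data))
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def find_setabortproc(data: bytes):
    """Return [(offset, byte_count)] for every Escape record whose function is SETABORTPROC."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, byte_count))
    return hits


def _record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def sample_wmf(escape_func: int) -> bytes:
    """Constructed minimal metafile: header, one Escape record, META_EOF.
    The escape payload is four zero bytes, nothing executable."""
    payload = b"\x00" * 4
    esc = _record(META_ESCAPE, struct.pack("<HH", escape_func, len(payload)) + payload)
    body = esc + _record(META_EOF, b"")
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, len(esc) // 2, 0)
    return header + body


if __name__ == "__main__":
    for name, blob in (("setabortproc", sample_wmf(SETABORTPROC)), ("benign", sample_wmf(1))):
        print(name, find_setabortproc(blob))
```

A hit only says the file asks GDI to register an abort procedure, which no legitimate image has reason to do; as the last reply notes, the rendering failure that follows is what drives the call.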
