WMF Vulnerability is an Intentional Backdoor?

An anonymous reader writes "Steve Gibson alleges that the WMF vulnerability in Windows was neither a bug, nor a feature designed without security in mind, but was actually an intentionally placed backdoor. In a more detailed explanation, Gibson explains that the way SetAbortProc works in metafiles does not bear even the slightest resemblance to the way it works when used by a program while printing. Based on the information presented, it really does look like an intentional backdoor." There's a transcript available of the 'Security Now!' podcast where Gibson discusses this.

Re:Another?

How about a link to information on the "other" intentional back doors that exist?

*looks at clipboard*

Ok Goatse linkers, thats your cue.

Re:Another?

Actually, it's pretty well known that that isn't what happened at all [schneier.com].

Re:Another?

You mean the urban legend [cnn.com] about an NSA backdoor? There was *never* any evidence of a backdoor, only a registry key named "NSAKEY" and a bunch of paranoid fantasy. Because, you know, if the NSA did have a secret backdoor, they'd make sure is was called NSAKEY, in case they forgot where it was, or something.

Reflections on Trusting Trust

I'm surprised nobody's trotted out Reflections on Trusting Trust [acm.org], by Ken Thompson. Not only does this discuss a backdoor, but also a backdoor that can't be found by examining the source code.

Waif

where you waif that right.

I really think kate moss doesn't have anything to do with this, despite the recent press tizzy.

I would not be suprised at all.

I could see someone deliberatly doing this, maybe a contractor or a disgruntled employee.

Its happened before and it will happen again. Whether this is the case remains to be seen.

Re:I would not be suprised at all.

I could see someone deliberatly doing this, maybe a contractor or a disgruntled employee.

The problem with that argument is that in order to exploit this backdoor you'd have to get the target computer to load a WMF file. The main practical way to do this would be to embed it in a web page and have the target visit that page. The only sites that all windows machines access on a regular basis are Microsoft's. The employee would also have to have access to Microsoft's web site to exploit this reliably.

This seems to be only useful if MS itself wanted to use it. Use your imagination as to what they'd do with it. I can think of all kinds of things.

Re:I would not be suprised at all.

Actually, Gibson is saying he doesn't know if previous versions are exploitable or not. In fact he's counting on not, since that's the only way to determine when the "backdoor" was inserted. Gibson is a bomb thrower. There's no evidence other than his opinion that this is a deliberate backdoor.

Re:I would not be suprised at all.

Furthermore, if Gibson is so sure of himself, why isn't his own test utility available to everyone?

Eh? I just downloaded it, it's linked to from here [grc.com].

Re:I would not be suprised at all.

The only sites that all windows machines access on a regular basis are Microsoft's.

I presume you are willing to show the details of your extensive research that determined this factoid....

Re:I would not be suprised at all.

I'm not quite sure why they'd want to use it. End-users already trust Microsoft implicitly because they made the operating system, so if they wanted to, for instance, install some software on all Windows machines that reports home if it detects a pirated copy, they could just do it through a service pack update. Most people would willingly install it (or click the little automatic button in Windows Update), and there'd be none of this Tom Clancy technothriller intrigue.

I can't personally think of any kind of official reason why Microsoft would want to shove code onto Windows machines just from visiting their website. They've got tons of other ways of doing this.

Re:I would not be suprised at all.

I could see someone deliberatly doing this, maybe a contractor or a disgruntled employee.
- How about a totally stupid idea that MS thought was good?

I mean MS has a long history of ignoring security for usability, lock in and whatnot. WMF dates back to close to 10 years, back when MS really didn't give a damn about security. Even after a the big Gates propaganda email and Trusted Computing Initiative and all the hoopla, XP SP2 allows blank passwords for administrators, the user created during installation is an administrator, again if password is blank no one gives a shit. Remote registry is on by default. RPC on by default. Administrative shares are on by default. Not to mention a plethora of completely useless services.

MS just doesn't understand security. This WMF example is nothing different. It's some ancient code that never got looked at. Add to that the fact everyone and his mother is root, AND that the OS is a big bowl of spaghetti (hi2u IE deep in kernel), you get another attack vector vs Windows systems.

Did someone maliciously implement this WMF "feature"? I doubt it. It looks like another regular MS security hole that shows that MS has no clue about security.

Re:blank admin password

Get a clue, troll-

If you're going to accuse someone of trolling, you want to be pretty sure about your facts.

if you have a blank admin password, XP prevents ANY remote network access using that account.

Hmmmn, thats an interesting band-aid.

You are actually more secure with a blank password.

Really? More secure with a blank password? I doubt it.

Would make privilige escalation pretty damn easy after you'd hacked a user account.

And it makes all that least priviliged user stuff that MS goes on about a little irrelevant too.

Re:blank admin password

Hmmmn, thats an interesting band-aid.

Must be a pretty recent band-aid, too, since I deloused an XP computer exactly one year ago that had a blank admin account password, and which had been pwned by a worm that spread precisely by trying to log into everything it could see using administrator/[blank].

Re:I would not be suprised at all.

I thought this as well, but if you RTFA, you would see that Gibson doesn't think the SetAbortProc WMF exploit works the way it should.

According to the docs, SetAbortProc should provide a pointer to callback function that is called when a print is aborted. This in itself sounds like a security hole, but it could only be fired if the print is canceled, and then it can only run a preexisting callback method, not arbitary code.

According to Gibson, if you call SetAbortProc with a special key, it will instantly start running arbitary code from within the WMF. No cancelled print or preexisting method calls are requried.

If Gibson is correct, this bug is much different then how it looks on the surface.

Re:I would not be suprised at all.

Someone mentioned on Groklaw that the exploit also exists in wine which just implements the WMF spec.

NSA

Well, how else is the NSA going to fight terrorism?

Government backdoor?

There was talk about the NSA/CIA having a close relationship with Microsoft and being able to exploit backdoors in Windows. This could have all been conspiracy theories, but the fact that this vulnerability existed throughout the Windows line kinda seems odd..

If this isn't a glaring example on why you should support open source, I don't know what is....

Re:Government backdoor?

but the fact that this vulnerability existed throughout the Windows line kinda seems odd.

The function in question has existed for a long time. The exploit is in Windows 2000 and more recent. From the transcript:

But the only conclusion I can draw is that there has been code from at least Windows 2000 on, and in all current versions, and even, you know, future versions, until it was discovered, which was deliberately put in there by some group, we don't know at what level or how large in Microsoft, that gave them the ability that they who knew how to get their Windows systems to silently and secretly run code contained in an image, those people would be able to do that on remotely located Windows machines...

Re:Government backdoor?

Paraniod speculation. Much like the current story.

Re:Government backdoor?

Actually, Bruce Schneier's analysis is somewhat different.

http://www.schneier.com/crypto-gram-9909.html#NSAK eyinMicrosoftCryptoAPI [schneier.com]

The fact is, the majority of the people making claims about this don't even understand what it does. The majority of the speculation isn't possible. It doesn't give anyone (Not even Microsoft, much less the NSA) a backdoor into your computer.

Re:Government backdoor?

First you have to understand what the ramifications of this are likely to be.

The NSA is (in theory at least) legally forbidden to spy on Americans. Their main mission involves cryptoanalysis (codebreaking) and signal intelligence. So they spend a lot of time in foreign countries evesdropping on cell phone calls and the like. They have also been very much involved in the development of computerized cryptography (witness their role in the creation of DES). In this latter case, they have probably attempted to balance their interests in codebreaking with the legitimate interests in algorythmically secure encryption (i.e. make DES algorythmically secure, but shorten the key so we can break it if we really have to).

The rise of independant professional cryptography organizations, like RSA, Inc. has created a very serious problem for the NSA in this regard. In general, most of these new systems use variable length keys and are highly peer reviewed for attack potential. So the NSA cannot count on being able to brute force decrypt a document within a reasonable timeframe in the event of a clear and present need to decrypt the information.

Therefore, I believe that most of these are there to allow the NSA to bypass the encryption algorythms in Windows and allow them to access the information without having to attack the encryption. This would make reasonable sense given the NSA history.

Now, I see *no* reason to suppose that the NSA has anything to do with the WMF exploit. Instead, I suggest that this is likely to be a backdoor either put in place by a developer, at the request of a partner (such as the RIAA), etc. This backdoor has *nothing* to do with anything the NSA typically gets involved in, so I think even the most paranoid analysis can rule them out. Instead, this is just a strange attempt to allow the Media Player to be subverted and used in what ever way an attacker decides.

Now, Microsoft's response to this has been inadequate (they only grudgingly developed a patch), which suggests that this backdoor had the blessing of the company, much like the response to the Sony DRM rootkit which was undetected by agreement with First4Internet. Lest I appear to be too hard on Microsoft, I found Symantec's response ("Oh, we will start removing it" when First4Internet claims they were working with Symantec to ensure that it would not be removed) to be far less trustworthy.

Anyway, there is enough doubt in my mind about Microsoft's goodwill on these areas that I would not suggest running Windows in any environment that absolutely requires security. The system has fundamental design flaws from a security point of view, and these problems continue to underscore either serious development issues at Microsoft or an attitude that the security of the customer is not really that important.

Re:You're on

Like that'd be a tough thing to do [grcsucks.com]...

Re:Unparalleled BS from MS.

I't a lot like the Allied soldiers who were fighting in Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.

It's nothing like that actually, you are comparing apples to supernovas.

~S

Re:Unparalleled BS from MS.

It's nothing like that actually, you are comparing apples to supernovas.

It's worse, actually. He's comparing security holes to concentration camps.

Re:Unparalleled BS from MS.

Germany, being told all these horror stories about how evil the Nazis actually were, and then coming upon a concentration camp and finding out that these stories were real after all.

The stories Allied soldiers were told about the nazis paled in comparison to what they saw in the camps. Allied propagandists didn't have the imagination to come up with anything like the holocaust.

-jcr

(OT) Re:Unparalleled BS from MS.

The problem encountered by those reporting on the concentration camps was that in the FIRST world war, everybody got exposed to extreme propaganda depicting all germans as vile creatures. When the exaggerations and lies were brought to light, the public had then learned to seriously doubt such extreme accusations. It could be argued that when the reports from Jan Karski (an eyewitness to the ghetto and concentration camp conditions) were dismissed, it was due to that legacy of doubt in 1943.

The reporting during WWI damaged the credibility of all reporting during WWII.

jcr (53032): Allied propagandists didn't have the imagination to come up with anything like the holocaust.

They most certainly did have the imagination, but they realized that they did not have a willing audience for such accusations. Successful PR cannot be had with seemingly wild claims, especially if the organization has been shown to greatly overexaggerate in the past.

Length==1

This does look awfully like a special-case trigger. The idea of a backdoor is to have it look for a specifically crafted but completely nonsensical and invalid input sequence -- this serves as the "key" to the backdoor, ensuring that no other designer or user accidentally stumbles onto it. Since we assume that legitimate users and developers will only provide valid input, we design our "key" to be definitely invalid. For me, that length==1 trigger is the most convincing evidence. It's not just that it's the wrong input, it's that it's the one specific value of wrong input that triggers the behavior. That seems like design.

Re:Length==1

Obviously SetAbortProc should not be implemented for WMF playback, but assuming somebody screwed up and just called the normal version of Escape(), could the behaviour we're seeing here not somehow be the result of not checking the validity of the length parameter properly, performing some arithmetic on it, and possibly falling through to some other code that happens to a jump or call?

Re:Length==1

You're right, of course. Everyone who's saying this is "obviously" intentional are jumping the gun in a big way. I've got $5 right here that says it's an accident.

"Never ascribe to malice that which is adequately explained by incompetence."