IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

New Seems very unlikely to me
If Gibson's understanding of the coding vunrability is right then I agree with him, it's very hard to think that it is a coding mistake. It strikes me as also very unlikely that somebody as MS intentionally left such a backdoor in Windows.

My guess would be that some programmer at MS put the backdoor in on his own because it was handy for debugging something he was working on or some such and it never got taken out.

Jay
New But thats just as bad
especially in light of the code freeze and review.

It should have been caught...but wasn't (which he covers).

I would not be hard-pressed to believe that there are several of these, there on purpose and that this one simply "got found out".

Sort of like easter eggs...only with a completely different purpose (NSA or otherwise).

If you push something hard enough, it will fall over. Fudd's First Law of Opposition

[link|mailto:bepatient@aol.com|BePatient]
New Do I unnderstand this right?
I heard it had to do with printing images, and the ability to abort a print job. Is that appropriate to put in the image code, and not the printing code?

I guess for really large files on older hardware it could take a while to finish converting it into a printable format and you'd want to be able to interrupt it. But wouldn't it make more sense <question class="from ignorance">to spawn a thread for the printing, and if you receive the interrupt from the printing system you just kill that one thread?<question>
===

Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
New did $MS understand multithreading when they wrote it?
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free american and do not reflect the opinions of any person or company that I have had professional relations with in the past 50 years. meep
New It is part of that
I guess for really large files on older hardware it could take a while to finish converting it into a printable format and you'd want to be able to interrupt it. But wouldn't it make more sense <question class="from ignorance">to spawn a thread for the printing, and if you receive the interrupt from the printing system you just kill that one thread?<question>

The function in question is the one a program uses to tell Windows that you want that interrupt and where you want that notification send in your program.

But this function not for the conversion phase, it is for the actual printing part. This is to handle the case where the program is done with the printing entirly, but the physical pages are not done coming out of the printer. This lets the program get notification if the print job is stopped after the program is done with it.

As for why the function exists at all for WMF and display routines, it is because of Windows unified drawing subsystem. Windows, in theory, has one set of drawing functions that are used for all output contexts. WMF are really just a way of storing those drawing commands in a file, and thus WMFs have access to the same functions as display and printer routines.

Jay
New No.
He was using the explanation of printing VS viewing as a reason why MS MIGHT have screwed up and done it by accident.

If a file is going to the print subsystem, there is the possibility that the job will need to be aborted after the hand-off. So there is the ability to drop a callback into the file that will allow the print subsystem to check if it has been aborted. The callback is a 4 byte address in the submitting program's memory space, which hold a routine, and will tell the print subsystem whether the job should be aborted.

This is a different.

In this case, there is an illegal instruction in the wmf file that is VERY unlikely to be there by accident. It essential saya that the length of the data to follow is 1 byte, but since it is dealing in words is must be at LEAST 4 bytes. Combined that with the abort instruction. And then, rather than jump to a callback (which would be appropriate if this was a mistake, ie: cut-and-paste of the underlying code that make no sense for viewing rather than printing), start executing code contained within the image file.

This also means there is no return to current operation, since the stack is destroyed,
New I would say not quite as bad
Of course, I would also say it is the difference between criminal negligence and homicide. Either way it is a crime.

Jay
New Microsoft have an explanation.
And I believe it's credible.

[link|http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx|http://blogs.technet...01/13/417431.aspx]

To detail it a little bit, SetAbortProc functionality was a needed component in the graphics rendering environment for applications to register a callback to cancel printing, before even the WMF file format existed. ... Around 1990, WMF support was added to Windows 3.0 as a file-based set of drawing commands for GDI to consume. The SetAbortProc functionality, like all the other drawing commands supported by GDI, was ported over (all in assembly language at this point) by our developers to be recognized when called from a WMF. This was a different time in the security landscape and these metafile records were all completely trusted by the OS. To recap, when it was introduced, the SetAbortProc functionality served an important function.


He goes on to say that IE's WMF execution would not recognise the function class that SetAbortProc is in, but there are simple ways to trick it into running such a WMF file via another program anyway.

It looks like a case of a very old and still very useful low-level Windows function that is still around but the landscape around it has changed so much that it's causing problems.

Wade.
"Insert crowbar. Apply force."
Expand Edited by static Jan. 18, 2006, 01:02:33 AM EST
New Artful Dodging
That's not why Gibson thought it was a back door. The back door part comes in when you realize that the SetAbortProc functionality only works in a WMF when you explicitly (and incorrectly) set the content size to 1.

BTW, fix your link, please.
Regards,

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
New Link fixed.
Actually, I think MS and Gibson are talking past each other. This MS guy is asserting that Gibson is basically wrong to think of it as a backdoor. OTOH, Gibson seems to have found a genuine bug in the parsing of a WMF, if an incorrect length of 1 can trigger that behaviour. It'd be interesting to see his counter-response (he hasn't posted one yet).

Wade.
"Insert crowbar. Apply force."
New I like how that "blog" doesn't allow comments, too.
Regards,

-scott anderson

"Welcome to Rivendell, Mr. Anderson..."
New If it's brought forward from legacy stuff . . .
. . how come legacy Windows isn't vulnerable? The features enabling the vulnerability were introduced in Windows 2000 and XP.
[link|http://www.aaxnet.com|AAx]
New Dang. Beat me to it. That was my first thought.
bcnu,
Mikem

It would seem, therefore, that the three human impulses embodied in religion are fear, conceit, and hatred. The purpose of religion, one might say, is to give an air of respectibility to these passions. -- Bertrand Russell
New No default program for WMF = No "critical" vulnerability
--
Chris Altmann
     Steve Gibson: "WMF flaw was a deliberate back door". - (Andrew Grygus) - (30)
         He needs to adjust his tinfoil IMHO -NT - (altmann) - (9)
             He's got a pretty good case - (bepatient) - (8)
                 Yup - (broomberg)
                 Is there more in it that what was in the transcript? - (altmann) - (3)
                     Where'd you find a transcript? - (jb4) - (2)
                         On GRC - (Another Scott)
                         Podcast is just an MP3 -NT - (drewk)
                 A guy over at SysInternals is said to be . . . - (Andrew Grygus) - (2)
                     Sysinternals verdict: Not a back door - (altmann) - (1)
                         Just stupidity and incompetence, eh? SOP for M$. -NT - (n3jja)
         Seems very unlikely to me - (JayMehaffey) - (13)
             But thats just as bad - (bepatient) - (5)
                 Do I unnderstand this right? - (drewk) - (3)
                     did $MS understand multithreading when they wrote it? -NT - (boxley)
                     It is part of that - (JayMehaffey)
                     No. - (broomberg)
                 I would say not quite as bad - (JayMehaffey)
             Microsoft have an explanation. - (static) - (6)
                 Artful Dodging - (admin) - (1)
                     Link fixed. - (static)
                 I like how that "blog" doesn't allow comments, too. -NT - (admin)
                 If it's brought forward from legacy stuff . . . - (Andrew Grygus) - (2)
                     Dang. Beat me to it. That was my first thought. -NT - (mmoffitt) - (1)
                         No default program for WMF = No "critical" vulnerability -NT - (altmann)
         Interesting "analysis" / Guess-of-motives - (Ashton) - (5)
             Shields up is a waste of time. - (pwhysall) - (4)
                 Elitist smugness - (Ashton) - (3)
                     Whatever, Ash. - (pwhysall) - (2)
                         Sorry Ash, but Peter is right here. -NT - (inthane-chan)
                         I acknowledge those valld criticisms. - (Ashton)

You entered famous last wordsburg territory thinking along that line.
207 ms