any script to find renamed wmf files?

Discussion in 'Perl Misc' started by ~greg, Jan 2, 2006.

  1. ~greg

    ~greg Guest

    A whole lot of people right now, running Windows,
    need a script to check all the image files already on their
    hard drives to see if any of them are actually renamed .wmf files.

    It should be trivial to write this,
    -if you know what to look for in the files.

    Unfortunately, I don't.

    ~

    (i ask this here, because perl is my preferred language,
    and because i think perl users in general may be
    more familiar with looking inside files
    to determine actual file type (?))
     
    ~greg, Jan 2, 2006
    #1

  2. ~greg

    ~greg Guest

    found a description of Microsoft Windows Metafile format.
    here:

    http://www.whisqu.se/per/docs/wmf.htm


    However I don't know exactly what shimgvw.dll
    (or gdi32.dll, or whatever else is involved)
    is looking for that makes it decide
    that a .jpg or .gif is really a .wmf,
    and then "run" it.


    ------------------------------------------


    "~greg" <> wrote in message news:...
    >
    > A whole lot of people right now, running Windows,
    > need a script to check all the image files already on their
    > hard drives to see if any of them are actually renamed .wmf files.
    >
    > It should be trivial to write this,
    > -if you know what to look for in the files.
    >
    > Unfortunately, I don't.
    >
    > ~
    >
    > (i ask this here, because perl is my preferred language,
    > and because i think perl users in general may be
    > more familiar with looking inside files
    > to determine actual file type (?))
     
    ~greg, Jan 2, 2006
    #2

  3. ~greg

    MSG Guest

    ~greg wrote:
    > found a description of Microsoft Windows Metafile format.
    > here:
    >
    > http://www.whisqu.se/per/docs/wmf.htm
    >
    >
    > However I don't know exactly what shimgvw.dll
    > (or gdi32.dll, or whatever else is involved)
    > is looking for that makes it decide
    > that a .jpg or .gif is really a .wmf,
    > and then "run" it.
    >
    >
    > ------------------------------------------
    >
    >
    > "~greg" <> wrote in message news:...
    > >
    > > A whole lot of people right now, running Windows,
    > > need a script to check all the image files already on their
    > > hard drives to see if any of them are actually renamed .wmf files.
    > >
    > > It should be trivial to write this,
    > > -if you know what to look for in the files.
    > >
    > > Unfortunately, I don't.
    > >
    > > ~
    > >
    > > (i ask this here, because perl is my preferred language,
    > > and because i think perl users in general may be
    > > more familiar with looking inside files
    > > to determine actual file type (?))

    I am afraid that you have completely missed the point of this whole wmf
    issue:
    Your existing wmf files are ok if your Windows has not already been
    infected. The bad ones come from outside. So the work-around never
    calls for renaming files. Instead you unregister the dll file.
    Perl won't help you for that matter.
     
    MSG, Jan 2, 2006
    #3
  4. ~greg

    l v Guest

    ~greg wrote:
    > A whole lot of people right now, running Windows,
    > need a script to check all the image files already on their
    > hard drives to see if any of them are actually renamed .wmf files.
    >
    > It should be trivial to write this,
    > -if you know what to look for in the files.
    >
    > Unfortunately, I don't.
    >
    > ~
    >
    > (i ask this here, because perl is my preferred language,
    > and because i think perl users in general may be
    > more familiar with looking inside files
    > to determine actual file type (?))


    ImageMagick's identify command will list a file's format regardless of
    its name.

    Len
     
    l v, Jan 2, 2006
    #4
  5. ~greg

    Shane Guest

    On Mon, 02 Jan 2006 12:04:00 -0800, MSG wrote:

    >
    > ~greg wrote:
    >> found a description of Microsoft Windows Metafile format. here:
    >>
    >> http://www.whisqu.se/per/docs/wmf.htm
    >>
    >>
    >> However I don't know exactly what shimgvw.dll (or gdi32.dll, or whatever
    >> else is involved) is looking for that makes it decide
    >> that a .jpg or .gif is really a .wmf, and then "run" it.
    >>
    >>
    >> ------------------------------------------
    >>
    >>
    >> "~greg" <> wrote in message
    >> news:...
    >> >
    >> > A whole lot of people right now, running Windows, need a script to
    >> > check all the image files already on their hard drives to see if any
    >> > of them are actually renamed .wmf files.
    >> >
    >> > It should be trivial to write this,
    >> > -if you know what to look for in the files.
    >> >
    >> > Unfortunately, I don't.
    >> >
    >> > ~
    >> >
    >> > (i ask this here, because perl is my preferred language, and because i
    >> > think perl users in general may be more familiar with looking inside
    >> > files to determine actual file type (?))

    > I am afraid that you have completely missed the point of this whole wmf
    > issue:
    > Your existing wmf files are ok if your Windows has not already been
    > infected. The bad ones come from outside. So the work-around never calls
    > for renaming files. Instead you unregister the dll file. Perl won't help
    > you for that matter.


    I've read today that unregistering what was thought to be the guilty dll
    won't save you, and another is under suspicion (gotta love closed source,
    feeling round in the dark trying to figure out which file is making you
    vulnerable)

    http://www.viruslist.com/en/weblog?discuss=176892530&return=1
    Going back to the wmf vulnerability itself, we see a number of sites mention that
    shimgvw.dll is the vulnerable file.
    This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll
    has been unregistered and deleted. The vulnerability seems to be in
    gdi32.dll.

    So while unregistering shimgvw.dll may make you less vulnerable, several attack
    scenarios come to mind where the system can still be compromised.
    It has to be noted that in this case the attack vector of web browsers
    seems significantly smaller than that of explorer+third party programs.



    --
    <Overfiend> penis jokes are okay in mixed company. VMS is NOT!!!
     
    Shane, Jan 2, 2006
    #5
  6. ~greg

    Dr.Ruud Guest

    Dr.Ruud, Jan 3, 2006
    #6
  7. ~greg

    Gerhard Sprenger Guest

    ~greg wrote:

    > found a description of Microsoft Windows Metafile format.
    > here:
    >
    > http://www.whisqu.se/per/docs/wmf.htm
    >
    >
    > However I don't know exactly what shimgvw.dll
    > (or gdi32.dll, or whatever else is involved)
    > is looking for that makes it decide
    > that a .jpg or .gif is really a .wmf,
    > and then "run" it.
    >
    >
    > ------------------------------------------
    >


    Hello Greg, you may have a look at

    http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html
    *** and ***
    http://www.hexblog.com/2005/12/wmf_vuln.html

    The first one describes a check utility
    (http://www.hexblog.com/security/files/wmf_checker_hexblog.exe)
    the second one a hotfix
    (http://www.hexblog.com/security/files/wmffix_hexblog14.exe).

    Highly recommended.
    Ilfak Guilfanov is the author of these tools; he's a renowned Windows
    expert.

    Kind regards - Gerhard Sprenger.
     
    Gerhard Sprenger, Jan 3, 2006
    #7
  8. ~greg

    ~greg Guest

    "l v" <> wrote in message news:...
    > ~greg wrote:
    >> A whole lot of people right now, running Windows,
    >> need a script to check all the image files already on their
    >> hard drives to see if any of them are actually renamed .wmf files.
    >>
    >> It should be trivial to write this,
    >> -if you know what to look for in the files.
    >>
    >> Unfortunately, I don't.
    >>
    >> ~
    >>
    >> (i ask this here, because perl is my preferred language,
    >> and because i think perl users in general may be
    >> more familiar with looking inside files
    >> to determine actual file type (?))

    >
    > ImageMagick's identify command will list a file's format regardless of
    > its name.
    >
    > Len


    ----------------------------------------

    Thank you all for your responses.

    ( Normally I only respond to responses
    on the 2nd Tuesday of each month,
    but this calls for an exception.)


    I see that ImageMagick would do what I asked for. Thank you.
    (--I may get around to installing it some day, --even though
    there must be some good reason why ActiveState doesn't provide it.
    (--maybe something to do with gif-laws?))


    I found however that there is (-of course) a module
    targeted at the specific task, --namely File::MMagic:

    use strict;
    use warnings;
    use File::MMagic;

    # checktype_filename() reports a MIME type from the file's leading
    # "magic" bytes, so a renamed file is still identified by its contents
    my $MM = File::MMagic->new;
    print $MM->checktype_filename("Untitled.jpg"), "\n";

    __END__

    That printed
    "image/gif"
    for me, since I'd renamed an "Untitled.gif" to "Untitled.jpg" before running it.

    (for Windows Meta Files it responds with:
    application/octet-stream

    which is good enough for me, although it should probably respond with:
    application/x-msmetafile
    or
    image/x-wmf
    or something like that.)


    (I changed those file-extensions just to check if MMagic actually looks at the
    "magic" header-bytes to determine file-type (as its name - "MMagic" -suggests)
    or only looks at file-extensions to determine file type.

    This was because something I'd read by someone who'd read the doc
    said he was left unsure about that. I think that was because MMagic
    *can* consider file-extensions, and because he was using perl on Windows
    and "knew" that Windows only ever goes by file-extension.
    (Someone more used to shebang (sharp-bang: #!) type environments might
    have made the opposite assumption.)


    That's the heart of the problem though.

    MSG said he was afraid that I
    "have completely missed the point of this whole wmf issue:"

    And, normally, that'd be a safe assumption about me.
    (I know about malware only in principle, not in detail.
    My interest has never gone in that direction.)

    But this case is quite different.
    This case is easy to understand.
    (Much easier even than buffer-overruns etc)

    As everyone should know by now the problem is not in shimgvw.dll.

    But neither is it in the archaic 16-bit function in gdi32.dll,
    (the heart of windows) that lets arbitrary code run.

    And it's not in the Paint program, or any other program that
    renders wmf files with the gdi32.dll, and so might render evil.

    Because if that was all there was to it, then you'd just treat
    wmfs exactly like exes, - with filters and permissions.
    Or disabling them altogether.


    The real problem is of course that
    a wmf --- can be a jpg.
    Etc.

    The real problem is this:
    "MIME Type Detection in Internet Explorer"

    http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp

    it's Windows going by:
    quote:

    1) The server-supplied MIME type, if available
    2) An examination of the actual contents associated with a downloaded URL
    3) The file name associated with the downloaded content (assumed to be derived from the associated URL)
    4) Registry settings (file extension/MIME type associations or registered applications) in effect during the download
    ...
    quote:
    FindMimeFromData
    contains hard-coded tests for (currently 26) separate MIME types
    (see Known MIME Types). This means that if a given buffer contains data
    in the format of one of these MIME types, a test exists in FindMimeFromData
    that is designed (by scanning through the buffer contents) to recognize
    the corresponding MIME type.

    Etc.

    ~greg
     
    ~greg, Jan 5, 2006
    #8
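The scanner greg asked for in the first post, written as an added example that is not code from the thread or from any of the tools linked in it. It does what File::MMagic in the post above could not quite do: File::MMagic reports a bare application/octet-stream for metafiles because a standard (non-placeable) WMF has no magic number at all, so the script instead parses the 18-byte META_HEADER and checks the field constraints the format imposes (Type 1 or 2, HeaderSize 9, Version 0x0100 or 0x0300), recognises the placeable-WMF key 0x9AC6CDD7 and the EMF " EMF" signature at offset 40, and flags any other file whose leading bytes disagree with its image extension. The file names, the sample headers written into a temporary directory, and the verdict labels are all constructed for the demo; they are not real malware samples. The META_HEADER match is a heuristic, so an unrelated binary file can occasionally match it by chance, and a hit only tells you the file is a metafile, not that it is malicious.

```perl
#!/usr/bin/perl
# Added example (not from the thread): find files whose contents are a
# Windows Metafile (WMF/EMF) whatever extension they carry, and flag
# other extension/content mismatches. Core modules only.
use strict;
use warnings;
use File::Find;
use File::Spec;
use File::Temp qw(tempdir);

# Placeable WMF key 0x9AC6CDD7, little-endian on disk: D7 CD C6 9A
my $PLACEABLE_KEY = pack('V', 0x9AC6CDD7);

# Extension -> type tag sniff_type() is expected to return for it
my %EXPECTED = (jpg => 'jpeg', jpeg => 'jpeg', gif => 'gif', png => 'png',
                bmp => 'bmp', wmf => 'wmf', emf => 'emf');

# Classify the leading bytes of a file. Returns a type tag or 'unknown'.
sub sniff_type {
    my ($buf) = @_;
    return 'unknown' if !defined $buf || length($buf) < 18;
    return 'jpeg' if substr($buf, 0, 3) eq "\xFF\xD8\xFF";
    return 'gif'  if substr($buf, 0, 4) eq 'GIF8';
    return 'png'  if substr($buf, 0, 8) eq "\x89PNG\r\n\x1A\n";
    return 'bmp'  if substr($buf, 0, 2) eq 'BM';
    return 'wmf-placeable' if substr($buf, 0, 4) eq $PLACEABLE_KEY;
    # EMF: first record is EMR_HEADER (type 1), ASCII " EMF" at offset 40
    return 'emf' if length($buf) >= 44
        && unpack('V', $buf) == 1 && substr($buf, 40, 4) eq ' EMF';
    # Standard WMF has no magic number, so parse META_HEADER and apply
    # the constraints the format imposes on its fields:
    #   Type (u16)        1 = memory metafile, 2 = disk metafile
    #   HeaderSize (u16)  always 9 (16-bit words)
    #   Version (u16)     0x0100 or 0x0300
    #   Size (u32)        whole file in 16-bit words, so never below 9
    my ($type, $hdr, $ver, $size_words) = unpack('v v v V', $buf);
    return 'wmf' if ($type == 1 || $type == 2) && $hdr == 9
        && ($ver == 0x0100 || $ver == 0x0300) && $size_words >= 9;
    return 'unknown';
}

# Returns (sniffed_type, verdict): 'metafile' for any WMF/EMF content,
# 'mismatch' when the bytes disagree with a known image extension,
# 'ok', or 'unknown'.
sub check_file {
    my ($path) = @_;
    open my $fh, '<:raw', $path or return ('unreadable', 'unknown');
    read $fh, my $buf, 64;
    close $fh;
    my $sniffed = sniff_type($buf);
    my ($ext) = $path =~ /\.([A-Za-z0-9]+)\z/;
    my $expected = $EXPECTED{ defined $ext ? lc $ext : '' };
    return ($sniffed, 'metafile') if $sniffed =~ /^(?:wmf|wmf-placeable|emf)$/;
    return ($sniffed, 'unknown')  if !defined $expected || $sniffed eq 'unknown';
    return ($sniffed, $sniffed eq $expected ? 'ok' : 'mismatch');
}

# Walk a tree and collect every metafile or mismatched image.
sub scan_tree {
    my ($root) = @_;
    my @hits;
    find({ no_chdir => 1, wanted => sub {
        my $p = $File::Find::name;
        return unless -f $p;
        my ($sniffed, $verdict) = check_file($p);
        push @hits, [$verdict, $sniffed, $p]
            if $verdict eq 'metafile' || $verdict eq 'mismatch';
    } }, $root);
    return @hits;
}

unless (caller) {
    my $root = shift @ARGV;
    unless (defined $root) {
        # No directory given: build constructed samples in a temp dir
        # (synthetic headers, not real malware) and scan those instead.
        $root = tempdir(CLEANUP => 1);
        my %samples = (
            'holiday.jpg'  => pack('v v v V v V v', 2, 9, 0x0300, 20, 1, 12, 0)
                              . ("\0" x 22),              # standard WMF
            'photo.gif'    => $PLACEABLE_KEY . ("\0" x 18)
                              . pack('v v v V v V v', 1, 9, 0x0100, 20, 0, 0, 0),
            'Untitled.jpg' => 'GIF89a' . ("\0" x 30),     # renamed GIF
            'real.jpg'     => "\xFF\xD8\xFF\xE0" . ("\0" x 30),
        );
        for my $name (sort keys %samples) {
            open my $fh, '>:raw', File::Spec->catfile($root, $name) or die $!;
            print {$fh} $samples{$name};
            close $fh;
        }
    }
    printf "%-9s %-14s %s\n", @$_ for scan_tree($root);
}
```

Run it with a directory argument (e.g. `perl wmfscan.pl "C:\Documents and Settings"`) to scan a real tree; with no argument it writes the four constructed samples and scans those, reporting the renamed standard WMF, the renamed placeable WMF and the GIF-named-.jpg, and staying silent about the genuine JPEG. The script only ever reads the first 64 bytes of each file and never hands anything to the Windows rendering code, so listing a file does not trigger it.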