
Thread: Did Microsoft build a backdoor in all windows os's? Looks like it... read more

  1. #1 egghead (Precision Processor Super Moderator) | Join Date: May 2002 | Location: In Your Monitor | Posts: 3,506


    Oh my!!!

    This is breaking news folks

    Steve Gibson has hacked the code in the WMF vulnerability and pushes the idea that the code was written intentionally and could not be a mistake in the code.

    WOW

    read here,
    Leo and I carefully examine the operation of the recently patched Windows MetaFile vulnerability. I describe exactly how it works in an effort to explain why it doesn't have the feeling of another Microsoft "coding error". It has the feeling of something that Microsoft deliberately designed into Windows. Given the nature of what it is, this would make it a remote code execution "backdoor". We will likely never know if this was the case, but the forensic evidence appears to be quite compelling.

    listen to the mp3 discussion,
    http://media.grc.com/sn/SN-022.mp3

    going to think hard on this


    later

    egghead



  2. #2 egghead (Precision Processor Super Moderator) | Join Date: May 2002 | Location: In Your Monitor | Posts: 3,506
    bump!

    must listen to the mp3 discussion! very interesting how the code was written to do this...

    this flaw is in every version of Windows and will get through to your computer, even breaking past your firewall

    this is the thing that makes you go hmmm. BTW no patch plans for Win 95, 98, and Millennium..... oops

    forgot to post a link to grc.com

    http://www.grc.com/default.htm

    my bad
    Last edited by egghead; January 14th, 2006 at 02:06 AM.



  3. #3 Reverend (Head Honcho Administrator) | Join Date: Apr 2002 | Location: England | Posts: 14,045
    "every version of windows".

    Why did it take him so long to discover it then?


  4. #4 egghead (Precision Processor Super Moderator) | Join Date: May 2002 | Location: In Your Monitor | Posts: 3,506
    here is the transcript for those without speakers

    it really is a fascinating read......

    http://www.grc.com/sn/SN-022.txt

    it seems like there is an unlock code and that triggers the exploit or backdoor

    it was harmless since you must visit a website for it to work, but since it is now in the open it is no doubt being exploited by CoolWebSearch (speculation) and who knows how many other advertisers and data funnellers



  5. #5 egghead (Precision Processor Super Moderator) | Join Date: May 2002 | Location: In Your Monitor | Posts: 3,506
    Check this out! From the transcript

    LEO: And by the way, even if Microsoft doesn't consider it critical, certainly everybody else does, including the users who are susceptible to this.

    STEVE: Well, and there's still millions of Windows 9x and ME systems out there, I mean, actively on the Internet, that are now in some sort of unknown limbo state. So over the weekend I rolled up my sleeves and sort of switched into what was really hacker mode. You know, normally I'm writing code. Now it's like, okay, I'm going to sort of follow in Ilfak's footsteps. And I wanted to acquire an understanding of exactly what this problem was in order to determine for myself first if, in fact, these older versions of Windows were actually vulnerable. And then, if so, I would certainly have a head start on how to cure that vulnerability.

    So I started with what was known, which was the vulnerability in our existing versions of Windows, you know, 2000, XP, and so forth, and basically created from scratch my own GRC-style vulnerability testing tool. And, you know, there was, you know, code snippets from the hacking sites. And Ilfak had in fact published the source for his tester. Mine ends up working differently because, again, I wrote it from scratch. I have a different approach. But I had a hard time getting this vulnerability to trigger. I was creating metafiles. I was using this, you know, this Escape/SETABORTPROC procedure that we knew was sort of the vector of exploitation. Mine wasn't working. And...

    LEO: And this is in Windows 98 you're talking about.

    STEVE: No, this is Windows 2000.

    LEO: Oh, you couldn't even get it in 2000.

    STEVE: I removed the patch from my system, and I could not get the exploit to trigger using a metafile that I created with my own code. It just, you know, it came back and said it could not play the metafile, but it wouldn't run any of my own code. So, you know, I scratched my head. I looked at, you know, at the other samples of malicious metafiles. And, you know, the way a metafile is built is there's a header, a set of bytes that's the header that talks about what version of Windows it's using, how large the whole metafile is, what the size of the largest metafile record contained within the metafile is, sort of gives Windows some orientation for the subsequent processing of these metafile records. Then you have a series of metafile records where each one starts out with a four-byte size of that record in words, then a two-byte function number which is what type of metafile record this is, then followed by between zero or however many data that function requires. So it's pretty straightforward.

    Well, it turned out that, first of all, the way this Escape function was working was it didn't strike me as, like, erroneous. That is, what this Escape/SETABORTPROC function does, the idea is that when an application is printing to the printer, it creates something called a Device Context. I've got to get a little bit tricky here with Windows terminology. But, you know, everyone will be able to follow along. It creates something called a Printer Device Context where things like the thickness of the pen, the color of the pen, the size of the paper, sort of all the things that are about the context of this printing page are stored. So once the application has a page ready, it turns it over to Windows and says, okay, here, go print this. And essentially it's done with that page, and it gets on about its business, for example, maybe getting the next page ready to hand over to Windows to print.

    The problem is, what if the user aborted that page, that is, aborted the printing of the page, after it had been handed over to Windows? Since the application that's doing the printing has already turned responsibility for the printing over to Windows, there's really no way for Windows to say, hey, oops, just want to let you know the user canceled your print job. So this SETABORTPROC is a means for giving that printer context, that printer device context, a subroutine that Windows can call back in the application. It's called a "callback," in fact, because Windows calls back the application to notify it if the user or something causes an abort of the print job. So, you know, that's what that is. It's well understood. It makes complete sense in a printer device context.

    LEO: So my understanding of it and the general understanding of it has changed a little bit. It is just simply a callback routine that's designed for aborting a printing process so that you can callback the calling program.

    STEVE: Yeah. Basically you're giving Windows a pointer. You're giving Windows a pointer to a subroutine in your code and telling Windows, if the user aborts the print job, and I've given you a pointer, then call that subroutine of mine, which is a way for Windows to notify the application. That's what that is.

    LEO: Right.

    (continued below)



  6. #6 egghead (Precision Processor Super Moderator) | Join Date: May 2002 | Location: In Your Monitor | Posts: 3,506
    (continued)

    STEVE: Well, okay. First of all, it makes no sense at all in a metafile device context. In the context of processing a metafile, setting a printer abort is crazy because it's not a printer context. You don't print metafile contexts in this way. It's just not the way it's done in Windows. So it doesn't make sense. But it's like, okay, well, so maybe, you know, it's there anyway; they didn't think to remove it or take it out. Except that, when I was pursuing this and finally got it to work, what Windows did when it encountered this Escape function, followed by the SETABORTPROC metafile record, was it jumped immediately to the next byte of code and began to execute it. That is, it was no longer interpreting my metafile records record by record, which is the way metafiles are supposed to be processed. You don't actually execute the metafile. As we said before last week, and I think the week before, it's sort of a script. It's a script of Windows graphics calls that allow you to specify, you know, draw a rectangle from here to here, draw a line from there to there. And it's in a nice sort of device-independent fashion. So you don't run the code in the metafile. But what Windows did when it encountered this particular nonsensical sequence was to start executing the next byte of code in the metafile.

    LEO: Hmm.

    STEVE: And it's like, okay, wait a minute.

    LEO: Why?

    STEVE: You know, that's crazy. But what's even more crazy is what it took for me to make it do this. As I said before, each record in a metafile begins with a four-byte length, followed by a two-byte function number. So in other words, each metafile record has six bytes minimum that it can possibly be in size. Oh, and since the size is in words, the smallest possible size for a metafile record would be three words long, or six bytes. Look, the reason I had problems making this exploit happen initially is I was setting the length correctly. It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn't trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one.

    LEO: And why were you experimenting? Isn't the exploit well known and documented, and isn't there exploit code floating around?

    STEVE: No. I mean, what we've got, Leo, is a bunch of misunderstanding and sort of strange half explanations. I mean, you know, and frankly...

    LEO: So none of the hacker sites have exploit code up.

    STEVE: Oh, no, many of them do. But no one is really looking - see, they don't care about how Windows is working. They just want to get their code to run.

    LEO: Right.

    STEVE: And so, you know, because I'm a developer when I'm not being a hacker, I wanted to understand - oh, and the other thing is, I want to write a robust testing application, you know, that always works all the time. So I wanted to know, like, okay, what bytes have to be set which way, what matters, what doesn't. Because, you know, that's the way you get something that is as solid as, you know, the code that I put out from GRC. So what I found was that, when I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code. Okay, Leo? This was not a mistake. This is not buggy code. This was put into Windows by someone. We are never going to know who. We're never going to know - well, actually I'm going to find out when because we're going to know when this appeared because this appeared - I'm guessing this is not in older versions of Windows, which is why this function - or if it is in older versions of Windows, it's done slightly differently. I'm still on the hunt.

    So this is not my last report on this. I expect to have a much better sense for this a week from now. But the only conclusion I can draw is that there has been code from at least Windows 2000 on, and in all current versions, and even, you know, future versions, until it was discovered, which was deliberately put in there by some group, we don't know at what level or how large in Microsoft, that gave them the ability that they who knew how to get their Windows systems to silently and secretly run code contained in an image, those people would be able to do that on remotely located Windows machines...

    LEO: So you're saying intentionally or - Microsoft intentionally put a backdoor in Windows? Is that what you're saying?

    STEVE: Yes.

    LEO: Well, that's a pretty strong accusation. Could this not have been a...

    STEVE: Well, it's the only conclusion...

    LEO: It couldn't have been a mistake?

    STEVE: I don't see how it could have been a mistake. Again, I'm going to continue to look at it. But from what I've seen now, this had to be deliberate. It was not what we were led to believe. Well, and it's funny, too, because then I thought, okay, wait a minute, Microsoft has lied to us. I reread the original vulnerability spec in, you know, their vulnerability page. And they never say this isn't the case. I mean, they describe it as a vulnerability, which it certainly is. Nowhere, you know, is even what I'm saying contradicted by their page.

    Egghead says: Hmmmmm...............
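The metafile layout Steve walks through above (the 18-byte header, then records made of a 4-byte size in words plus a 2-byte function number, the Escape record carrying SETABORTPROC, and the size field of 1 that he says was the only value that triggered it) is enough to write a scanner for the pattern. The one below is an added example; it is not code from the posts, from the transcript or from GRC. It builds two metafiles inline (a plain rectangle, and one with an Escape/SETABORTPROC record whose size field is forced to 1, with zero bytes where a payload would sit), walks the records, and flags any Escape/SETABORTPROC record plus any size below the three-word minimum. The record and escape numbers (META_ESCAPE 0x0626, SETABORTPROC 9, META_EOF 0x0000, META_RECTANGLE 0x041B) and the header and record layouts are the standard WMF values; nothing here attempts to run anything.

```python
"""Walk the records of a Windows Metafile and flag the Escape/SETABORTPROC
pattern discussed in the thread.  Added example, not code from the posts or
from GRC; the two sample files at the bottom are constructed inline."""
import struct

# META_HEADER: Type, HeaderSize (words), Version, Size (words), NumberOfObjects,
# MaxRecord (words), NumberOfMembers -- 18 bytes in total.
HEADER_FMT = "<HHHIHIH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_FMT = "<IH"          # every record: 4-byte size in words, 2-byte function
MIN_RECORD_WORDS = 3        # the 6-byte prefix alone is three words

META_EOF = 0x0000
META_RECTANGLE = 0x041B
META_ESCAPE = 0x0626
SETABORTPROC = 9            # GDI escape number carried inside a META_ESCAPE record


def build_record(func, params=b"", size_words=None):
    """Serialise one record; size_words overrides the (correct) computed size."""
    if len(params) % 2:
        params += b"\x00"   # records are word aligned
    if size_words is None:
        size_words = (6 + len(params)) // 2
    return struct.pack(RECORD_FMT, size_words, func) + params


def escape_record(escape_no, payload=b"", size_words=None):
    """META_ESCAPE record: escape number, byte count, then the escape's data."""
    params = struct.pack("<HH", escape_no, len(payload)) + payload
    return build_record(META_ESCAPE, params, size_words)


def build_wmf(records):
    """Prepend a consistent META_HEADER to a list of serialised records."""
    body = b"".join(records)
    max_words = max(struct.unpack_from("<I", r)[0] for r in records)
    header = struct.pack(HEADER_FMT, 1, 9, 0x0300,
                         (HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    return header + body


def scan_wmf(data):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if len(data) < HEADER_LEN:
        return ["truncated: shorter than the 18-byte header"]
    hdr_words = struct.unpack_from(HEADER_FMT, data, 0)[1]
    if hdr_words != 9:
        findings.append(f"header size field is {hdr_words} words, expected 9")
    off = HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from(RECORD_FMT, data, off)
        # The escape number sits at a fixed offset, so check it before trusting size.
        if func == META_ESCAPE and off + 10 <= len(data):
            escape_no = struct.unpack_from("<H", data, off + 6)[0]
            if escape_no == SETABORTPROC:
                findings.append(f"record at 0x{off:x}: META_ESCAPE carrying "
                                f"SETABORTPROC (size field {size_words} words)")
        if func == META_EOF:
            return findings
        if size_words < MIN_RECORD_WORDS:
            # A size below the 6-byte prefix is impossible; nothing after this
            # record can be located reliably, so report it and stop.
            findings.append(f"record at 0x{off:x}: impossible size {size_words} "
                            f"words (minimum is {MIN_RECORD_WORDS}); stream is malformed")
            return findings
        off += size_words * 2
    findings.append("no META_EOF record before end of data")
    return findings


# Constructed samples: a benign one-rectangle metafile, and one that carries an
# Escape/SETABORTPROC record with the size field forced to 1 (the value the
# transcript singles out).  The escape data is zero bytes, not a payload.
RECT = struct.pack("<hhhh", 100, 100, 0, 0)     # Bottom, Right, Top, Left
BENIGN_WMF = build_wmf([build_record(META_RECTANGLE, RECT), build_record(META_EOF)])
SUSPICIOUS_WMF = build_wmf([
    build_record(META_RECTANGLE, RECT),
    escape_record(SETABORTPROC, b"\x00" * 4, size_words=1),
    build_record(META_EOF),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF)):
        print(name, scan_wmf(blob) or "clean")
```

Run it directly to scan the two samples; scan_wmf takes any bytes, so pointing it at a real file is just open(path, "rb").read(). It flags SETABORTPROC regardless of the size field, because that escape has no purpose in a metafile that is only being played back, and a signature tied to the size value alone would miss a variant that declares the size correctly.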



  7. #7 bhxtyrant (Platinum+ Member) | Join Date: Jan 2005 | Posts: 729
    That's a very interesting read guys, thanks for the post. I will have to check out the video a little later. Makes me wonder if this was indeed deliberate... what else could be hidden in the Windows OSs that hasn't been discovered yet...

  8. #8 Curio (Triple Platinum Member) | Join Date: Nov 2004 | Location: London | Posts: 899
    I don't believe MS ever contested that it was a fault - they said it was a feature. Whether it was put in for nefarious purposes or not we may never know but if you think MS put it in as a backdoor perhaps you might think about how 'connected' PCs were back then.

    Certainly in the Windows 3.1 and 95 era most PCs did not have access to the Internet and so a backdoor access would have limited purpose. If you think it is news that MS may be able to hack your computer remotely then think about this - how do you check the Windows Updates that you install?

    If you are going to read GRC you need to be grown up about it - Steve likes to sensationalise things and gets carried away a bit, though I am sure he has good intentions.
    I'm using Windows 7 - you got a problem with that?

  9. #9 Aloone_Jonez (Banned) | Join Date: Dec 2005 | Posts: 58
    Hmm, even though I'm no MS supporter I'm not sure. I doubt it's intentional; I don't see why MS would do this. If it was spyware I might, but I don't see any other reason for this apart from buggy code.

    WMF has been around since Windows 3.0 (maybe even before) and it hasn't been updated much since; it's one of those legacy things I suppose.

    Over at Microsuck we were suspicious of MS because Windows doesn't delete the index.dat files when you ask Internet Explorer to delete the temporary Internet files. We thought it was a conspiracy, but later this was proved to be wrong; it was just poor programming.

  10. #10 egghead (Precision Processor Super Moderator) | Join Date: May 2002 | Location: In Your Monitor | Posts: 3,506
    Quote Originally Posted by Curio
    I don't believe MS ever contested that it was a fault - they said it was a feature. Whether it was put in for nefarious purposes or not we may never know but if you think MS put it in as a backdoor perhaps you might think about how 'connected' PCs were back then.

    Certainly in the Windows 3.1 and 95 era most PCs did not have access to the Internet and so a backdoor access would have limited purpose. If you think it is news that MS may be able to hack your computer remotely then think about this - how do you check the Windows Updates that you install?

    If you are going to read GRC you need to be grown up about it - Steve likes to sensationalise things and gets carried away a bit, though I am sure he has good intentions.
    I agree totally with you. Microsoft is always thinking ahead with features. It is very strange though that the feature allows a remote user to execute code simply by displaying a picture.......

    Just to add to conspiracy theories hehe. I never surf gov sites

    haha




  11. #11 FastGame (Hardware guy Super Moderator) | Join Date: Apr 2002 | Location: Blasters worm farm | Posts: 3,333
    Quote Originally Posted by egghead
    Just to add to conspiracy theories hehe. I never surf gov sites

    haha

    Stings are very convincing; you'd never know it was the officials. It's not above the government to run a porn site.

    good luck egg....

    haha


  12. #12 hotmale (Triple Platinum Member) | Join Date: Mar 2004 | Location: Lebanon | Posts: 961
    Did Microsoft build a backdoor in all windows os's?
    You never know what these companies have in mind. For instance, what the hell is Google going to do with all the private information they're collecting?

  13. #13 rik (Old and Cranky Super Moderator) | Join Date: Aug 2003 | Location: Watching Your every move... | Posts: 4,638
    Now where did I park the Black Helicopter?


  14. #14 Curio (Triple Platinum Member) | Join Date: Nov 2004 | Location: London | Posts: 899

    Gibbo 'Off On One' - Official

    Mark Russinovich from Sysinternals has had a look at the WMF file format and a look at SG's analysis. Interesting reading for GRC lovers, I dare say.
    Take a peek here http://www.sysinternals.com/blog/200...-backdoor.html
