SecurityTracker.com
SecurityTracker Archives

Category:   Application (Multimedia)  >   Windows Media Player Vendors:   Microsoft
Windows Media Player Executes URLs in Windows Media Files that Have Been Renamed as MP3 Files
SecurityTracker Alert ID:  1003660
SecurityTracker URL:  http://securitytracker.com/id/1003660
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 25 2002
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in Microsoft's Windows Media Player. A remote user can cause the victim's default browser to open web pages when the victim plays what appears to be an MP3 file.

A remote user can create a media file in the Microsoft Windows Media format (e.g., *.wma) that contains embedded URLs but is named as an MP3 file (i.e., with a *.mp3 extension). When the file is played by another user's Windows Media Player, the URLs are opened in that user's default browser as the media file plays.

Embedding URLs in a Windows Media file (so-called URL flips) is a documented feature of the format. The flaw is that the player determines the file type from the file's contents rather than from its extension: a Windows Media file carrying a *.mp3 extension is processed as a Windows Media file, not as an MP3 file, and the user is not warned of the inconsistency between the file's format and its name.

For information on the URL embedding feature, see:

http://msdn.microsoft.com/library/en-us/dnwmt/html/wmp7_urlflips.asp

Impact:   A remote user can create what appears to be an MP3 file but is really a Windows Media file containing URL flips (i.e., URLs that will be opened by the default browser while the media file is playing). Then, when the recipient plays the apparent MP3 file, the URLs will be opened and any scripts on the referenced pages will run. Scripts that run will be subject to the restrictions of the appropriate security zone for the referenced web site.

The author of the report (David Korn) gives co-credits to Flaagg (Aaron M. Henne) for discovery of this flaw.
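As an added example (not part of the SecurityTracker entry or of the original report), the following Python script performs the check the player does not: it sniffs the leading bytes of a purported .mp3 file, flags a mismatch when the contents are an ASF container (the format of .wma/.wmv files; the report's hex dump "30 26 b2 75 8e 66 cf 11" is the first eight bytes of the ASF Header Object GUID), and pulls out any URLs stored as UTF-16LE text, which is how the report's hex-editor inspection found the embedded URL. The sample files, the URL in them and the function names are constructed for this example.

```python
"""Triage a purported .mp3 file: does its content match its extension, and
does it carry embedded URLs?  Added example for the advisory above; not code
from the report or from Microsoft.

Assumptions: the ASF Header Object GUID, as stored on disk, is
30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C; MP3 data begins either with
an ID3v2 tag ("ID3") or with an MPEG frame sync (0xFF followed by a byte whose
top three bits are set, e.g. the FF F7 the report found at offset 0x829).
"""
import re
import sys

ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# URL-like token; run over latin-1 text (ASCII strings) and UTF-16LE text.
URL_RE = re.compile(r"(?:https?|ftp)://[\x21-\x7e]+")


def sniff(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name entirely."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data[:3] == b"ID3":            # ID3v2 tag precedes the MPEG frames
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"                  # MPEG audio frame sync (11 set bits)
    return "unknown"


def embedded_urls(data: bytes) -> list:
    """Return URLs found in ASCII or UTF-16LE text anywhere in the file."""
    found = []
    texts = [data.decode("latin-1")]
    # ASF metadata and URL-flip script commands are UTF-16LE; decode from both
    # byte alignments so a string starting at an odd offset is not missed.
    for off in (0, 1):
        texts.append(data[off:].decode("utf-16-le", errors="ignore"))
    for text in texts:
        for m in URL_RE.finditer(text):
            url = m.group(0).rstrip(".,;)")
            if url not in found:
                found.append(url)
    return found


def check(name: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the sniffed type."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext == "mp3":
        claimed = "mp3"
    elif ext in ("wma", "wmv", "asf"):
        claimed = "asf"
    else:
        claimed = "unknown"
    detected = sniff(data)
    mismatch = "unknown" not in (claimed, detected) and claimed != detected
    return {
        "name": name,
        "claimed": claimed,
        "detected": detected,
        "mismatch": mismatch,
        "urls": embedded_urls(data) if detected == "asf" else [],
    }


def _utf16(s: str) -> bytes:
    """NUL-terminated UTF-16LE string, as ASF stores its text fields."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample: an ASF header followed by UTF-16LE text of the kind the
# report saw (SDK version, a URL, a title).  Not a real, playable .wma file.
FAKE_MP3 = (
    ASF_HEADER_GUID
    + (0x300).to_bytes(8, "little")          # header object size (arbitrary)
    + (3).to_bytes(4, "little") + b"\x01\x02"  # object count + reserved bytes
    + _utf16("WMFSDKVersion") + _utf16("8.00.00.4477")
    + _utf16("URL") + _utf16("http://ads.example.invalid/popup.htm")
    + _utf16("WM/Title") + _utf16("lifehouse - hanging by a moment")
    + b"\x00" * 32
)

# Constructed sample of a genuine MP3: ID3v2 header, then a frame sync.
REAL_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" + b"\x00" * 64


if __name__ == "__main__":
    # With file paths as arguments, triage them; otherwise run on the samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(check(path, fh.read()))
    else:
        print(check("lifehouse - hanging by a moment - rare version.mp3", FAKE_MP3))
        print(check("song.mp3", REAL_MP3))
```

The URL search is deliberately coarse: it finds URLs in any text field, not only in the ASF Script Command Object that holds the URL flips, which is the right trade-off for triage (anything with a URL inside an ASF file named .mp3 deserves a look). A mismatch verdict is the signal the player itself never raises.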

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Windows Media Player executes WMF content in .MP3 files.



  I don't know if this is a known vulnerability or not, but it just
happened to a usenet acquaintance of mine:

[ From Message-ID: <MPG.16d20065551d97599897f5@netnews.attbi.com>,
available at http://howardk.moonfall.com/msgid.cgi?ID=101419648800 ]

---begin quote---
My ex sent me an mp3 she'd dloaded on Gnotella:

"lifehouse - hanging by a moment - rare version.mp3"

When this file is opened [only works with MS Media player] a *porno* vid 
starts playing, and triggers a MASSIVE amount of pop-up ads. I don't use 
media player as my default, has this been going on all the time? and if 
so does anyone know how they do it?
---end quote---

  Inspection of the file in a hex editor revealed:

[ From Message-ID: <Jgua8.2390$5o.1006831@newsr2.u-net.net>,
available at http://howardk.moonfall.com/msgid.cgi?ID=101419654600 ]

---begin quote---
Hmm.  Here's the file beginning, in hex:

0000: 30 26 b2 75 8e 66 cf 11......

  Now, according to http://home.swipnet.se/grd/mp3info/mp3doc.html,

mp3 frame headers begin with 12 1 bits, so there should be a FF byte
followed by a byte beginning with E or F, so that's not an mp3 frame header.
The first mp3 frame header appears to start at offset 0x0829 where there's
an FF F7 sequence...

  Nor is it a vbr header, nor an ID3 tag, since it doesn't have any readable
ascii words there.

  However, looked at as unicode, I see a lot of stuff like.....

GirlsOntheStreetThisIsRealAskedToHaveSexForMone
WMFSDKVersion 8.00.00.4477
WMFSDKNeeded 0.0.0.0000
URL     http://www.entirelynude.com/bangbus.htm

  So I think we have our answer.  It's a .wmf file with a fake extension,
and stupid old windoze goes and opens it as the type detected from the
contents rather than the type detected from the extension.  This is the same
kind of vulnerability that lets a webserver send an .exe to your browser
with a .wav file-extension in the mime headers and have it auto-run, and
represents a new potential for social-engineering of windoze users.

---end quote---

  The file did indeed have a .mp3 extension; no double-extension trick
was used.

  The WMP version in question is 8.00.00.4477; I haven't tried it myself
to see if it works nor tested older versions.  I thought this might be
a reasonable place to ask if this problem is already widely known ?


     DaveK
-- 
Burn your ID card!  http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!

Copyright 2021, SecurityGlobal.net LLC