SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   Windows Media Player Vendors:   Microsoft
Windows Media Player Skin File Processing Lets Remote Users Write Arbitrary Files to Arbitrary Locations
SecurityTracker Alert ID:  1006718
SecurityTracker URL:  http://securitytracker.com/id/1006718
CVE Reference:   CVE-2003-0228   (Links to External Site)
Date:  May 7 2003
Impact:   Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.x, 8
Description:   A vulnerability was reported in Windows Media Player in the processing of skin files (*.wmz files). A remote user can cause an arbitrary file to be written to an arbitrary location on the target user's computer. This can lead to arbitrary code execution.

According to the report, Internet Explorer (IE) invokes Windows Media Player when processing the "application/x-ms-wmz" MIME type. The wmplayer.exe binary is reportedly executed with the "/layout" command line switch, intended to save the skin file in the Skins folder with a file name based partly on the supplied URL and also partly on a random string. A remote user can create a specially crafted URL with hex-encoded backslashes to cause the system to write the skin file to a specified location on the target user's computer.

The report indicates that if the specified file name already exists, the user will be asked for confirmation. However, no confirmation is required otherwise.

The report also indicates that arbitrary file name extensions can be specified.

Microsoft credits Jouko Pynnonen of Oy Online Solutions Ltd, Finland and Jelmer for reporting this vulnerability.
Impact:   A remote user can cause an arbitrary file to be written to the target user's computer in an arbitrary location. This could be used to execute arbitrary code on the target user's system.
Solution:   The vendor has released a patches. The vendor also reports that Windows Media Player version 9 is not vulnerable.

For Microsoft Windows Media Player 7.1:

http://microsoft.com/downloads/details.aspx?FamilyId=012F143A-77D1-4F6F-9338-5A6332614532&displaylang=en

For Microsoft Windows Media Player for Windows XP (Version 8.0):

http://microsoft.com/downloads/details.aspx?FamilyId=E311DF50-0633-4100-AB37-D7A68D51182F&displaylang=en

The patch can be installed on Windows Media Player 7.1 on Win98, Win98SE, WinME, Win2k and on Windows Media Player for XP.

Microsoft plans to include the fix in Windows XP SP2.

A reboot is not required (unless Windows Media Player is loaded in the background when the patch is installed).

Microsoft plans to issue Knowledge Base article 817787 regarding this issue, to be available shortly on the Microsoft Online Support web site:

http://support.microsoft.com/?scid=fh;en-us;kbhowto
Vendor URL:  www.microsoft.com/technet/security/bulletin/MS03-017.asp (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents
Subject:  Windows Media Player directory traversal vulnerability





OVERVIEW
========

Windows Media Player versions 7 and 8 are vulnerable to a directory 
traversal attack when skin files (*.WMZ) are downloaded from Internet. 
The vulnerability allows malicious users to upload an arbitrary file to 
an arbitrary location when a victim user views a web page.

When Media Player 7 or 8 is installed, Internet Explorer opens skin files 
without confirmation from the user. Thus, an attacker can exploit the 
vulnerability when the victim visits a malicious web page. The ability to 
upload files can be used to run arbitrary code on the victim system in 
several ways.

As most other Internet Explorer vulnerabilites, this one can be exploited 
via Outlook (Express) e-mail if the security zone setting is set to 
"Internet zone". In recent versions, this is not the default case.



DETAILS
=======

When Internet Explorer encounters a document having the MIME type 
"application/x-ms-wmz", it starts up wmplayer.exe with the "/layout" 
command line switch which instructs Media Player to download a skin file 
from the specified URL to the Media Player's Skins folder. To prevent 
certain Internet based attacks, the program uses a random element in the 
download path so that the exact file name of the downloaded skin file 
can't be guessed by a potential attacker.

Due to a flaw in Media Player this measure can be circumvented with 
hex-encoded backslashes in the URL. If an appropriate URL is crafted, 
the exact download folder can be chosen.

If the filename doesn't end with ".WMZ", Media Player normally adds this 
extension to the file. However, if the Content-disposition HTTP header is 
used in a certain way, this restriction can be circumvented and also the 
extension can be freely chosen. The attacker may thus place files with any 
name and extension to any location on the local disks (and network shares 
the user has access write access to). The attacker can not automatically 
overwrite previously existing files; in this case a confirmation is asked 
from the user.

There are numerous ways of exploiting this vulnerability to run arbitrary 
code:

  * codebase related attacks can be done by placing a HTML help, Java 
    applet, a script, or similar file to the local filesystem and 
    redirect Internet Explorer to its location

  * a configuration file with malicious content might be uploaded for a 
    program which by default doesn't have a configuration file 

  * uploading a DLL or EXE file to a carefully chosen folder might cause 
    Internet Explorer or other program to use the attacker-supplied DLL 
    or EXE instead of the original file - e.g. a program might use a DLL 
    uploaded to C:\WINNT instead of C:\WINNT\SYSTEM32 and vice versa. 

  * the attacker may place programs in the Startup folder so that it 
    would be started on the next reboot


Finding other attack vectors is left as an excercise to the reader. The 
demonstration I set up for the vendor uploads a Java class file to 
%SYSTEMROOT\Java\Trustlib\ and uses an applet tag to start it. The class 
becomes "trusted" due to its location and is allowed to contain native 
DLL calls. Now it can e.g. download an EXE program from Internet and 
start it.

Windows Media Player version 9 doesn't seem to contain the flaw.

If Windows Media Player is not installed and a WMZ file is encountered, 
Internet Explorer will usually suggest an automatic installation of 
version 7 (Install on Demand).



SOLUTION
========

Microsoft was notified about the vulnerability on March 14, 2003. A 
bulletin and patch correcting the issue has been released. They are 
available at

  http://www.microsoft.com/technet/security/bulletin/MS03-017.asp

Microsoft has classified this vulnerability as critical.

It should be noted that changing File Types settings at My Computer -> 
Tools -> Folder Options doesn't seem to work as an workaround. WMZ files 
are opened automatically regardless of them. Disabling this behavior
can probably be done by manually editing the registry.



CREDITS
=======

Ltd, Finland.



-- 
Jouko Pynnonen          Online Solutions Ltd       Secure your Linux -
jouko@solutions.fi      http://www.solutions.fi    http://www.secmod.com


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC