Twenty Year Anniversary

wmedia.skin.txt

wmedia.skin.txt
Posted May 9, 2003
Authored by Jouko Pynnonen | Site klikki.fi

Windows Media Player versions 7 and 8 are vulnerable to a directory traversal attack when skin files are downloaded from Internet. The vulnerability allows malicious users to upload an arbitrary file to an arbitrary location when a victim user views a web page.

tags | advisory, web, arbitrary
systems | windows
MD5 | 29c1ca44e838d70bd75e8ead3c24ff0e

wmedia.skin.txt

Change Mirror Download



OVERVIEW
========

Windows Media Player versions 7 and 8 are vulnerable to a directory
traversal attack when skin files (*.WMZ) are downloaded from Internet.
The vulnerability allows malicious users to upload an arbitrary file to
an arbitrary location when a victim user views a web page.

When Media Player 7 or 8 is installed, Internet Explorer opens skin files
without confirmation from the user. Thus, an attacker can exploit the
vulnerability when the victim visits a malicious web page. The ability to
upload files can be used to run arbitrary code on the victim system in
several ways.

As most other Internet Explorer vulnerabilites, this one can be exploited
via Outlook (Express) e-mail if the security zone setting is set to
"Internet zone". In recent versions, this is not the default case.



DETAILS
=======

When Internet Explorer encounters a document having the MIME type
"application/x-ms-wmz", it starts up wmplayer.exe with the "/layout"
command line switch which instructs Media Player to download a skin file
from the specified URL to the Media Player's Skins folder. To prevent
certain Internet based attacks, the program uses a random element in the
download path so that the exact file name of the downloaded skin file
can't be guessed by a potential attacker.

Due to a flaw in Media Player this measure can be circumvented with
hex-encoded backslashes in the URL. If an appropriate URL is crafted,
the exact download folder can be chosen.

If the filename doesn't end with ".WMZ", Media Player normally adds this
extension to the file. However, if the Content-disposition HTTP header is
used in a certain way, this restriction can be circumvented and also the
extension can be freely chosen. The attacker may thus place files with any
name and extension to any location on the local disks (and network shares
the user has access write access to). The attacker can not automatically
overwrite previously existing files; in this case a confirmation is asked
from the user.

There are numerous ways of exploiting this vulnerability to run arbitrary
code:

* codebase related attacks can be done by placing a HTML help, Java
applet, a script, or similar file to the local filesystem and
redirect Internet Explorer to its location

* a configuration file with malicious content might be uploaded for a
program which by default doesn't have a configuration file

* uploading a DLL or EXE file to a carefully chosen folder might cause
Internet Explorer or other program to use the attacker-supplied DLL
or EXE instead of the original file - e.g. a program might use a DLL
uploaded to C:\WINNT instead of C:\WINNT\SYSTEM32 and vice versa.

* the attacker may place programs in the Startup folder so that it
would be started on the next reboot


Finding other attack vectors is left as an excercise to the reader. The
demonstration I set up for the vendor uploads a Java class file to
%SYSTEMROOT\Java\Trustlib\ and uses an applet tag to start it. The class
becomes "trusted" due to its location and is allowed to contain native
DLL calls. Now it can e.g. download an EXE program from Internet and
start it.

Windows Media Player version 9 doesn't seem to contain the flaw.

If Windows Media Player is not installed and a WMZ file is encountered,
Internet Explorer will usually suggest an automatic installation of
version 7 (Install on Demand).



SOLUTION
========

Microsoft was notified about the vulnerability on March 14, 2003. A
bulletin and patch correcting the issue has been released. They are
available at

http://www.microsoft.com/technet/security/bulletin/

Microsoft has classified this vulnerability as critical.

It should be noted that changing File Types settings at My Computer ->
Tools -> Folder Options doesn't seem to work as an workaround. WMZ files
are opened automatically regardless of them. Disabling this behavior
can probably be done by manually editing the registry.



CREDITS
=======

The vulnerability was discovered by Jouko Pynn├Ânen of Online Solutions
Ltd, Finland.



--
Jouko Pynnonen Online Solutions Ltd Secure your Linux -
jouko@solutions.fi http://www.solutions.fi http://www.secmod.com


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

April 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    5 Files
  • 2
    Apr 2nd
    17 Files
  • 3
    Apr 3rd
    11 Files
  • 4
    Apr 4th
    21 Files
  • 5
    Apr 5th
    17 Files
  • 6
    Apr 6th
    12 Files
  • 7
    Apr 7th
    1 Files
  • 8
    Apr 8th
    6 Files
  • 9
    Apr 9th
    21 Files
  • 10
    Apr 10th
    18 Files
  • 11
    Apr 11th
    42 Files
  • 12
    Apr 12th
    7 Files
  • 13
    Apr 13th
    14 Files
  • 14
    Apr 14th
    1 Files
  • 15
    Apr 15th
    1 Files
  • 16
    Apr 16th
    15 Files
  • 17
    Apr 17th
    20 Files
  • 18
    Apr 18th
    24 Files
  • 19
    Apr 19th
    20 Files
  • 20
    Apr 20th
    7 Files
  • 21
    Apr 21st
    10 Files
  • 22
    Apr 22nd
    2 Files
  • 23
    Apr 23rd
    17 Files
  • 24
    Apr 24th
    35 Files
  • 25
    Apr 25th
    14 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close