Re: [Full-disclosure] security notice: Backdooring Windows Media Files



Could someone send me the POCs please, if you have a local copy?
Gnucitizen.org is not accessible for me.

Thanks


----- Original Message -----
From: "pdp (architect)" <pdp.gnucitizen@xxxxxxxxxxxxxx>
To: "Memisyazici, Aras" <arasm@xxxxxx>
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>; <full-disclosure@xxxxxxxxxxxxxxxxx>
Sent: Wednesday, September 19, 2007 12:30 AM
Subject: Re: security notice: Backdooring Windows Media Files


yes, of course :) but you are running Windows Media Player 11 which is
not the default one for Windows XP SP2. Moreover, this Media Player
edition is not slipped through any software update either. Therefore,
if you are not a Media Player fan, you will never get this version on
a fully patched XP SP2 machine. I tend to use iTunes on XP SP2, so yes
I am vulnerable.

On 9/18/07, Memisyazici, Aras <arasm@xxxxxx> wrote:
Hi pdp!

Great admirer of your work :) I just wanted to inform you that I have
tested your claim, on a fully patched/updated Win XP SP2 system with an
admin account logged in, and was warned sufficiently (asked whether I
wanted to play asx files, then asked if I was sure by Media Player, then
pop-up was blocked by IE), while the page you tried to produce was
blocked via IE's pop-up blocker.

You can see/confirm this by viewing these screenshots:

http://preview.tinyurl.com/34xpcz
(http://i189.photobucket.com/albums/z159/vtknightmare/noworkie1.png )

and

http://preview.tinyurl.com/34jx5v
(http://i189.photobucket.com/albums/z159/vtknightmare/noworkie2.png )

This was tested on a plain/manila/vanilla version of XP SP2. All I did
was update/upgrade to latest available from M$ Update.

Sincerely,
Aras Memisyazici
IT/Security/Dev. Specialist

Outreach Information Services
Virginia Tech

-----Original Message-----
From: pdp (architect) [mailto:pdp.gnucitizen@xxxxxxxxxxxxxx]
Sent: Tuesday, September 18, 2007 11:58 AM
To: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
Subject: security notice: Backdooring Windows Media Files

http://www.gnucitizen.org/blog/backdooring-windows-media-files

It is very easy to put some HTML inside files supported by Windows
Media Player. The interesting thing is that these HTML pages run in
a less restrictive IE environment. I found that a fully patched Windows
XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open
any page of your choice in IE even if your default browser is Firefox,
Opera or anything else you have in place. It means that even if you
are running Firefox and you think that you are secure, by simply
opening a media file, you expose yourself to all IE vulnerabilities
there might be. Plus, attackers can perform very very interesting
phishing attacks. I prepared a simple POC which spawns a browser
window in full screen mode... Think about how easy it is going to be
to fake the windows logout - login sequence and phish unaware users'
credentials.

http://www.gnucitizen.org/projects/backdooring-windows-media-files/poc02.asx

On the other hand Media Player 11 (Vista by default) is not exposed to
these attacks.

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


