[NT] Windows Media Player Directory Traversal Vulnerability (WMZ)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/11/03
To: list@securiteam.com Date: 11 May 2003 20:10:28 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Windows Media Player Directory Traversal Vulnerability (WMZ)
------------------------------------------------------------------------
SUMMARY
Windows Media Player versions 7 and 8 are vulnerable to a directory
traversal attack when skin files (*.WMZ) are downloaded from the Internet.
The vulnerability allows malicious users to upload an arbitrary file to an
arbitrary location when a victim user views a web page.
When Media Player 7 or 8 is installed, Internet Explorer opens skin files
without confirmation from the user. Thus, an attacker can exploit the
vulnerability when the victim visits a malicious web page. The ability to
upload files can be used to run arbitrary code on the victim system in
several ways.
As with most other Internet Explorer vulnerabilities, this one can be
exploited via Outlook (Express) e-mail if the security zone setting is set
to "Internet zone". In recent versions, this is not the default case.
DETAILS
When Internet Explorer encounters a document having the MIME type
"application/x-ms-wmz", it starts up wmplayer.exe with the "/layout"
command line switch which instructs Media Player to download a skin file
from the specified URL to the Media Player's Skins folder. To prevent
certain Internet based attacks, the program uses a random element in the
download path so that the exact file name of the downloaded skin file
cannot be guessed by a potential attacker.
Due to a flaw in Media Player, this measure can be circumvented with
hex-encoded backslashes in the URL. If an appropriate URL is crafted, the
exact download folder can be chosen.
If the filename does not end with ".WMZ", Media Player normally adds this
extension to the file. However, if the Content-Disposition HTTP header is
used in a certain way, this restriction can be circumvented and the
extension can be freely chosen. The attacker may thus place files with any
name and extension in any location on the local disks (and on network shares
the user has write access to). The attacker cannot automatically overwrite
previously existing files; in this case, a confirmation is asked from the
user.
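The two bypasses described above (percent-encoded backslashes defeating the path check, and a Content-Disposition filename defeating the extension rule) share one root cause: the name is validated in one form and used in another. The following is an added example, written for this page and not code from Microsoft or from the original advisory, of how a downloader can validate a server-supplied skin name the other way round: decode fully, reject anything that is not a single path component, fix the extension itself, and only then confirm that the normalized result still lies inside the skins folder. The folder name, the sample requests and the simplified Content-Disposition parser are assumptions for illustration.

```python
import ntpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed example location; the real Skins folder also carries a random
# element, which this illustration leaves out.
SKINS_DIR = r"C:\Program Files\Windows Media Player\Skins"


def decode_fully(name: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so that %5c (or a
    double-encoded %255c) is a real backslash by the time it is inspected."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            return decoded
        name = decoded
    raise ValueError("filename still percent-encoded after repeated decoding")


def filename_from_content_disposition(header: str) -> Optional[str]:
    """Pull the filename= parameter out of a Content-Disposition header.
    Simplified parser (assumption): handles a quoted or bare value only."""
    m = re.search(r'filename\s*=\s*"?([^";]+)"?', header, re.IGNORECASE)
    return m.group(1).strip() if m else None


def safe_skin_path(url_path: str, content_disposition: Optional[str] = None,
                   base_dir: str = SKINS_DIR) -> str:
    """Return the only path the skin may be written to, or raise ValueError."""
    candidate = None
    if content_disposition:
        candidate = filename_from_content_disposition(content_disposition)
    if not candidate:
        candidate = url_path.rsplit("/", 1)[-1]

    # Decode first, then inspect: the bypass in the advisory works because
    # the encoded form is checked while the decoded form is used.
    name = decode_fully(candidate)

    # A skin name must be exactly one path component: no slash of either
    # kind, no drive colon, no NUL, and not "." or "..".
    if re.search(r"[\\/:\x00]", name) or name in ("", ".", ".."):
        raise ValueError(f"rejected skin filename: {name!r}")

    # The extension is fixed by the application, not by the server's header.
    if not name.lower().endswith(".wmz"):
        name += ".wmz"

    # Defence in depth: confirm the normalized result still lies inside the
    # skins folder even though the checks above should already guarantee it.
    base = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(base, name))
    if ntpath.commonpath([base, full]) != base:
        raise ValueError(f"resolved path escapes skins folder: {full}")
    return full


def is_safe_skin_request(url_path: str,
                         content_disposition: Optional[str] = None) -> bool:
    """Convenience wrapper: True when the request would be accepted."""
    try:
        safe_skin_path(url_path, content_disposition)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one benign, then the shapes the advisory
    # describes (encoded backslashes, double encoding, header-chosen name).
    samples = [
        ("/skins/blue.wmz", None),
        ("/skins/..%5c..%5cWINNT%5cevil.dll", None),
        ("/skins/..%255c..%255cWINNT%5cevil.dll", None),
        ("/skins/theme", 'attachment; filename="evil.exe"'),
    ]
    for path, cd in samples:
        try:
            print("accept", safe_skin_path(path, cd))
        except ValueError as exc:
            print("reject", exc)
```

The order of operations is the point: decoding happens once, before any check, and the containment check runs on the normalized Windows path (ntpath handles both separator styles regardless of the host OS), so a name that only looks harmless in its encoded form never reaches the file system.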
There are numerous ways of exploiting this vulnerability to run arbitrary
code:
* Codebase related attacks can be done by placing an HTML Help file, a Java
applet, a script, or a similar file on the local file system and redirecting
Internet Explorer to its location
* A configuration file with malicious content might be uploaded for a
program which by default doesn't have a configuration file
* Uploading a DLL or EXE file to a carefully chosen folder might cause
Internet Explorer or another program to use the attacker-supplied DLL or EXE
instead of the original file - e.g. a program might use a DLL uploaded to
C:\WINNT instead of C:\WINNT\SYSTEM32 and vice versa.
* The attacker may place programs in the Startup folder so that they are
started on the next reboot
Finding other attack vectors is left as an exercise to the reader. The
demonstration Jouko has set up for the vendor uploads a Java class file to
%SYSTEMROOT%\Java\Trustlib\ and uses an applet tag to start it. The class
becomes "trusted" due to its location and is allowed to contain native DLL
calls. It can then, for example, download an EXE program from the Internet
and start it.
Windows Media Player version 9 does not seem to contain the flaw.
If Windows Media Player is not installed and a WMZ file is encountered,
Internet Explorer will usually suggest an automatic installation of
version 7 (Install on Demand).
Solution:
Microsoft was notified about the vulnerability on March 14, 2003. A
bulletin and a patch correcting the issue have been released. They are
available at: http://www.microsoft.com/technet/security/bulletin/
Microsoft has classified this vulnerability as critical.
It should be noted that changing the File Types settings under My Computer
-> Tools -> Folder Options does not seem to work as a workaround: WMZ files
are opened automatically regardless of those settings. Disabling this
behavior can probably be done by manually editing the registry.
ADDITIONAL INFORMATION
The information has been provided by <mailto:jouko@solutions.fi> Jouko
Pynnönen.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.