[VulnWatch] Windows Media Player directory traversal vulnerability

From: Jouko Pynnonen (jouko_at_solutions.fi)
Date: 05/07/03

  • Next message: SecurityTracker: "[VulnWatch] Happymall E-Commerce Remote Command Execution"
    Date: Wed, 7 May 2003 20:31:50 +0300 (EEST)
    To: <vulnwatch@vulnwatch.org>
    
    

    OVERVIEW
    ========

    Windows Media Player versions 7 and 8 are vulnerable to a directory
    traversal attack when skin files (*.WMZ) are downloaded from Internet.
    The vulnerability allows malicious users to upload an arbitrary file to
    an arbitrary location when a victim user views a web page.

    When Media Player 7 or 8 is installed, Internet Explorer opens skin files
    without confirmation from the user. Thus, an attacker can exploit the
    vulnerability when the victim visits a malicious web page. The ability to
    upload files can be used to run arbitrary code on the victim system in
    several ways.

    As most other Internet Explorer vulnerabilites, this one can be exploited
    via Outlook (Express) e-mail if the security zone setting is set to
    "Internet zone". In recent versions, this is not the default case.

    DETAILS
    =======

    When Internet Explorer encounters a document having the MIME type
    "application/x-ms-wmz", it starts up wmplayer.exe with the "/layout"
    command line switch which instructs Media Player to download a skin file
    from the specified URL to the Media Player's Skins folder. To prevent
    certain Internet based attacks, the program uses a random element in the
    download path so that the exact file name of the downloaded skin file
    can't be guessed by a potential attacker.

    Due to a flaw in Media Player this measure can be circumvented with
    hex-encoded backslashes in the URL. If an appropriate URL is crafted,
    the exact download folder can be chosen.

    If the filename doesn't end with ".WMZ", Media Player normally adds this
    extension to the file. However, if the Content-disposition HTTP header is
    used in a certain way, this restriction can be circumvented and also the
    extension can be freely chosen. The attacker may thus place files with any
    name and extension to any location on the local disks (and network shares
    the user has access write access to). The attacker can not automatically
    overwrite previously existing files; in this case a confirmation is asked
    from the user.

    There are numerous ways of exploiting this vulnerability to run arbitrary
    code:

      * codebase related attacks can be done by placing a HTML help, Java
        applet, a script, or similar file to the local filesystem and
        redirect Internet Explorer to its location

      * a configuration file with malicious content might be uploaded for a
        program which by default doesn't have a configuration file

      * uploading a DLL or EXE file to a carefully chosen folder might cause
        Internet Explorer or other program to use the attacker-supplied DLL
        or EXE instead of the original file - e.g. a program might use a DLL
        uploaded to C:\WINNT instead of C:\WINNT\SYSTEM32 and vice versa.

      * the attacker may place programs in the Startup folder so that it
        would be started on the next reboot

    Finding other attack vectors is left as an excercise to the reader. The
    demonstration I set up for the vendor uploads a Java class file to
    %SYSTEMROOT\Java\Trustlib\ and uses an applet tag to start it. The class
    becomes "trusted" due to its location and is allowed to contain native
    DLL calls. Now it can e.g. download an EXE program from Internet and
    start it.

    Windows Media Player version 9 doesn't seem to contain the flaw.

    If Windows Media Player is not installed and a WMZ file is encountered,
    Internet Explorer will usually suggest an automatic installation of
    version 7 (Install on Demand).

    SOLUTION
    ========

    Microsoft was notified about the vulnerability on March 14, 2003. A
    bulletin and patch correcting the issue has been released. They are
    available at

      http://www.microsoft.com/technet/security/bulletin/

    Microsoft has classified this vulnerability as critical.

    It should be noted that changing File Types settings at My Computer ->
    Tools -> Folder Options doesn't seem to work as an workaround. WMZ files
    are opened automatically regardless of them. Disabling this behavior
    can probably be done by manually editing the registry.

    CREDITS
    =======

    The vulnerability was discovered by Jouko Pynnönen of Online Solutions
    Ltd, Finland.

    -- 
    Jouko Pynnonen          Online Solutions Ltd       Secure your Linux -
    jouko@solutions.fi      http://www.solutions.fi    http://www.secmod.com
    

  • Next message: SecurityTracker: "[VulnWatch] Happymall E-Commerce Remote Command Execution"

    Relevant Pages