Re: Windows Media Player executes WMF content in .MP3 files.
From: Joe (1@2.com)Date: 02/25/02
- Next message: Joe: "Re: Windows Media Player executes WMF content in .MP3 files."
- Previous message: Linbeck: "Re: File Deletion Question"
- In reply to: Dave Korn: "Windows Media Player executes WMF content in .MP3 files."
- Next in thread: Joe: "Re: Windows Media Player executes WMF content in .MP3 files."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Joe" <1@2.com> Date: Mon, 25 Feb 2002 14:26:00 -0500
I hate to sound cruel about it, but it serves you right for using Windows
Media Player as your default MP3 player.
"Dave Korn" <no.spam@my.mailbox.invalid> wrote in message
news:7Qvd8.2712$5o.1590603@newsr2.u-net.net...
>
> I don't know if this is a known vulnerability or not, but it just
> happened to a usenet acquaintance of mine:
>
> [ From Message-ID: <MPG.16d20065551d97599897f5@netnews.attbi.com>,
> available at http://howardk.moonfall.com/msgid.cgi?ID=101419648800 ]
>
> ---begin quote---
> My ex sent me an mp3 she'd dloaded on Gnotella:
>
> "lifehouse - hanging by a moment - rare version.mp3"
>
> When this file is opened [only works with MS Media player] a *porno* vid
> starts playing, and triggers a MASSIVE amount of pop-up ads. I don't use
> media player as my default, has this been going on all the time? and if
> so does anyone know how they do it?
> ---end quote---
>
> Inspection of the file in a hex editor revealed:
>
> [ From Message-ID: <Jgua8.2390$5o.1006831@newsr2.u-net.net>,
> available at http://howardk.moonfall.com/msgid.cgi?ID=101419654600 ]
>
> ---begin quote---
> Hmm. Here's the file beginning, in hex:
>
> 0000: 30 26 b2 75 8e 66 cf 11......
>
> Now, according to http://home.swipnet.se/grd/mp3info/mp3doc.html,
>
> mp3 frame headers begin with 12 1 bits, so there should be a FF byte
> followed by a byte beginning with E or F, so that's not an mp3 frame
header.
> The first mp3 frame header appears to start at offset 0x0829 where there's
> an FF F7 sequence...
>
> Nor is it a vbr header, nor an ID3 tag, since it doesn't have any
readable
> ascii words there.
>
> However, looked at as unicode, I see a lot of stuff like.....
>
> GirlsOntheStreetThisIsRealAskedToHaveSexForMone
> WMFSDKVersion 8.00.00.4477
> WMFSDKNeeded 0.0.0.0000
> URL http://www.entirelynude.com/bangbus.htm
>
> So I think we have our answer. It's a .wmf file with a fake extension,
> and stupid old windoze goes and opens it as the type detected from the
> contents rather than the type detected from the extension. This is the
same
> kind of vulnerability that lets a webserver send an .exe to your browser
> with a .wav file-extension in the mime headers and have it auto-run, and
> represents a new potential for social-engineering of windoze users.
>
> ---end quote---
>
> The file did indeed have a .mp3 extension; no double-extension trick
> was used. Trust microsfot to finally make even a .mp3 file unsafe :-(
>
> The WMP version in question is 8.00.00.4477; I haven't tried it myself
> to see if it works nor tested older versions. I thought this might be
> a reasonable place to ask if this problem is already widely known ?
>
>
> DaveK
> --
> moderator of
> alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
> Burn your ID card! http://www.optional-identity.org.uk/
> Help support the campaign, copy this into your .sig!
> Proud Member of the Exclusive "I have been plonked by Davee because he
> thinks I'm interesting" List Member #<insert number here>
> Master of Many Meowing Minions
> Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage
above
> and beyond the call of hilarity.
>
>
- Next message: Joe: "Re: Windows Media Player executes WMF content in .MP3 files."
- Previous message: Linbeck: "Re: File Deletion Question"
- In reply to: Dave Korn: "Windows Media Player executes WMF content in .MP3 files."
- Next in thread: Joe: "Re: Windows Media Player executes WMF content in .MP3 files."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
