winamp and wma Song Licenses

From: jelmer (jelmerat_private)
Date: Fri Feb 15 2002 - 12:28:33 PST


    When opening a WMA file with Winamp (2.77, 2.78 tested) that requires a
    license to be installed, Winamp opens the web page where it obtains this
    license (through some VBScript code calling an ActiveX object), to which
    it passes the URL, so that this page can provide a
    click-here-to-play type of link.
    
    This is a problem, for if the user starts a download and presses "open"
    instead of "save to disk", either on a web page or in an email message
    (this is currently the default action on this PC; it doesn't even prompt
    for saving, however I most likely have clicked a checkbox too many
    somewhere), the path to the Temporary Internet Files folder is revealed
    to the page that provides the license. This thus allows for CHM file type
    attacks, which allow execution of arbitrary code.
    
    For example:
    
    On http://windowsmedia.neuroticmedia.net/ you'll find a lot of WMA files,
    all with licenses (I found this link on the windowsmedia.com website).
    
    On downloading and starting the first WMA file, Winamp fires up Internet
    Explorer and opens the following URL for me:
    
    http://web.neuroticmedia.net/getV1License.asp?content_guid=2524&challenge=AAEAAdytv8CWPq!uaEvLpmn9Ay!TyS0T5P5TBaqgGEhtHqneqhPSWcDvzmo!FLmsofK8sc8gGQrMIUsrvTrwXS7a3207D*cHR2b6HLXZ5ANyskZwsNAWEUdtPKmbgHRCRsK0JbIK3S3msYp5iSz8QOVtzKBYV0sRRmxvs2h4J2p8DdVw0y08IjmxviTKWuuwKyKCnXh49dIu05gIKhbg1Wx8nR2fT8*Um3IDTrYv*MGmSENm1!mfv3MoO8cSzF!om4KX6IL5vLi0&DRMVer=1.3&filename=file://C:%5cDocuments%20and%20Settings%5cJelmer%5cLocal%20Settings%5cTemporary%20Internet%20Files%5cContent.IE5%5cCBL7ME79%5cStatic-X-Cold%5b1%5d.wma
    
    This clearly shows the Temporary Internet Files folder passed in the
    filename parameter.
    
    Additionally, this particular site is also vulnerable to a cross-site
    scripting exploit, as shown by the following URL:
    
    http://web.neuroticmedia.net/getV1License.asp?content_guid=2623&challenge=AAEAAW*cuZ*Ox399!2qBZxPMHDSN!hMx*NaYtOSFpu66wNTGY4bqHFb6BU*0ZLpLRn*uGpg5idOrzs!72BtRJ5S1XnFIXlb*teiO4zljbilFZnM6r3L8oCd6UrQ1oQlnukZY3S1pHXSS*oxG9O29p4BhcxYnmx0RZ2dz1gUPZWbzqVdhxw6rSc!EuBS*l2*CXcQdV1Ie7qeo!OIP0g6GxcqI2njcI8cQgIuExtwEVpEOHoodx1TET5SFiu1Z8NyHlR0ZLWMa!wXG&DRMVer=1.3&filename="></a><script%20language=javascript>alert('cross site scripting');</script><a>
    
    
    
    ---
      jelmer
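The following is an added example, not code from jelmer's post and not the license server's code. It models in Python the two issues the post reports: the license page reflects the `filename` query parameter into its click-here-to-play link unescaped (reflected XSS), and the player sends a `file://` URL containing the local Temporary Internet Files path (information disclosure). The host `license.example`, the folder names, the shortened challenge value and the `basename_only` mitigation are constructed assumptions for illustration; the sample URLs only mirror the shape of the two in the post.

```python
"""Added example: checks for the filename-parameter XSS and the local-path
disclosure described in the post, with the escaped link form beside the
unescaped one. Not the license server's code; all values are constructed."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs modelled on the two in the post. Host, folder names
# and the shortened challenge are placeholders, not the post's real values.
LEAK_URL = (
    "http://license.example/getV1License.asp?content_guid=1&challenge=AAEA&DRMVer=1.3"
    "&filename=file://C:%5cDocuments%20and%20Settings%5cuser%5cLocal%20Settings%5c"
    "Temporary%20Internet%20Files%5cContent.IE5%5cABCD1234%5csong%5b1%5d.wma"
)
XSS_URL = (
    "http://license.example/getV1License.asp?content_guid=2&challenge=AAEA&DRMVer=1.3"
    '&filename="></a><script%20language=javascript>alert(\'xss\')</script><a>'
)

# A file:// URL rooted at a Windows drive letter, e.g. file://C:\...
LOCAL_PATH_RE = re.compile(r"^file://[a-zA-Z]:[\\/]")


def filename_from_license_url(url: str) -> str:
    """Return the percent-decoded ``filename`` query parameter ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("filename", [""])[0]


def leaks_local_path(filename: str) -> bool:
    """True when the player sent a local drive path instead of a remote URL.

    This is the disclosure in the post: the license server learns the full
    path of the user's Temporary Internet Files folder.
    """
    return LOCAL_PATH_RE.match(filename) is not None


def build_link_unsafe(filename: str) -> str:
    """Click-here-to-play link built the way the post's XSS URL implies: the
    raw parameter is pasted into the href, so a value starting with '">'
    closes the attribute and injects its own markup."""
    return f'<a href="{filename}">click here to play</a>'


def build_link_safe(filename: str) -> str:
    """Hardened form: HTML-escape the value (quotes included) before embedding,
    so the same input is rendered as text inside the attribute."""
    return f'<a href="{html.escape(filename, quote=True)}">click here to play</a>'


def basename_only(filename: str) -> str:
    """Assumed client-side mitigation: strip the path down to the file's base
    name before it is placed in the request, so no directory is disclosed."""
    return re.split(r"[\\/]", filename)[-1]


if __name__ == "__main__":
    for url in (LEAK_URL, XSS_URL):
        name = filename_from_license_url(url)
        print("local path leaked:", leaks_local_path(name))
        print("unsafe:", build_link_unsafe(name))
        print("safe:  ", build_link_safe(name))
        print("client would send:", basename_only(name))
```

Running the script shows the first URL flagged for the local path and the second producing an injected `<script>` element in the unsafe link but only `&lt;script` text in the escaped one. The escaping fixes the reflection on the server; the `basename_only` step is the separate client-side change that would stop the path being sent at all.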
    



    This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 20:28:13 PST