RE: Windows Media Player executes WMF content in .MP3 files.

From: Menashe Eliezer (menasheat_private)
Date: Wed Feb 27 2002 - 14:07:09 PST

Next message: Adonis.No.Spam: "2K, with RealPlayer Installed 100 % CPU utilization"

Previous message: David F. Skoll: "Re: Anti Virus Mailscanners DOS"
In reply to: Brian McWilliams: "Re: Windows Media Player executes WMF content in .MP3 files."
Next in thread: David Korn: "RE: Windows Media Player executes WMF content in .MP3 files."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Actually, any file extension that is associated with the vulnerable
applications can be used.
Even .WAV files can be used to "hijack" users to a web site containing a
powerful ActiveX Control. The URL can even include a direct link to an
executable, or to a web site that automatically downloads and executes an
executable.
There is also a privacy aspect to this exploit. Users that play illegal
multimedia files, such as .MP3 and MPEGs, can be tracked by web sites that
logs their IP Address or even much more personal details. For example, an
ActiveX Control embedded on a web site can pull out your e-mail address.

This technique is powerful. However, there are many ways to "hijack" users
to a web site, and the main issue is: How to protect users from malicious
active content in web sites. Finjan has put a .WAV demo to test your
vulnerability to this attack. Upon opening this audio file with vulnerable
software, a sound will be played and you'll be "hijacked" directly to Finjan
Software's ActiveX demo.
More details can be found in:
http://www.finjan.com/attack_release_detail.cfm?attack_release_id=67


--
Menashe Eliezer
Manager, Malicious Code Research Center
Finjan Software - Proactive Defense Against Malicious Code
Web: http://www.finjan.com/mcrc


-----Original Message-----
From: Brian McWilliams [mailto:brian@pc-radio.com]
Sent: Sunday, February 24, 2002 4:14 AM
To: David Korn; bugtraqat_private
Subject: Re: Windows Media Player executes WMF content in .MP3 files.


I've confirmed the report below.

Windows Media Player (like RealPlayer) allows content developers to create
slide shows or "illustrated audio." That is, you can create a stream in the
player's native media format (.asf, .wma. .wmf) that includes embedded
URLs, scripts, etc.

http://msdn.microsoft.com/library/en-us/dnwmt/html/wmp7_urlflips.asp

Turns out that if you feed the WMP a .wma file that has embedded URLs and
that has been renamed to end in .mp3, the WMP will happily treat the file
like one of its own and launch the URLs in the browser when it encounters
them in the stream.

Demo here:

http://www.pc-radio.com/gimp.mp3

59k (19 second) wma file that has been renamed to mp3. Should launch three
separate Web pages during playback with Windows Media Player.

Brian

Next message: Adonis.No.Spam: "2K, with RealPlayer Installed 100 % CPU utilization"
Previous message: David F. Skoll: "Re: Anti Virus Mailscanners DOS"
In reply to: Brian McWilliams: "Re: Windows Media Player executes WMF content in .MP3 files."
Next in thread: David Korn: "RE: Windows Media Player executes WMF content in .MP3 files."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 22:49:49 PST