Why i love xs4all rant (you'll probably wanna skip this but i need to get
this out of my system):
a few weeks back i was unpleasantly suprised by the fact that my
internet wasn't working
the support desk employee after making me reset my modem a dozen times
and tripple checking
my settings finaly found out that i had an abuse ticket.
I supposedly portscanned (a harmless process) :S some poor guy who felt
the need to complain about it. They wouldn't tell me who
it was when it happened or anything. being the second warning (over a 2
year!! period) they descided they
had no other alternative then to shut me down. I am not aware of
anything i have done wrong, but i am not
given any option to defend myself against the allergations, I dont just
randomly portscan people.
In essense you are conficted without even hearing the evidence or being
apointed a lawyer.
This is a really scary thought because in essence any of the following
situations will lead to cancelation of
your account
You activly seek out flaws in a website, you report them to a website
owner, he doesn't like this and rather than
fix the problem notifies your ISP xs4all to complain about it. resulting
in cancelation of your account.
You wont even know who complained because and explain the whole thing
because xs4all grants the complaining
party anonimity
You get hacked and someone uses your machine to do something nasty
An online chatbuddy asks you to nmap his machine to see if the firewall
he set up is working properly
after a while the friendship goes sour and just to piss you off he
reports the scanning.
someone sends you an email containing all sorts of
<img src="http://www.mysite.com/login.asp?username=a'or 1=1;--">
kinda stuff, look xs4all!! he hacked my site , just look at my logs and
xs4all's connection logs
will show the connections where made from your ip matching the
timestamps in the log
probably a dozen other ways are possible, and there's no way to find out
what has been going on
this shielding of the sources is ridiculous, what will i do tell the
world i nmapped him?
well whoopdiedoo call out the witness protection program
Particularly cute is the other day i see an interview with cor bosman
telling how xs4all
founders where titled the hacker thread from holland etc
I have a 4 letter acronym for him, you figure it out
Description :
Windows Media Player allows you to play audio and video files
locally stored and streamed from the Internet.
It includes a visualizer, a jukebox, a media guide,
an Internet radio tuner, and support for
countless media formats and various external devices.
There is is a flaw in Windows media player 7 and 8 that allows
execution of arbitrary code
Vulnerable versions are shipped by default with
all recent windows distributions including 98 and 2000 and xp
Details :
Windows media player skin (.WMZ) files are automaticly opened by
internet explorer
As a security precaution they are placed in a folder with a random name
similar to this :
C:\Program Files\Windows Media Player\Skins\004B1813
However this can be trivially defeated by setting the following http
headers.
Content-Disposition: filename=%2e%2e%5cjelmer.wmz
Content-Type: application/download
<content follows>
%2e%2e%5cjelmer.wmz is the url encoded path ..\jelmer.wmz , windows
media player urldecodes this and the
path becomes :
C:\Program Files\Windows Media Player\Skins\004B1813\..\jelmer.wmz
witch is equivilent to
C:\Program Files\Windows Media Player\Skins\jelmer.wmz
witch is a known location on the filesystem, witch is a "very bad thing"
(tm)
to make matters worse we could append an urlencoded null byte to the
file name and "spoof" the extention
like this
"%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20User
s%5CStart%20Menu%5CPrograms%5CStartup%5csomefile.exe%00.wmz
witch drops an executable in the windows startup folder (on an english
xp system)
Systems affected :
Both media player 7.1 and 8 are affected by the flaw, 9 proofed
unaffected
Example :
I should have attached a sample exploit
Vendor status :
Microsoft was notified 23-03-2003 and has issued a fix the details are
available at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-017.asp
Credit was shared because apperently Jouko reported the same issue at
aproximatly the same time
Solution :
Update to the latest version of media player
This archive was generated by hypermail 2b30 : Thu May 08 2003 - 08:12:55 PDT