COMMAND
Media Player
SYSTEMS AFFECTED
Windows Media Player 6.4, 7, and 7.1
PROBLEM
The following is based on Microsoft Security Bulletin MS01-042.
Windows Media Player provides support for audio and video
streaming. Streaming media channels can be configured by using
Windows Media Station (.NSC) files. An unchecked buffer exists
in the functionality used to process Windows Media Station files.
This unchecked buffer could potentially allow an attacker to run
code of his choice on the machine of another user. The attacker
could either send a specially malformed file to another user and
entice her to run or preview it, or he could host such a file on
a web site and cause it to launch automatically whenever a user
visited the site. The code could take any action on the machine
that the legitimate user himself could take.
Customers who have applied the Outlook E-mail Security Update
(OESU) for Outlook 2000 or are running Outlook XP, which has the
OESU functionality built-in, are automatically protected against
HTML e-mail based attempts to exploit this vulnerability.
For others not in the above categories, the attacker would have to
entice the potential victim to visit a web site he controlled, or
to open an HTML e-mail he had sent.
The attacker would need to know the specific operating system that
the user was running in order to tailor the attack code properly;
if the attacker made an incorrect guess about the user's operating
system platform, the attack would crash the user's Windows Media
Player session, but not run code of the attacker's choice.
Windows Media Player executes files on the target computer as
follows.
1. Create an *.asx meta file as follows:
<ASX><Entry><ref HREF=''/></ASX>
<IFRAME SRC='about:<body><html><OBJECT CLASSID="CLSID:10000000-0000-0000-0000-000000000000" CODEBASE="C:\WINDOWS\Regedit.exe"></OBJECT></html></body>'></IFRAME>
<!-- 27.07.01 http://www.malware.com -->
2. Create an *.asf file with URL flip as follows:
about:<OBJECT ID="Content" WIDTH=0 HEIGHT=0
CLASSID="CLSID:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="file://C:\My Documents\My Music\Virtual Albums\malware\malware.asx"><PARAM NAME="UseHeader" VALUE="true"></OBJECT><div datasrc=#Content datafld="<ASX><Entry><ref HREF=''/></ASX>" dataformatas="HTML" style="width: 100%; height: 60%;"></div>
3. Create a *.wmd file comprising 1 and 2 above.
What happens? Ordinarily the Windows Media Download Package file
(*.wmd) creates a folder with the given name of the *.wmd file --
e.g. malware.wmd will create a folder called malware in the
default location for so-called "Virtual Music" -- specifically:
My Documents\My Music\Virtual Albums\malware. Security measures
currently incorporated in the extraction of the contents of the
*.wmd do a reasonably good job of ensuring that files contained
within the Download Package are in fact valid files.
A reasonably good job.
We find that the bare minimum for the *.asx meta file must include
the following:
<ASX><Entry><ref HREF=''/></ASX>
With these tags the Media Player will indeed extract the *.asx
file into our known folder. So how do we make use of that?
Databinding.
We find that we can parse html using the databinding control
included in IE5. And we do it like so: the databinding control
requires a header to match what it is to write as html. What we
do, quite brilliantly actually, is use the *.asx header as our
header for the databinding control:
*.asx - <ASX><Entry><ref HREF=''/></ASX>
databinding control:
datafld="<ASX><Entry><ref HREF=''/></ASX>"
The Windows Media Package file (malware.wmd) is automatically
opened from web or news or mail; it automatically creates the
malware folder in the so-called "Virtual Music" directory. It
automatically extracts the malware.asx meta file, which is valid
but includes our ActiveX component as above, and it extracts our
malware.asf file which includes our URL flip. The URL flip is
called once the malware.asf starts playing; it creates an "about"
window from within the malware folder, and the "about" window
includes our databinding control, which points to the malware.asx,
which is rendered as *.html because the datafld header *IS* the
*.asx meta tag!
And that all, in turn, executes our file on the target computer!
1. The machine that this is all on is now dead thanks to your
module MSDXM.OCX, which will require a reformat. Nevertheless,
a fully functional example has been thoroughly tested in "the
field".
2. The "free" Advanced Script Indexer that comes with the Windows
Media 7 Resource Kit allows us to include in the URL flip
whatever we like.
3. The path to the so-called "Virtual Music" directory is
hard-coded in the above. The possibility of not having to know
the location is good because everything is opened from within
the same folder created by the Windows Media Download package,
i.e. possibly through a "skin" file, or some other entry in
the *.asx such as an <event> parameter coupled with scripting
in the *.asf or *.wmz file(s); relative paths should work.
4. When it suits us, we'll recompile the working example if none
of the above is clear.
5. It took 10 days to conceive, craft and construct, of which
about 5 days were spent crashing and scandisk-ing at minimum
4 times per day. Win98. Very unstable.
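As an added defensive check (not part of the advisory or of the malware.com posting), the following Python scanner flags Windows Media Station/ASX playlists that carry the HTML, ActiveX and databinding markup the chain above relies on, and applies the same check to every playlist inside a download package. It assumes a *.wmd package is a ZIP archive (the page does not state this); the sample playlists and the package are constructed here.

```python
import io
import re
import zipfile

# Markup that a valid ASX/NSC playlist never needs but the chain above
# depends on: HTML containers, ActiveX objects launched via CLSID and
# CODEBASE, "about:" URL flips and IE databinding attributes.
SUSPICIOUS = re.compile(
    r"<iframe\b|<object\b|classid\s*=|codebase\s*=|about:|datafld\s*=|datasrc\s*=",
    re.IGNORECASE,
)
PLAYLIST_EXTENSIONS = (".asx", ".nsc", ".wax", ".wvx")

def suspicious_tokens(text):
    """Distinct suspicious markup tokens in playlist text, normalised and sorted."""
    return sorted({m.group(0).lower().rstrip("= ") for m in SUSPICIOUS.finditer(text)})

def scan_playlist(text):
    """Report whether an ASX/NSC playlist body smuggles HTML/ActiveX markup."""
    tokens = suspicious_tokens(text)
    return {"suspicious": bool(tokens), "tokens": tokens}

def scan_wmd_package(data):
    """Scan each playlist entry of a .wmd package (assumed to be a ZIP archive)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if name.lower().endswith(PLAYLIST_EXTENSIONS):
                result = scan_playlist(pkg.read(name).decode("latin-1", "replace"))
                if result["suspicious"]:
                    findings[name] = result["tokens"]
    return findings

# Constructed samples: the bare minimum valid playlist, and one modelled on
# the IFRAME/OBJECT payload from the posting (CLSID is a placeholder).
BENIGN_ASX = "<ASX><Entry><ref HREF='mms://example.invalid/stream'/></ASX>"
HOSTILE_ASX = (
    "<ASX><Entry><ref HREF=''/></ASX>\n"
    "<IFRAME SRC='about:<OBJECT CLASSID=\"CLSID:00000000-0000-0000-0000-000000000000\" "
    "CODEBASE=\"C:\\WINDOWS\\Regedit.exe\"></OBJECT>'></IFRAME>\n"
)

def build_sample_package():
    """In-memory .wmd-style ZIP holding both playlists plus a stub .asf (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("benign.asx", BENIGN_ASX)
        pkg.writestr("malware.asx", HOSTILE_ASX)
        pkg.writestr("malware.asf", b"\x30\x26\xb2\x75")  # ASF GUID prefix only
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_wmd_package(build_sample_package()))
```

Only playlist entries are inspected; a URL flip embedded in the *.asf stream itself would need a separate ASF script-command parser.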
SOLUTION
A patch is available to fix this vulnerability. Please read the
Security Bulletin:
http://www.microsoft.com/technet/security/bulletin/ms01-042.asp
for information on obtaining this patch.