A buffer overflow exists in Explorer's automatic reading of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker could create a malicious MP3 or WMA file that, if placed in a folder a Windows XP user browses, would compromise the system and allow remote code execution. The MP3 does not need to be played; it only needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site. Microsoft's WMA files suffer from a similar vulnerability.
A Windows XP user visiting the site using Internet Explorer would be remotely compromised without any warning or download of files regardless of Internet Explorer security settings.
Unlike Windows 2000, Windows XP natively supports reading and parsing MP3 and WMA file attributes. If a user highlights an MP3 or WMA file with the cursor, applicable details of the media file will be displayed. Explorer automatically reads file attributes regardless of whether or not the user actually highlights, clicks on, reads, or opens the file. Windows XP's Explorer will overflow if corrupted attributes exist within the MP3 or WMA file.
An unsuspecting user merely needs to browse a folder (local or network share) that contains the file. For example, a user running Windows XP could download an MP3 from an Internet peer-to-peer file-sharing network (or anywhere else on the Internet) and then open their MP3 folder (to listen to that MP3 or any other). Upon folder access, Explorer would execute the code contained within the file attributes. The code could do anything from running a reverse shell to infecting other MP3 files on the computer.
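A defender's counterpart to the behaviour described above is to validate the attribute block of a file before it reaches a browsed folder or share. The advisory does not name the attribute format, so the following added example (not code from the advisory or from Microsoft) assumes the attributes Explorer reads are ID3v2 text frames, the usual MP3 metadata container. It walks the tag, checks that every declared size is consistent with the tag and file length, and flags text frames that are implausibly large; the `MAX_TEXT_FRAME_BYTES` cap and the sample tags built by `text_frame`/`build_tag` are constructed for this example.

```python
"""Structural sanity check for ID3v2 tags at the head of MP3 files.

Added example; not the advisory's or Microsoft's code. ASSUMPTION: the
attributes Explorer parses are ID3v2.3/2.4 text frames. A file whose tag
declares sizes that overrun the tag, or carries oversized text frames, is
reported so it can be quarantined before anyone browses the folder.
"""
from __future__ import annotations

import os
import struct

ID3_HEADER_LEN = 10     # "ID3" + version(2) + flags(1) + syncsafe size(4)
FRAME_HEADER_LEN = 10   # id(4) + size(4) + flags(2) for ID3v2.3/2.4
# Constructed threshold for this example, not a value from the advisory;
# real title/artist frames stay far below it.
MAX_TEXT_FRAME_BYTES = 1024


def syncsafe_to_int(field: bytes) -> int:
    """Decode a 4-byte ID3v2 syncsafe integer (7 data bits per byte)."""
    value = 0
    for byte in field:
        if byte & 0x80:
            raise ValueError("high bit set in syncsafe size field")
        value = (value << 7) | byte
    return value


def check_id3v2(data: bytes) -> list[str]:
    """Walk the ID3v2 tag in `data`; return findings (empty list = looks sane)."""
    findings: list[str] = []
    if len(data) < ID3_HEADER_LEN or data[:3] != b"ID3":
        return findings                     # no ID3v2 tag to parse
    major, flags = data[3], data[5]
    if major not in (3, 4):
        return [f"unsupported ID3v2.{major} tag"]
    try:
        tag_size = syncsafe_to_int(data[6:10])
    except ValueError as exc:
        return [f"bad tag size field: {exc}"]
    end = ID3_HEADER_LEN + tag_size
    if end > len(data):
        return [f"tag size {tag_size} overruns file length {len(data)}"]
    if flags & 0x40:
        return ["extended header present (not parsed by this check)"]

    offset = ID3_HEADER_LEN
    while offset + FRAME_HEADER_LEN <= end:
        frame_id = data[offset:offset + 4]
        if frame_id == b"\x00\x00\x00\x00":
            break                           # padding marks the end of frames
        name = frame_id.decode("ascii", "replace")
        if not all(0x30 <= c <= 0x39 or 0x41 <= c <= 0x5A for c in frame_id):
            findings.append(f"invalid frame id {name!r} at offset {offset}")
            break
        size_field = data[offset + 4:offset + 8]
        try:                                # v2.4 sizes are syncsafe, v2.3 plain big-endian
            size = (syncsafe_to_int(size_field) if major == 4
                    else struct.unpack(">I", size_field)[0])
        except ValueError as exc:
            findings.append(f"frame {name}: {exc}")
            break
        body_start = offset + FRAME_HEADER_LEN
        if body_start + size > end:
            findings.append(f"frame {name} declares {size} bytes, "
                            f"overrunning the tag by {body_start + size - end}")
            break
        if name.startswith("T") and size > MAX_TEXT_FRAME_BYTES:
            findings.append(f"text frame {name} is {size} bytes, over the "
                            f"{MAX_TEXT_FRAME_BYTES}-byte cap")
        offset = body_start + size
    return findings


def scan_folder(folder: str) -> dict[str, list[str]]:
    """Check every .mp3 in `folder`; return {filename: findings} for flagged files."""
    flagged: dict[str, list[str]] = {}
    for fname in sorted(os.listdir(folder)):
        if fname.lower().endswith(".mp3"):
            with open(os.path.join(folder, fname), "rb") as fh:
                findings = check_id3v2(fh.read())
            if findings:
                flagged[fname] = findings
    return flagged


# --- constructed sample builders (for demonstration, not part of the check) ---
def text_frame(frame_id: str, text: str, declared_size: int | None = None) -> bytes:
    """Build one ID3v2.3 text frame; `declared_size` lets a sample lie about its length."""
    body = b"\x00" + text.encode("latin-1")     # encoding byte 0 = ISO-8859-1
    size = len(body) if declared_size is None else declared_size
    return frame_id.encode("ascii") + struct.pack(">I", size) + b"\x00\x00" + body


def build_tag(frames: bytes) -> bytes:
    """Wrap frames in an ID3v2.3 header with a syncsafe-encoded size."""
    ss = bytes(((len(frames) >> shift) & 0x7F) for shift in (21, 14, 7, 0))
    return b"ID3\x03\x00\x00" + ss + frames


if __name__ == "__main__":
    good = build_tag(text_frame("TIT2", "Track title") + text_frame("TPE1", "Artist"))
    print("well-formed :", check_id3v2(good) or "no findings")
    corrupt = build_tag(text_frame("TIT2", "x", declared_size=5000))
    print("corrupt     :", check_id3v2(corrupt))
```

Run `scan_folder` over a download directory to list files whose tags are internally inconsistent; a clean result only says the tag structure is coherent, not that the file is safe, so treat it as a pre-filter in front of the shell's own parser rather than a replacement for the vendor patch.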
Users of Windows 2000 or other non-Windows XP operating systems are unaffected, and even MP3s with corrupt attributes will play fine on those operating systems with most players.
Two additional attack vectors exist for this vulnerability via a web browser as well as Outlook. A malicious website could contain an IFRAME of a NetBIOS share that holds a malicious MP3. Similarly, an email could be sent to an Outlook user containing HTML that references the NetBIOS share. Depending on Outlook security settings and preferences, this attack may not be directly exploitable via an email message. However, if the user browses to a malicious web site with Internet Explorer directly, the attack will work regardless of the Internet Explorer security settings.