
Windows Media Player executes WMF content in .MP3 files
25th Feb 2002 [SBWID-5120]
COMMAND

	Windows Media Player executes WMF content in .MP3 files

SYSTEMS AFFECTED

	8.00.00.4477, maybe others

PROBLEM

	DaveK reported the following:
	

	[  From  Message-ID:  <MPG.16d20065551d97599897f5@netnews.attbi.com>,
	available at http://howardk.moonfall.com/msgid.cgi?ID=101419648800 ]
	

	 ---begin quote---

	My ex sent me an mp3 she'd dloaded on Gnotella:
	

	"lifehouse - hanging by a moment - rare version.mp3"
	 

	When this file is opened [only works with MS  Media  player]  a  *porno*
	vid starts playing, and triggers a  MASSIVE  amount  of  pop-up  ads.  I
	don't use media player as my default, has this been  going  on  all  the
	time? and if so does anyone know how they do it?
	 ---end quote---

	

	Inspection of the file in a hex editor revealed:
	

	[    From    Message-ID:    <Jgua8.2390$5o.1006831@newsr2.u-net.net>,
	available at http://howardk.moonfall.com/msgid.cgi?ID=101419654600 ]
	

	 ---begin quote---

	Hmm.  Here's the file beginning, in hex:
	

	0000: 30 26 b2 75 8e 66 cf 11......

	

	

	Now, according  to  http://home.swipnet.se/grd/mp3info/mp3doc.html,  mp3
	frame headers begin with 12 1  bits,  so  there  should  be  a  FF  byte
	followed by a byte beginning with E or F, so that's  not  an  mp3  frame
	header. The first mp3 frame header appears to  start  at  offset  0x0829
	where there's an FF F7 sequence...
	

	Nor is it a vbr header, nor an  ID3  tag,  since  it  doesn't  have  any
	readable ascii words there.
	

	However, looked at as unicode, I see a lot of stuff like.....
	

	

	GirlsOntheStreetThisIsRealAskedToHaveSexForMone

	WMFSDKVersion 8.00.00.4477

	WMFSDKNeeded 0.0.0.0000

	URL     http://www.entirelynude.com/bangbus.htm

	

	

	So I think we have our answer. It's a .wmf file with a  fake  extension,
	and stupid old windoze goes and opens it as the type detected  from  the
	contents rather than the type detected from the extension. This  is  the
	same kind of vulnerability that lets a webserver send an  .exe  to  your
	browser with a .wav file-extension in  the  mime  headers  and  have  it
	auto-run, and represents  a  new  potential  for  social-engineering  of
	windoze users.
	

	 ---end quote---

	

	The file did indeed have a .mp3  extension;  no  double-extension  trick
	was used.
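
	The mismatch described above can be checked mechanically. The following is an added example, not part of the original advisory or the quoted posts: it classifies a file by its leading bytes, flags a .mp3 name whose content is not MP3, and lists URLs stored as UTF-16 in the header. The function names, the sample buffer and the example.invalid URL are constructed for illustration.

```python
import re
from pathlib import Path

# First 8 bytes of the sample, as shown in the hex dump quoted above. They are
# the start of the ASF (Windows Media container) header object GUID.
ASF_MAGIC = bytes.fromhex("3026b2758e66cf11")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # 6+ printable UTF-16LE chars

def sniff(data):
    """Classify a buffer by its leading bytes, ignoring the file name."""
    if data.startswith(ASF_MAGIC):
        return "asf"
    if data.startswith(b"ID3"):
        return "mp3"  # ID3v2 tag placed before the audio frames
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # MPEG audio frame sync: FF, then a byte starting E or F
    return "unknown"

def utf16_strings(data):
    """Printable UTF-16LE runs, like a hex editor's Unicode view."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]

def check(name, data):
    """Flag a .mp3 whose content is not MP3 and list URLs found in it."""
    ext = Path(name).suffix.lower()
    kind = sniff(data)
    urls = [u for s in utf16_strings(data) for u in re.findall(r"https?://\S+", s)]
    return {"ext": ext, "content": kind,
            "mismatch": ext == ".mp3" and kind != "mp3", "urls": urls}

# Constructed sample (not the file from the advisory): ASF magic, padding,
# two UTF-16LE header strings, then an MP3-style sync pair further in.
SAMPLE = (ASF_MAGIC + b"\x00" * 22
          + "WMFSDKVersion".encode("utf-16-le") + b"\x00\x00"
          + "URL http://example.invalid/ad.htm".encode("utf-16-le") + b"\x00\x00"
          + b"\xff\xf7" + b"\x00" * 16)

if __name__ == "__main__":
    print(check("rare version.mp3", SAMPLE))
```

	A mail or download gateway can quarantine on "mismatch" and log "urls" for review; only the leading bytes are used for classification, so a sync pair later in the file does not make it pass as MP3.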
	

	

	

SOLUTION

	 Update (25 July 2002)

	 ======

	

	Patch available from:
	

	http://www.microsoft.com/technet/security/bulletin/ms02-032.asp

	

	

	

	
