Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: Windows Media Player executes WMF content in .MP3 files.
From: "Menashe Eliezer" <menashe () finjan com>
Date: Thu, 28 Feb 2002 00:07:09 +0200

Actually, any file extension that is associated with the vulnerable
applications can be used.
Even .WAV files can be used to "hijack" users to a web site containing a
powerful ActiveX Control. The URL can even include a direct link to an
executable, or to a web site that automatically downloads and executes an
executable.
There is also a privacy aspect to this exploit. Users that play illegal
multimedia files, such as .MP3 and MPEGs, can be tracked by web sites that
logs their IP Address or even much more personal details. For example, an
ActiveX Control embedded on a web site can pull out your e-mail address.

This technique is powerful. However, there are many ways to "hijack" users
to a web site, and the main issue is: How to protect users from malicious
active content in web sites. Finjan has put a .WAV demo to test your
vulnerability to this attack. Upon opening this audio file with vulnerable
software, a sound will be played and you'll be "hijacked" directly to Finjan
Software's ActiveX demo.
More details can be found in:
http://www.finjan.com/attack_release_detail.cfm?attack_release_id=67


--
Menashe Eliezer
Manager, Malicious Code Research Center
Finjan Software - Proactive Defense Against Malicious Code
Web: http://www.finjan.com/mcrc


-----Original Message-----
From: Brian McWilliams [mailto:brian () pc-radio com]
Sent: Sunday, February 24, 2002 4:14 AM
To: David Korn; bugtraq () securityfocus com
Subject: Re: Windows Media Player executes WMF content in .MP3 files.


I've confirmed the report below.

Windows Media Player (like RealPlayer) allows content developers to create
slide shows or "illustrated audio." That is, you can create a stream in the
player's native media format (.asf, .wma. .wmf) that includes embedded
URLs, scripts, etc.

http://msdn.microsoft.com/library/en-us/dnwmt/html/wmp7_urlflips.asp

Turns out that if you feed the WMP a .wma file that has embedded URLs and
that has been renamed to end in .mp3, the WMP will happily treat the file
like one of its own and launch the URLs in the browser when it encounters
them in the stream.

Demo here:

http://www.pc-radio.com/gimp.mp3

59k (19 second) wma file that has been renamed to mp3. Should launch three
separate Web pages during playback with Windows Media Player.

Brian



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]