
Thread: WinXP Critical Vulnerability - MS02-072

#1 Senior Member (Join Date: Jun 2002)

    WinXP Critical Vulnerability - MS02-072

    This is a 'critical' vulnerability with good reason. It only affects Windows XP, but gives the attacker pretty much complete control over the system, and this vulnerability can be invoked by simply downloading a malicious mp3 and browsing the folder that it is contained within.

    Foundstone Research Labs Advisory - FS2002-11

    Advisory Name: Exploitable Windows XP Media Files
    Release Date: December 18, 2002
    Application: Windows Explorer
    Platforms: Windows XP
    Severity: Remote code execution
    Vendors: Microsoft (http://www.microsoft.com)
    Authors: Tony Bettini, Foundstone (tony.bettini@foundstone.com)
    CVE Candidate: CAN-2002-1327
    Reference: http://www.foundstone.com/advisories


    A buffer overflow exists in Explorer's automatic reading of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker could create a malicious MP3 or WMA file that, if placed in an accessed folder on a Windows XP system, would compromise the system and allow for remote code execution. The MP3 does not need to be played; it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site. Microsoft's WMA files also suffer from a similar vulnerability.

    A Windows XP user visiting the site using Internet Explorer would be remotely compromised without any warning or download of files regardless of Internet Explorer security settings.

    Detailed Description:

    Unlike Windows 2000, Windows XP natively supports reading and parsing MP3 and WMA file attributes. If a user highlights an MP3 or WMA file with the cursor, applicable details of the media file will be displayed. Explorer automatically reads file attributes regardless of whether or not the user actually highlights, clicks on, reads, or opens the file. Windows XP's Explorer will overflow if corrupted attributes exist within the MP3 or WMA file.

    An unsuspecting user merely needs to browse a folder (local or network share) that contains the file. For example, a user running Windows XP could download an MP3 off of an Internet-based peer-to-peer file sharing mechanism (or anywhere else on the Internet) and then open their MP3 folder (to potentially listen to that MP3 or any other MP3). Upon folder access, Explorer would execute the code contained within the file attributes. The code could do anything from running a reverse shell to infecting other MP3 files on the computer.

    Users of Windows 2000 or other non-Windows XP operating systems are unaffected, and even MP3s with corrupt attributes will play fine on those operating systems with most players.

    Two additional attack vectors exist for this vulnerability via a web browser as well as Outlook. A malicious website could contain an IFRAME of a NetBIOS share that holds a malicious MP3. Similarly, an email could be sent to an Outlook user containing HTML that references the NetBIOS share. Depending on Outlook security settings and preferences, this attack may not be directly exploitable via an email message. However, if the user browses to a malicious web site with Internet Explorer directly, the attack will work regardless of the Internet Explorer security settings.

    Vendor Response:

    Microsoft has issued a fix for this vulnerability; it is available at:

    Foundstone would like to thank Microsoft Security Response Center for their prompt handling of this vulnerability.


    Foundstone recommends reviewing the Microsoft Security Bulletin and immediately applying the Microsoft patch.

    The FoundScan Enterprise Vulnerability Management System has been updated to check for this vulnerability. For more information on FoundScan, go to: http://www.foundstone.com


    The information contained in this advisory is copyright (c) 2002 Foundstone, Inc. and is believed to be accurate at the time of publishing. However, no representation of any warranty is given, expressed, or implied as to its accuracy or completeness. In no event shall the author or Foundstone be liable for any direct, indirect, incidental, special, exemplary or consequential damages resulting from the use or misuse of this information. This advisory may be redistributed, provided that no fee is assigned and that the advisory is not modified in any way.

    About Foundstone Foundstone Inc. addresses the security and privacy needs of Global 2000 companies with world-class Enterprise Vulnerability Management Software, Managed Vulnerability Assessment Services, Professional Consulting and Education offerings. The company has one of the most dominant security talent pools ever assembled, including experts from Ernst & Young, KPMG, PricewaterhouseCoopers, and the United States Defense Department. Foundstone executives and consultants have authored nine books, including the international best seller Hacking Exposed: Network Security Secrets & Solutions. Foundstone is headquartered in Orange County, CA, and has offices in New York, Washington, DC, San Antonio, and Seattle. For more information, visit www.foundstone.com or call 1-877-91-FOUND.

    Copyright (c) 2002 Foundstone, Inc. All rights reserved worldwide.
    Foundstone Research Labs Advisory - FS2002-11
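
The attribute-reading path the advisory describes, modelled in C as an added example (this is not Foundstone's or Microsoft's code, and the advisory does not say which field the real overflow keys on). It assumes the attributes live in an ID3v2.3 tag with a TIT2 (title) frame, which is the metadata Explorer shows for an MP3, and shows the vulnerable pattern (a fixed "attribute" buffer filled with a length taken straight from the file) beside a reader that checks every length, plus a scanner that flags tags whose declared sizes do not match the bytes actually present, the kind of check one could run over a download folder or share while waiting for the patch. The tag bytes are constructed in `build_tag`; `TITLE_CAP` and `MAX_FRAME` are assumed values.

```c
/* Model of the MS02-072 bug class (added example, not Microsoft's code):
 * an ID3v2.3 parser that trusts the attacker-controlled frame length
 * (read_title_unchecked) beside one that bounds every copy
 * (read_title_checked), and a scanner (tag_is_suspicious) for files on disk. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TITLE_CAP 32    /* assumed fixed-size "attribute" buffer, the kind that overflows */
#define MAX_FRAME 1024  /* assumed sanity cap on a text frame */

struct title_slot { char title[TITLE_CAP]; char guard[8]; };

static uint32_t be32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

static uint32_t syncsafe(const uint8_t *p)   /* ID3v2 header size: 4 x 7 bits */
{ return ((uint32_t)(p[0] & 0x7F) << 21) | ((uint32_t)(p[1] & 0x7F) << 14) |
         ((uint32_t)(p[2] & 0x7F) << 7) | (p[3] & 0x7F); }

/* Constructed test data: minimal ID3v2.3 tag with one TIT2 frame.
 * `declared` overrides the frame size field when non-zero, so the tag can lie. */
static size_t build_tag(uint8_t *out, size_t cap, const char *text, uint32_t declared)
{
    uint32_t actual = 1 + (uint32_t)strlen(text);   /* encoding byte + text */
    uint32_t body = 10 + actual;                    /* frame header + frame data */
    if (!declared) declared = actual;
    if ((size_t)10 + body > cap) return 0;
    memcpy(out, "ID3\x03\x00\x00", 6);
    out[6] = (body >> 21) & 0x7F; out[7] = (body >> 14) & 0x7F;
    out[8] = (body >> 7) & 0x7F;  out[9] = body & 0x7F;
    memcpy(out + 10, "TIT2", 4);
    out[14] = declared >> 24; out[15] = declared >> 16;
    out[16] = declared >> 8;  out[17] = declared;
    out[18] = out[19] = 0;                          /* frame flags */
    out[20] = 0;                                    /* encoding 0 = ISO-8859-1 */
    memcpy(out + 21, text, strlen(text));
    return 10 + body;
}

/* VULNERABLE pattern: copies as many bytes as the frame header says into a
 * fixed buffer, so a title longer than TITLE_CAP writes past it. */
static void read_title_unchecked(const uint8_t *tag, struct title_slot *slot)
{
    const uint8_t *fr = tag + 10;                   /* first frame */
    uint32_t fsize = be32(fr + 4);
    memcpy(slot->title, fr + 11, fsize - 1);        /* length comes straight from the file */
}

/* Scanner: 1 if the header or any frame claims more bytes than are present
 * (or more than MAX_FRAME), 0 for a consistent tag. */
static int tag_is_suspicious(const uint8_t *tag, size_t len)
{
    if (len < 10 || memcmp(tag, "ID3", 3) != 0 || tag[3] != 3) return 1;
    uint32_t body = syncsafe(tag + 6);
    if (body > len - 10) return 1;                  /* header claims more than the file holds */
    const uint8_t *p = tag + 10, *end = p + body;
    while (end - p >= 10) {
        uint32_t fsize = be32(p + 4);
        if (fsize > (uint32_t)(end - p - 10) || fsize > MAX_FRAME) return 1;
        p += 10 + fsize;
    }
    return 0;
}

/* HARDENED reader: validates the whole tag, then bounds the copy by `outcap`.
 * 0 = title in out, 1 = no title frame, -1 = malformed, -2 = title too long. */
static int read_title_checked(const uint8_t *tag, size_t len, char *out, size_t outcap)
{
    if (tag_is_suspicious(tag, len)) return -1;
    const uint8_t *p = tag + 10, *end = p + syncsafe(tag + 6);
    while (end - p >= 10) {
        uint32_t fsize = be32(p + 4);
        if (memcmp(p, "TIT2", 4) == 0) {
            if (fsize < 1 || p[10] != 0) return -1; /* only ISO-8859-1 text modelled */
            if (fsize - 1 >= outcap) return -2;     /* reject instead of truncating silently */
            memcpy(out, p + 11, fsize - 1);
            out[fsize - 1] = '\0';
            return 0;
        }
        p += 10 + fsize;
    }
    return 1;
}

/* Builds a tag from `text` and runs the hardened reader on it. */
static int classify(const char *text, uint32_t declared, char *title, size_t cap)
{
    uint8_t tag[128];
    size_t n = build_tag(tag, sizeof tag, text, declared);
    return n ? read_title_checked(tag, n, title, cap) : -1;
}

/* Shows the unchecked reader clobbering the bytes after the title buffer.
 * The overlong title is sized so the spill stays inside the struct. */
static int unchecked_overflow_demo(void)
{
    uint8_t tag[128];
    char longtitle[TITLE_CAP + 8 + 1];
    memset(longtitle, 'A', sizeof longtitle - 1);
    longtitle[sizeof longtitle - 1] = '\0';
    build_tag(tag, sizeof tag, longtitle, 0);       /* honest sizes, title just too long */
    struct title_slot slot;
    memset(&slot, 0, sizeof slot);
    read_title_unchecked(tag, &slot);
    return slot.guard[0] == 'A' && slot.guard[7] == 'A';
}

int main(void)
{
    char t[TITLE_CAP];
    printf("honest tag:  code=%d title=%s\n", classify("hello", 0, t, sizeof t), t);
    printf("lying tag:   code=%d\n", classify("hello", 0x7FFFFFFF, t, sizeof t));
    printf("unchecked reader clobbered guard: %d\n", unchecked_overflow_demo());
    return 0;
}
```

The scanner rejects the tag that declares a 2 GB title with only a few bytes behind it, which the unchecked reader would have used as its copy length; the honest-but-overlong title passes the scanner and is refused only by the destination bound in the hardened reader, which is why both checks are needed.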

#2 (Join Date: Dec 2002)
    Thanks for the help info!
    Keep it coming!

#3 Noia, Now, RFC Compliant! (Join Date: Jan 2002)
    M$ never stops amazing me
    Thanks for the heads-up

    - Noia
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    And no one can recall the gentle features of the queen's face on that fair day, when this land rested in holy peace and everyone had love to love with.
