Foundstone Research Labs Advisory - FS2002-11
Advisory Name: Exploitable Windows XP Media Files
Release Date: December 18, 2002
Application: Windows Explorer
Platforms: Windows XP
Severity: Remote code execution
Vendors: Microsoft (http://www.microsoft.com)
Authors: Tony Bettini, Foundstone (firstname.lastname@example.org)
CVE Candidate: CAN-2002-1327
A buffer overflow exists in Explorer's automatic reading of MP3 or WMA (Windows Media Audio) file attributes in Windows XP. An attacker could create a malicious MP3 or WMA file that, if placed in a folder accessed on a Windows XP system, would compromise the system and allow remote code execution. The MP3 does not need to be played; it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site. Microsoft's WMA files also suffer from a similar vulnerability.
A Windows XP user visiting the site using Internet Explorer would be remotely compromised without any warning or download of files regardless of Internet Explorer security settings.
Unlike Windows 2000, Windows XP natively supports reading and parsing MP3 and WMA file attributes. If a user highlights an MP3 or WMA file with the cursor, applicable details of the media file will be displayed. Explorer automatically reads file attributes regardless of whether or not the user actually highlights, clicks on, reads, or opens the file. Windows XP's Explorer will overflow if corrupted attributes exist within the MP3 or WMA file.
An unsuspecting user merely needs to browse a folder (local or network share) that contains the file. For example, a user running Windows XP could download an MP3 from an Internet-based peer-to-peer file sharing mechanism (or anywhere else on the Internet) and then open their MP3 folder (to potentially listen to that MP3 or any other MP3). Upon folder access, Explorer would execute the code contained within the file attributes. The code could do anything from running a reverse shell to infecting other MP3 files on the computer.
Users of Windows 2000 or other non-Windows XP operating systems are unaffected, and even MP3s with corrupt attributes will play fine on those operating systems with most players.
Two additional attack vectors exist for this vulnerability via a web browser as well as Outlook. A malicious website could contain an IFRAME of a NetBIOS share that holds a malicious MP3. Similarly, an email could be sent to an Outlook user containing HTML that references the NetBIOS share. Depending on Outlook security settings and preferences, this attack may not be directly exploitable via an email message. However, if the user browses to a malicious web site with Internet Explorer directly, the attack will work regardless of the Internet Explorer security settings.
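The advisory does not say which attribute field triggers the overflow, only that Explorer parses corrupted attributes automatically. As an added defensive example (not Foundstone's or Microsoft's code), the checker below validates the structural consistency of ID3v2 tags, the standard container for MP3 attributes, so that files whose declared attribute sizes do not fit inside their own tag can be flagged before they land in a folder that Explorer will browse. It assumes ID3v2.3/2.4 layout and does not cover WMA (ASF) metadata; the sample tags are constructed inline.

```python
"""Flag MP3 files whose ID3v2 attribute frames are structurally inconsistent."""
import struct


def _syncsafe(b: bytes) -> int:
    # ID3v2 tag size (and v2.4 frame sizes) use 4 bytes carrying 7 bits each.
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def check_id3v2(data: bytes) -> list[str]:
    """Return findings for malformed ID3v2 metadata; an empty list means well-formed."""
    findings = []
    if len(data) < 10 or data[:3] != b"ID3":
        return findings  # no ID3v2 tag: nothing for an attribute parser to read
    major = data[3]
    if any(x & 0x80 for x in data[6:10]):
        findings.append("tag size bytes have the high bit set (not syncsafe)")
    tag_size = _syncsafe(data[6:10])
    tag_end = 10 + tag_size
    if tag_end > len(data):
        findings.append(f"declared tag size {tag_size} exceeds file length {len(data) - 10}")
        tag_end = len(data)  # clamp so the frame walk stays inside the buffer
    pos = 10
    while pos + 10 <= tag_end:
        frame_id = data[pos:pos + 4]
        if frame_id == b"\x00\x00\x00\x00":
            break  # padding after the last frame
        if not all(c in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" for c in frame_id):
            findings.append(f"invalid frame id {frame_id!r} at offset {pos}")
            break
        raw = data[pos + 4:pos + 8]
        frame_size = _syncsafe(raw) if major == 4 else struct.unpack(">I", raw)[0]
        remaining = tag_end - (pos + 10)
        if frame_size > remaining:
            findings.append(f"frame {frame_id.decode()} declares {frame_size} bytes, only {remaining} remain in tag")
            break
        pos += 10 + frame_size
    return findings


def _build_tag(frames) -> bytes:
    # Constructed ID3v2.3 tag: header + frames (id, big-endian size, flags, payload).
    body = b"".join(fid + struct.pack(">I", len(p)) + b"\x00\x00" + p for fid, p in frames)
    n = len(body)
    return b"ID3\x03\x00\x00" + bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F]) + body


# Constructed samples, not real files: a consistent tag followed by audio-like bytes,
# and a tag whose TIT2 frame claims far more bytes than the 20-byte tag holds.
GOOD = _build_tag([(b"TIT2", b"\x00Title"), (b"TPE1", b"\x00Artist")]) + b"\xff\xfb" * 8
BAD = b"ID3\x03\x00\x00" + bytes([0, 0, 0, 20]) + b"TIT2" + struct.pack(">I", 0x7FFFFFFF) + b"\x00\x00" + b"\x00" * 10

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_id3v2(sample) or "ok")
```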
Microsoft has issued a fix for this vulnerability; it is available at:
Foundstone would like to thank Microsoft Security Response Center for their prompt handling of this vulnerability.
Foundstone recommends reviewing the Microsoft Security Bulletin and immediately applying the Microsoft patch.
The FoundScan Enterprise Vulnerability Management System has been updated to check for this vulnerability. For more information on FoundScan, go to: http://www.foundstone.com
The information contained in this advisory is copyright (c) 2002 Foundstone, Inc. and is believed to be accurate at the time of publishing. However, no representation of any warranty is given, expressed, or implied as to its accuracy or completeness. In no event shall the author or Foundstone be liable for any direct, indirect, incidental, special, exemplary or consequential damages resulting from the use or misuse of this information. This advisory may be redistributed, provided that no fee is assigned and that the advisory is not modified in any way.
About Foundstone
Foundstone Inc. addresses the security and privacy needs of Global 2000 companies with world-class Enterprise Vulnerability Management Software, Managed Vulnerability Assessment Services, Professional Consulting and Education offerings. The company has one of the most dominant security talent pools ever assembled, including experts from Ernst & Young, KPMG, PricewaterhouseCoopers, and the United States Defense Department. Foundstone executives and consultants have authored nine books, including the international best seller Hacking Exposed: Network Security Secrets & Solutions. Foundstone is headquartered in Orange County, CA, and has offices in New York, Washington, DC, San Antonio, and Seattle. For more information, visit www.foundstone.com or call 1-877-91-FOUND.
Copyright (c) 2002 Foundstone, Inc. All rights reserved worldwide.