
Thread: How exploit vulnerability? (ie: like .mp3)

  1. #1 Junior Member (joined Jan 2003, 6 posts)

    How exploit vulnerability? (ie: like .mp3)

    Thanks guys so far, but after reading some stuff I have some more questions.
    I read about the Windows XP vulnerability with bad mp3 files which can crash your computer.
    Now, my question is, how do they do that? Obviously, I don't know how to program, so I'm a little clueless on that part. But is there some sort of explanation that could be made in simpler terms?
    Teach me what you know, I want to learn it all...

  2. #2 Senior Member kadeng (joined Jan 2002, 244 posts)

    Re: How exploit vulnerability? (ie: like .mp3)

    Windows XP reads information from the digital music files, a feature that hackers can use to insert their own code, allowing them to get into your computer and change or kill data there.

    http://www.suntimes.com/output/tech/cst-nws-hack20.html
    I'm gone, thanks everyone for so much fun and good info.
    Cheers and goodbye.

  3. #3 phishphreek (AO übergeek, joined Jan 2002, 4,325 posts)

    Source:
    Foundstone tagged its highest warning label on the vulnerability, warning that it is very easy to exploit. "The MP3 does not need to be played, it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site."
    Here is a more detailed article about the vulnerability.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4 tampabay420 (Senior Member, joined Aug 2002, 953 posts)

    Re: Re: How exploit vulnerability? (ie: like .mp3)

    Originally posted here by kadeng
    Windows XP reads information from the digital music files, a feature that hackers can use to insert their own code, allowing them to get into your computer and change or kill data there.

    http://www.suntimes.com/output/tech/cst-nws-hack20.html
    If kadeng is correct, this is called code insertion (someone please correct me if I'm wrong)... This usually goes hand-in-hand with buffer overflows...

    Code Insertion and Buffer Overflows explained: http://www.cultdeadcow.com/cDc_files/cDc-351/
    yeah, I'm gonna need that by friday...

  5. #5 Webius Designerous Indiginous (joined Mar 2002, South Florida, 1,123 posts)

    Taken from a SANS Critical Vulnerability Analysis email:
    Description:
    The Windows Shell framework included with Windows XP contains a buffer
    overflow in the handling of large audio file attributes, allowing a
    malicious MP3 or WMA file to execute arbitrary code. Because Windows
    XP provides native support for parsing MP3 and WMA file attributes
    via Explorer, a malicious file would not need to be opened/played in
    order to exploit the vulnerability. If a user simply opens a folder
    containing the file, Explorer will read the file attributes and the
    buffer overflow will occur.

    Similarly, an XP user browsing a hostile website using Internet
    Explorer could be remotely compromised simply by hovering their mouse
    over an icon for a malicious file. Further, under some circumstances,
    an HTML email can launch the attack automatically when the XP recipient
    opens or previews the email.

    Risk: Compromise of Windows XP machines at the privilege level of
    the XP user encountering the hostile audio file.

    Deployment: Widely deployed.

    Ease of Exploitation: Unknown.
    An attacker must create an audio file which carries a large, corrupt
    custom attribute. Given that there are a limited number of ways to
    manipulate attributes, an attacker may be able to gain substantial
    information through experimentation.

    Status: Vendor confirmed, patches available.

    References:
    Microsoft Advisory:
    http://www.microsoft.com/technet/sec...n/MS02-072.asp

    Foundstone Advisory:
    http://www.foundstone.com/knowledge/...ay.html?id=339

    Council Site Actions:
    Only a few of the Council sites reported use of the XP O/S within
    their organizations, all of which are very limited deployments.
    Several of the sites have notified their desktop support groups. One
    site will be rolling out the patches (via SMS) during the next regular
    patch update cycle.

    Most of the council sites use automatic AV signature updating software
    and are actively blocking MP3's (and other file types) at the network
    perimeters via web proxies. These actions greatly reduce the risk
    created by this vulnerability.

    Hope that clears it up a bit more.
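The SANS description above puts the bug in "the handling of large audio file attributes": Explorer reads a length out of the file and trusts it. The following is an added example, not code from the forum, SANS, Foundstone or Microsoft, showing the check such an attribute reader needs. It reads a text frame out of an ID3v2.3 tag, the standard attribute container for MP3 files (the page itself never names the format, so that is an assumption), and compares the size the file declares against both the bytes actually present and the fixed destination buffer before copying anything. The 64-byte destination and the `build_tag` helper that constructs the test input are assumptions for illustration, not Windows Shell internals.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of reading one text attribute from an ID3v2.3 tag. */
enum id3_status { ID3_OK = 0, ID3_BAD_HEADER, ID3_TRUNCATED, ID3_FRAME_TOO_LARGE, ID3_NOT_FOUND };

/* Fixed-size destination, standing in for whatever buffer a file browser shows
   the title in. The size is an assumption for this example. */
#define TITLE_CAP 64

/* ID3v2 header size: four 7-bit bytes with the high bit of each clear. */
static uint32_t syncsafe(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* ID3v2.3 frame sizes are plain 32-bit big-endian integers. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Locate the frame with the 4-byte id (e.g. "TIT2", the title) and copy its text
   body into out[cap] as a NUL-terminated string. Every length that comes from the
   file is checked against what is really in memory before it is trusted. */
enum id3_status id3_read_text(const uint8_t *buf, size_t len, const char *id,
                              char *out, size_t cap) {
    if (len < 10 || memcmp(buf, "ID3", 3) != 0 || buf[3] != 3) return ID3_BAD_HEADER;
    uint32_t tag_size = syncsafe(buf + 6);
    if (tag_size > len - 10) return ID3_TRUNCATED;          /* header promises more than we hold */
    size_t pos = 10, end = 10 + tag_size;
    while (pos + 10 <= end) {
        if (buf[pos] == 0) break;                             /* zero byte: reached the padding */
        uint32_t fsize = be32(buf + pos + 4);
        if (fsize > end - (pos + 10)) return ID3_TRUNCATED;   /* frame overruns the tag */
        if (memcmp(buf + pos, id, 4) == 0) {
            if (fsize < 1) return ID3_TRUNCATED;              /* text frames begin with an encoding byte */
            size_t text_len = fsize - 1;
            /* This is the check an unchecked memcpy(out, data, fsize) lacks: a file can
               declare any size, but the destination cannot grow to match. */
            if (text_len >= cap) return ID3_FRAME_TOO_LARGE;
            memcpy(out, buf + pos + 11, text_len);
            out[text_len] = '\0';
            return ID3_OK;
        }
        pos += 10 + fsize;
    }
    return ID3_NOT_FOUND;
}

/* Constructed test input, not a real file: a minimal ID3v2.3 tag holding one TIT2
   frame whose text is n bytes of 'A'. Returns bytes written, or 0 if it does not fit. */
size_t build_tag(uint8_t *dst, size_t dst_len, uint32_t n) {
    uint32_t fsize = 1 + n, tag_size = 10 + fsize;
    size_t total = 10 + (size_t)tag_size;
    if (n >= (1u << 27) || total > dst_len) return 0;
    memcpy(dst, "ID3", 3);
    dst[3] = 3; dst[4] = 0; dst[5] = 0;                                /* version 2.3.0, no flags */
    dst[6] = (uint8_t)((tag_size >> 21) & 0x7f); dst[7] = (uint8_t)((tag_size >> 14) & 0x7f);
    dst[8] = (uint8_t)((tag_size >> 7) & 0x7f);  dst[9] = (uint8_t)(tag_size & 0x7f);
    memcpy(dst + 10, "TIT2", 4);
    dst[14] = (uint8_t)(fsize >> 24); dst[15] = (uint8_t)(fsize >> 16);
    dst[16] = (uint8_t)(fsize >> 8);  dst[17] = (uint8_t)fsize;
    dst[18] = 0; dst[19] = 0;                                          /* frame flags */
    dst[20] = 0;                                                       /* text encoding: ISO-8859-1 */
    memset(dst + 21, 'A', n);
    return total;
}

int main(void) {
    uint8_t file[512];
    char title[TITLE_CAP];
    size_t n = build_tag(file, sizeof file, 5);
    printf("5-byte title: status %d, title \"%s\"\n",
           id3_read_text(file, n, "TIT2", title, sizeof title), title);
    n = build_tag(file, sizeof file, 200);
    printf("200-byte title: status %d (%d = rejected as too large)\n",
           id3_read_text(file, n, "TIT2", title, sizeof title), ID3_FRAME_TOO_LARGE);
    printf("same tag cut to 30 bytes: status %d (%d = truncated)\n",
           id3_read_text(file, 30, "TIT2", title, sizeof title), ID3_TRUNCATED);
    return 0;
}
```

The two rejections are the point: a frame that declares more bytes than the tag contains is refused before the parser reads past the end of the file data, and a frame that fits the file but not the destination is refused before the copy. A reader that performs only the first check, or neither, is the pattern the SANS text describes.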

  6. #6 Junior Member (joined Jan 2003, 6 posts)

    Thanks for the information about the mp3 exploit but what about other exploits?
    I mean, how do people figure this stuff out? How do they write these codes to exploit these vulnerabilities?
    Teach me what you know, I want to learn it all...

  7. #7 tampabay420 (Senior Member, joined Aug 2002, 953 posts)

    PC Girl: The people who write/discover these exploits have a lot of time on their hands + most of them are very inquisitive people... The link I posted above explains overflows in detail... "Exploit" is far too large of a category to explain in one post...

    Basically, these people look for bugs, trying everything, hoping something will work (or in this case, "not work"). btw- a search on exploits brings up AntiOnline.com (where you can find tons of exploits, isn't that funny- to find sploits on a "security" site... + you won't find any patches or papers on how to patch up holes?)
    yeah, I'm gonna need that by friday...

  8. #8 Junior Member (joined Jan 2003, 6 posts)

    Thanks for the above link, I have been reading it in parts.
    I know that exploits seem to be a large category to speak of, but besides the buffer overflows, are there other common vulnerabilities that surface often?
    Teach me what you know, I want to learn it all...

  9. #9 Banned (joined Mar 2002, 968 posts)

    Like many guys have said, it's a wide-ranging subject.

    See, the mp3 exploit is just needed to inject code into the mp3 file.

    But here's another example of an exploit:
    Some websites (like AO) have disabled html tags on their message boards, guest books and other entry fields that users can input text. Why? because some users would enter html or java code that would either send a user to another site that contains bad code or to a "local" area on the computer (ie: /con/con on your computer - which doesn't exist, but crashes the computer on 98 and lower)

    Also, an old exploit with Hotmail was simply adding the hotmail account username at the end of the address line to see their account & have control over it (so long as they are logged in) This is by far a past exploit (I think '98) and is far from working.
    (ie: http://www.hotmail.com/...blah...jklfd%770:username)

    Some exploits need programs to be run to cause an error to happen. One exploit on win2k is to cause a general protection fault with calc.exe and then do something and give yourself a permission level increase.

    Basically, read up on it with searches on the net with engines like google.com and wordings like how+do+exploits+work or windows98+exploit or other types of combinations....

    Basically, an exploit is using an error in the code and making the program do what it's not supposed to do. Hope that helps...
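The message-board case in post #9 is the same trust problem from the other side: the untrusted input is text a user types, and the fix the poster mentions is that sites disable HTML tags in it. The following is an added example, not the board's own code, of how that is usually done in practice: rather than stripping tags, the five characters that can open an HTML tag or attribute are replaced with entities, so the text is still shown but no longer interpreted as markup. The output buffer is bounded so the escaping step cannot itself overrun (each character can grow to six bytes).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy `in` into out[cap] as a NUL-terminated string, replacing the characters
   that can start a tag, end a tag, or break out of an attribute with HTML entities.
   Returns the number of bytes written (excluding the NUL), or -1 if `out` is too
   small, in which case nothing should be displayed. */
long html_escape(const char *in, char *out, size_t cap) {
    size_t used = 0;
    for (; *in; in++) {
        const char *rep;
        switch (*in) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;   /* stops users from writing their own entities */
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = NULL;     break;   /* anything else is copied through unchanged */
        }
        size_t n = rep ? strlen(rep) : 1;
        if (used + n >= cap) return -1;         /* keep one byte for the terminator */
        if (rep) memcpy(out + used, rep, n); else out[used] = *in;
        used += n;
    }
    out[used] = '\0';
    return (long)used;
}

int main(void) {
    /* Constructed guest-book entry, not a real post from the forum. */
    const char *entry = "<a href=\"http://example.invalid\">click me</a> & enjoy";
    char safe[256];
    long n = html_escape(entry, safe, sizeof safe);
    printf("%ld bytes: %s\n", n, safe);
    char tiny[8];
    printf("too small: %ld\n", html_escape(entry, tiny, sizeof tiny));
    return 0;
}
```

Escaping on output is preferred over filtering on input because it does not need to know every tag a browser might accept; whatever the user wrote is displayed literally. The `-1` path matters too: a routine that silently truncated would hand the browser a half-escaped string.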
