Date: Wed, 19 Sep 2007 19:28:12 +0100
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: "Rahul Mohandas" <rahulmohandas1@...il.com>
Cc: "Memisyazici, Aras" <arasm@...edu>, bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: security notice: Backdooring Windows Media Files

back online... too many visitors lately

On 9/19/07, Rahul Mohandas <rahulmohandas1@...il.com> wrote:
> Could someone send me the POCs please if you have a local copy.
> Gnucitizen.org is not accessible for me.
>
> Thanks
>
>
> ----- Original Message -----
> From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
> To: "Memisyazici, Aras" <arasm@...edu>
> Cc: <bugtraq@...urityfocus.com>; <full-disclosure@...ts.grok.org.uk>
> Sent: Wednesday, September 19, 2007 12:30 AM
> Subject: Re: security notice: Backdooring Windows Media Files
>
>
> > yes, of course :) but u are running Windows Media Player 11 which is
> > not the default one for Windows XP SP2. Moreover, this Media Player
> > edition has not slipped through any software update either. Therefore,
> > if you are not a Media Player fan, you will never get this version on
> > a fully patched XP SP2 machine. I tend to use iTunes on XP SP2, so yes
> > I am vulnerable.
> >
> > On 9/18/07, Memisyazici, Aras <arasm@...edu> wrote:
> >> Hi pdp!
> >>
> >> Great admirer of your work :) I just wanted to inform you that I have
> >> tested your claim on a fully patched/updated Win XP SP2 system with an
> >> admin account logged in, and was warned sufficiently (asked whether I
> >> wanted to play asx files, then asked if I was sure by Media Player, then
> >> the pop-up was blocked by IE), while the page you tried to produce was
> >> blocked via IE's pop-up blocker.
> >>
> >> You can see/confirm this by viewing these screenshots:
> >>
> >> http://preview.tinyurl.com/34xpcz
> >> (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie1.png)
> >>
> >> and
> >>
> >> http://preview.tinyurl.com/34jx5v
> >> (http://i189.photobucket.com/albums/z159/vtknightmare/noworkie2.png)
> >>
> >> This was tested on a plain/manila/vanilla version of XP SP2. All I did
> >> was update/upgrade to the latest available from M$ Update.
> >>
> >> Sincerely,
> >> Aras Memisyazici
> >> IT/Security/Dev. Specialist
> >>
> >> Outreach Information Services
> >> Virginia Tech
> >>
> >> -----Original Message-----
> >> From: pdp (architect) [mailto:pdp.gnucitizen@...glemail.com]
> >> Sent: Tuesday, September 18, 2007 11:58 AM
> >> To: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk
> >> Subject: security notice: Backdooring Windows Media Files
> >>
> >> http://www.gnucitizen.org/blog/backdooring-windows-media-files
> >>
> >> It is very easy to put some HTML inside files supported by Windows
> >> Media Player. The interesting thing is that these HTML pages run in a
> >> less restrictive IE environment. I found that a fully patched Windows
> >> XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open
> >> any page of your choice in IE even if your default browser is Firefox,
> >> Opera or anything else you have in place. It means that even if you
> >> are running Firefox and you think that you are secure, by simply
> >> opening a media file, you expose yourself to all IE vulnerabilities
> >> there might be. Plus, attackers can perform very very interesting
> >> phishing attacks. I prepared a simple POC which spawns a browser
> >> window in full screen mode... Think about how easy it is going to be
> >> to fake the Windows logout - login sequence and phish unaware users'
> >> credentials
> >>
> >> http://www.gnucitizen.org/projects/backdooring-windows-media-files/poc02.asx
> >>
> >> On the other hand Media Player 11 (Vista by default) is not exposed to
> >> these attacks.
> >>
> >> --
> >> pdp (architect) | petko d. petkov
> >> http://www.gnucitizen.org
> >>
> >
> >
> > --
> > pdp (architect) | petko d. petkov
> > http://www.gnucitizen.org
>

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org