lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <000801c314fc$c796f8a0$0200000a@pluto>
Date: Thu, 8 May 2003 02:57:19 +0200
From: "jelmer" <jelmer@...erus.xs4all.nl>
To: <bugtraq@...urityfocus.com>
Subject: why i love xs4all + mediaplayer thingie

Why i love xs4all rant (you'll probably wanna skip this but i need to get
this out of my system):

    a few weeks back i was unpleasantly suprised by the fact that my
internet wasn't working
    the support desk employee after making me reset my modem a dozen times
and tripple checking
    my settings finaly found out that i had an abuse ticket.
    I supposedly portscanned (a harmless process) :S some poor guy who felt
the need to complain about it. They wouldn't tell me who
    it was when it happened or anything. being the second warning (over a 2
year!! period) they descided they
    had no other alternative then to shut me down. I am not aware of
anything i have done wrong, but i am not
    given any option to defend myself against the allergations, I dont just
randomly portscan people.

    In essense you are conficted without even hearing the evidence or being
apointed a lawyer.
    This is a really scary thought because in essence any of the following
situations will lead to cancelation of
    your account

    You activly seek out flaws in a website, you report them to a website
owner, he doesn't like this and rather than
    fix the problem notifies your ISP xs4all to complain about it. resulting
in cancelation of your account.
    You wont even know who complained because and explain the whole thing
because xs4all grants the complaining
    party anonimity

    You get hacked and someone uses your machine to do something nasty

    An online chatbuddy asks you to nmap his machine to see if the firewall
he set up is working properly
    after a while the friendship goes sour and just to piss you off he
reports the scanning.

    someone sends you an email containing all sorts of
    <img src="http://www.mysite.com/login.asp?username=a'or 1=1;--">
    kinda stuff, look xs4all!! he hacked my site , just look at my logs and
xs4all's connection logs
    will show the connections where made from your ip matching the
timestamps in the log

    probably a dozen other ways are possible, and there's no way to find out
what has been going on
    this shielding of the sources is ridiculous, what will i do tell the
world i nmapped him?
    well whoopdiedoo call out the witness protection program

    Particularly cute is the other day i see an interview with cor bosman
telling how xs4all
    founders where titled the hacker thread from holland etc
    I have a 4 letter acronym for him, you figure it out


Description :

    Windows Media Player allows you to play audio and video files
    locally stored and streamed from the Internet.
    It includes a visualizer, a jukebox, a media guide,
    an Internet radio tuner, and support for
    countless media formats and various external devices.
    There is is a flaw in Windows media player 7 and 8 that allows
    execution of arbitrary code
    Vulnerable versions are shipped by default with
    all recent windows distributions including 98 and 2000 and xp


Details :

    Windows media player skin (.WMZ) files are automaticly opened by
internet explorer
    As a security precaution they are placed in a folder with a random name
similar to this :

    C:\Program Files\Windows Media Player\Skins\004B1813

    However this can be trivially defeated by setting the following http
headers.

    Content-Disposition: filename=%2e%2e%5cjelmer.wmz
    Content-Type: application/download

    <content follows>

    %2e%2e%5cjelmer.wmz is the url encoded path ..\jelmer.wmz , windows
media player urldecodes this and the
    path becomes :

    C:\Program Files\Windows Media Player\Skins\004B1813\..\jelmer.wmz

    witch is equivilent to

    C:\Program Files\Windows Media Player\Skins\jelmer.wmz

    witch is a known location on the filesystem, witch is a "very bad thing"
(tm)
    to make matters worse we could append an urlencoded null byte to the
file name and "spoof" the extention
    like this


"%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cDocuments%20and%20Settings%5CAll%20User
s%5CStart%20Menu%5CPrograms%5CStartup%5csomefile.exe%00.wmz

    witch drops an executable in the windows startup folder (on an english
xp system)


Systems affected :

    Both media player 7.1 and 8 are affected by the flaw, 9 proofed
unaffected


Example :

    I should have attached a sample exploit


Vendor status :

    Microsoft was notified 23-03-2003 and has issued a fix the details are
available at

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-017.asp
    Credit was shared because apperently Jouko reported the same issue at
aproximatly the same time

Solution :

    Update to the latest version of media player


Download attachment "MediaPlayerExploit.java" of type "application/octet-stream" (2284 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ