[Am-info] [Fwd: Re: Windows Media Player executes WMF content in .MP3 files.]

Geoffrey esoteric@3times25.net
Mon, 25 Feb 2002 16:26:28 -0500


I don't know guys, but this kind of stupidity on Microsoft's part just 
amazes me.  It's like they go out of their way to continue to enhance 
the 'virus super highway.'


-------- Original Message --------
Subject: Re: Windows Media Player executes WMF content in .MP3 files.
Date: Sat, 23 Feb 2002 21:13:52 -0500
From: Brian McWilliams <brian@pc-radio.com>
To: David Korn <dkorn@pixelpower.com>, "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>

I've confirmed the report below.

Windows Media Player (like RealPlayer) allows content developers to create
slide shows or "illustrated audio." That is, you can create a stream in the
player's native media format (.asf, .wma, .wmf) that includes embedded
URLs, scripts, etc.

http://msdn.microsoft.com/library/en-us/dnwmt/html/wmp7_urlflips.asp

Turns out that if you feed the WMP a .wma file that has embedded URLs and
that has been renamed to end in .mp3, the WMP will happily treat the file
like one of its own and launch the URLs in the browser when it encounters
them in the stream.

Demo here:

http://www.pc-radio.com/gimp.mp3

59k (19 second) wma file that has been renamed to mp3. Should launch three
separate Web pages during playback with Windows Media Player.

Brian

At 09:10 AM 2/22/2002, David Korn wrote:

 >   I don't know if this is a known vulnerability or not, but it just
 >happened to a usenet acquaintance of mine:
 >
 >[ From Message-ID: <MPG.16d20065551d97599897f5@netnews.attbi.com>,
 >available at http://howardk.moonfall.com/msgid.cgi?ID=101419648800 ]
 >
 >---begin quote---
 >My ex sent me an mp3 she'd dloaded on Gnotella:
 >
 >"lifehouse - hanging by a moment - rare version.mp3"
 >
 >When this file is opened [only works with MS Media player] a *porno* vid
 >starts playing, and triggers a MASSIVE amount of pop-up ads. I don't use
 >media player as my default, has this been going on all the time? and if
 >so does anyone know how they do it?
 >---end quote---
 >
 >   Inspection of the file in a hex editor revealed:
 >
 >[ From Message-ID: <Jgua8.2390$5o.1006831@newsr2.u-net.net>,
 >available at http://howardk.moonfall.com/msgid.cgi?ID=101419654600 ]
 >
 >---begin quote---
 >Hmm.  Here's the file beginning, in hex:
 >
 >0000: 30 26 b2 75 8e 66 cf 11......
 >
 >   Now, according to http://home.swipnet.se/grd/mp3info/mp3doc.html,
 >
 >mp3 frame headers begin with 12 1 bits, so there should be a FF byte
 >followed by a byte beginning with E or F, so that's not an mp3 frame header.
 >The first mp3 frame header appears to start at offset 0x0829 where there's
 >an FF F7 sequence...
 >
 >   Nor is it a vbr header, nor an ID3 tag, since it doesn't have any readable
 >ascii words there.
 >
 >   However, looked at as unicode, I see a lot of stuff like.....
 >
 >GirlsOntheStreetThisIsRealAskedToHaveSexForMone
 >WMFSDKVersion 8.00.00.4477
 >WMFSDKNeeded 0.0.0.0000
 >URL     http://www.entirelynude.com/bangbus.htm
 >
 >   So I think we have our answer.  It's a .wmf file with a fake extension,
 >and stupid old windoze goes and opens it as the type detected from the
 >contents rather than the type detected from the extension.  This is the same
 >kind of vulnerability that lets a webserver send an .exe to your browser
 >with a .wav file-extension in the mime headers and have it auto-run, and
 >represents a new potential for social-engineering of windoze users.
 >
 >---end quote---
 >
 >   The file did indeed have a .mp3 extension; no double-extension trick
 >was used.
 >
 >   The WMP version in question is 8.00.00.4477; I haven't tried it myself
 >to see if it works nor tested older versions.  I thought this might be
 >a reasonable place to ask if this problem is already widely known ?
 >
 >
 >      DaveK
 >--
 >Burn your ID card!  http://www.optional-identity.org.uk/
 >Help support the campaign, copy this into your .sig!
 >



-- 
Until later: Geoffrey		esoteric@3times25.net

I didn't have to buy my radio from a specific company to listen
to FM, why doesn't that apply to the Internet (anymore...)?
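The thread's diagnosis boils down to a content-versus-extension mismatch: a file named .mp3 whose first bytes are the ASF header GUID (the "30 26 b2 75 8e 66 cf 11" in the hex dump) rather than an MPEG frame sync (FF followed by a byte whose top bits are set). The following is an added defender-side checker, not code from the thread, that flags such files; the sample inputs are constructed, and the full 16-byte ASF Header Object GUID is assumed from the ASF specification (the thread shows only its first eight bytes).

```python
from pathlib import Path
from typing import Optional

# ASF Header Object GUID as stored on disk (75B22630-668E-11CF-A6D9-00AA0062CE6C);
# its first eight bytes are the "30 26 b2 75 8e 66 cf 11" seen in the thread's hex dump.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")


def is_asf(data: bytes) -> bool:
    """True when the buffer starts with an ASF (.asf/.wma/.wmv) header object."""
    return data[:16] == ASF_HEADER_GUID


def mp3_sync_offset(data: bytes, limit: int = 4096) -> Optional[int]:
    """Offset of the first MPEG audio frame sync (0xFF then a byte with its top
    three bits set, i.e. FFEx/FFFx) within `limit` bytes, skipping a leading
    ID3v2 tag; None if no sync is found."""
    start = 0
    if data[:3] == b"ID3" and len(data) >= 10:
        size = 0
        for b in data[6:10]:          # ID3v2 size is four 7-bit "syncsafe" bytes
            size = (size << 7) | (b & 0x7F)
        start = 10 + size
    for i in range(start, min(len(data) - 1, start + limit)):
        if data[i] == 0xFF and (data[i + 1] & 0xE0) == 0xE0:
            return i
    return None


def classify(data: bytes) -> str:
    """Classify by content, the way the player does, not by file name."""
    if is_asf(data):
        return "asf"
    if mp3_sync_offset(data) is not None:
        return "mp3"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True for the case in the thread: a .mp3 name carrying an ASF container."""
    return Path(name).suffix.lower() == ".mp3" and classify(data) == "asf"


# Constructed samples (not real files): an ASF header followed by a UTF-16 URL
# field like the one seen in the dump, and a minimal MP3 with a 10-byte ID3v2 body.
FAKE_MP3 = ASF_HEADER_GUID + b"\x00" * 14 + "URL\thttp://example.invalid".encode("utf-16-le")
REAL_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\x00" * 10 + b"\xff\xfb\x90\x00"

if __name__ == "__main__":
    for name, data in (("song.mp3", FAKE_MP3), ("song.mp3", REAL_MP3)):
        print(name, classify(data), "MISMATCH" if extension_mismatch(name, data) else "ok")
```

For a directory scan, read the first 4 KiB of each candidate file and pass its name and bytes to `extension_mismatch`.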