Windows Media Player
ZDI-07-046: Microsoft Windows Media Player Skin Parsing Size Mismatch
Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-046.html
August 14, 2007
-- CVE ID:
CVE-2007-3037
-- Affected Vendor:
Microsoft
ZDI-07-047: Microsoft Windows Media Player Malformed Skin Header Code
Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-047.html
August 14, 2007
-- CVE ID:
CVE-2007-3035
-- Affected Vendor:
Microsoft
VUPEN Security Research - Microsoft Windows Media Player DVR-MS Buffer
Overflow Vulnerability (MS11-092)
Website : http://www.vupen.com/english/research.php
Twitter : http://twitter.com/vupen
I. BACKGROUND
---------------------
> major browsers, The solution is to invoke the protocol handler from within an
> <iframe> in an ASX HtmlView element. There are probably other ways.
>
> http://en.wikipedia.org/wiki/Advanced_Stream_Redirector
>
> The version of Windows Media Player that is available by default in Windows XP
> is WMP9, which installs an NPAPI and ActiveX plugin to render windows media
> content. Later versions also can be used, with some minor complications.
>
> Thus, the attack will look like this:
>
----------------------------------------------------------------------------------------
MS Windows Media Player * (.WAV) Remote Integer Overflow

Application: ALL Windows Media Player

Web Site: www.microsoft.com

Platform: Windows ALL

Bug: Remote Integer Overflow
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
> Host: www.footprints-inthe-sand.com
> Connection: Keep-Alive
>
> It could either be because of what Sean said with the Range request or the Partial GET Request in Firefox. But I think you are probably correct Rolphin, as I've had a lot of Windows Media Player crashes recently. Either way, Windows Media Player should probably not be incorporated into Firefox if it's going to crash. A more stable platform should be used (such as Silverlight)
You can choose a different player within the preferences of Firefox.
What is the problem again?
--
Brief History
----------------------------------------------------------------
A division by zero leads to a denial of service on:
Microsoft Windows Media Player version 11

If you open a specially crafted .au file in Windows Media Player
you will crash the player with the following error:

Exception number: c0000094 (divide by zero)
*** Windows Media Player Plugin: Local File Detection Vulnerability ***
A design flaw in Windows Media Player 11 allows a remote attacker to determine the presence of local files (programs, documents, etc.). I sent an e-mail to Microsoft (nearly a year ago) but they never responded...
Windows Media Player permits opening locally stored media files. Opening non-supported files usually provokes an error message. By a simple HTTP redirect, the error message can be circumvented. Local files can be opened. The file-opening procedure can be controlled with the "Player.OpenStateChange Event". If a file exists, event 8 ("MediaChanging") is fired. This way, via JavaScript, a malicious web site could determine the presence of local (and remote) files.
Additional info (in German): www.lrv.ch.vu
I've also set up a demo page at: http://lrv.bplaced.net/wmp/wmp.php
ZDI-10-070: Microsoft Windows Media Player Codec Retrieval Dangling Pointer Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-070
April 13, 2010
-- CVE ID:
CVE-2010-0268
-- Affected Vendors:
Microsoft
ZDI-12-034 : Microsoft Windows Media Player ASX Meta-File Parsing
Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-12-034
February 22, 2012
-- CVE ID:
CVE-2012-0150
Err... Windows Media Player 11 update DOES come through on M$ Update. Of
course not via the Express mode, but via Custom mode. It is a
recommended update. When someone tells me "they have fully patched their
system" I am assuming that they have applied any and all patches
available from M$ without discrimination.
-----Original Message-----
From: pdp (architect) [mailto:pdp.gnucitizen@googlemail.com]
Sent: Tuesday, September 18, 2007 3:00 PM
software site: http://www.sopcast.org/
Through the SetExternalPlayer() method and the ExternalPlayer property
it is possible to associate an arbitrary executable with the "external player"
button (for clarity see http://www.sopcast.com/docs/ where the player
control buttons are shown), which opens Windows Media Player by default.
When the user clicks this button, the executable is launched without prompts.
This value is also stored in config.xml, inside the sopcast local folder,
for further use, e.g. with the sopcast client application.
Note: this control is marked safe for scripting and safe for initialization.
This method sends the 'commandString' to the Windows shell with optional
parameters in 'paramString'. For security reasons, this function is not
available when running in a web browser. If you set 'commandIsProgId' to
true, you can launch a utility by its 'ProgID', e.g. 'WMP.DVD' with
parameter 'play' would play a DVD in Windows Media Player.
In our tests, despite what is stated in the documentation, we found that
the function is actually available to both the Internet Explorer and
Firefox browser plug-ins. In the IE plug-in the user does get a warning
about the security implications of allowing such '.dxstudio' file to
>
> The OK GET Request (HTTP 200 Status Code) of the WAV file is
> listed below in RAW format:
> GET /fpaudio/footprints_waves.wav HTTP/1.1
> Accept: */*
> User-Agent: Windows-Media-Player/10.00.00.3802
> UA-CPU: x86
Oh! It seems that you've found the problem...
Maybe a bug in Windows Media Player?
Hello Team,
I have attached a file WMPExploit.pl which exploits the memory vulnerability in Windows Media Player 11.0.5721.5145, which can be used to perform a Denial of Service attack :) and to cause a crash.
To run this file, run WMPExploit.pl using perl and then you may open the generated exploit .avi file using Windows Media Player. If run properly, many times there is a crash every time the victim opens the folder in which the exploit is placed.
Thanks and Regards,
^Xecuti0N3r
yes, of course :) but you are running Windows Media Player 11 which is
not the default one for Windows XP SP2. Moreover, this Media Player
edition is not slipped through any software update either. Therefore,
if you are not a Media Player fan, you will never get this version on
a fully patched XP SP2 machine. I tend to use iTunes on XP SP2, so yes
I am vulnerable.
On 9/18/07, Memisyazici, Aras <arasm@vt.edu> wrote:
> Hi pdp!
>
ZDI-09-069: Microsoft Windows Media Player Audio Voice Sample Rate Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-069
October 13, 2009
-- CVE ID:
CVE-2009-0555
-- Affected Vendors:
Microsoft
There is a vulnerability in Windows Media Audio Voice decoder
distributed with Windows Media Player that allows remote code
execution by opening a specially crafted web page.
###################
#The vulnerability#
###################
The cause of the vulnerability is a bound checking error in the code
used to decompress Windows Media Audio Voice compressed audio files
-------------------------------------------------
MS Patch - MS08-053 Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)
Analysis - SMA does not have this component. Patch will not run successfully.
Action - Customers should not be concerned with this issue
-------------------------------------------------
MS Patch - MS08-054 Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)
Analysis - SMA does not have this component. Patch will not run successfully.
Action - Customers should not be concerned with this issue
-------------------------------------------------
MS Patch - MS08-055 Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047)
Analysis - SMA does not have this component. Patch will not run successfully.
VI. VENDOR RESPONSE
Microsoft has released a patch which addresses this issue. This patch
mitigates the vulnerability by blocking the Indeo codec from being
launched in Internet Explorer or Windows Media player, and by removing
the ability to load this codec from Internet zone by any other
applications. For more information, consult its advisory at the
following URL:
http://www.microsoft.com/technet/security/advisory/954157.mspx
Microsoft Windows XP SP3
Microsoft Windows 2003 SP2
-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of Microsoft Windows Media Player. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page or open a malicious file.
The specific flaw exists within the Intel Indeo41 codec which is
accessed by various applications through the Video Compression Manager.
but what about if we do:
http://dams083.free.fr/tmp/putty.exe?1.txt
... the .exe is shown.
now let's go a bit further:
http://dams083.free.fr/tmp/putty.exe?1.cda
wow, my .exe is downloaded directly and located in temporary files (and """opened""" by Windows Media Player).
works with these extensions:
.log
.dif
.sol
.htt
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x66\x66\x66\x00")
print "[x] Windows Media Player 11 DoS by Adonis a.K.a NtWaK0 and Abed aka Nophie."
try:
f = open("test.au",'w')
except IOError, e:
print "Unable to open file ", e
http://www.gnucitizen.org/blog/backdooring-windows-media-files
It is very easy to put some HTML inside files supported by Window
Media Player. The interesting thing is that these HTML pages run in
less restrictive IE environment. I found that a fully patched windows
XP SP2 with IE6 or IE7 and Windows Media Player 9 (default) will open
any page of your choice in IE even if your default browser is Firefox,
Opera or anything else you have in place. It means that even if you
are running Firefox and you think that you are secure, by simply
opening a media file, you expose yourself to all IE vulnerabilities
there might be. Plus, attackers can perform very very interesting