Windows Media Player executes WMF content in .MP3 files.

[David Korn <dkorn () pixelpower com>]

  I don't know if this is a known vulnerability or not, but it just
happened to a usenet acquaintance of mine:

[ From Message-ID: <MPG.16d20065551d97599897f5 () netnews attbi com>,
available at http://howardk.moonfall.com/msgid.cgi?ID=101419648800 ]

---begin quote---
My ex sent me an mp3 she'd dloaded on Gnotella:

"lifehouse - hanging by a moment - rare version.mp3"
 
When this file is opened [only works with MS Media player] a *porno* vid 
starts playing, and triggers a MASSIVE amount of pop-up ads. I don't use 
media player as my default, has this been going on all the time? and if 
so does anyone know how they do it?
---end quote---

  Inspection of the file in a hex editor revealed:

[ From Message-ID: <Jgua8.2390$5o.1006831 () newsr2 u-net net>,
available at http://howardk.moonfall.com/msgid.cgi?ID=101419654600 ]

---begin quote---
Hmm.  Here's the file beginning, in hex:

0000: 30 26 b2 75 8e 66 cf 11......

  Now, according to http://home.swipnet.se/grd/mp3info/mp3doc.html,

mp3 frame headers begin with 12 1 bits, so there should be a FF byte
followed by a byte beginning with E or F, so that's not an mp3 frame header.
The first mp3 frame header appears to start at offset 0x0829 where there's
an FF F7 sequence...

  Nor is it a vbr header, nor an ID3 tag, since it doesn't have any readable
ascii words there.

  However, looked at as unicode, I see a lot of stuff like.....

GirlsOntheStreetThisIsRealAskedToHaveSexForMone
WMFSDKVersion 8.00.00.4477
WMFSDKNeeded 0.0.0.0000
URL     http://www.entirelynude.com/bangbus.htm

  So I think we have our answer.  It's a .wmf file with a fake extension,
and stupid old windoze goes and opens it as the type detected from the
contents rather than the type detected from the extension.  This is the same
kind of vulnerability that lets a webserver send an .exe to your browser
with a .wav file-extension in the mime headers and have it auto-run, and
represents a new potential for social-engineering of windoze users.

---end quote---

  The file did indeed have a .mp3 extension; no double-extension trick
was used.

  The WMP version in question is 8.00.00.4477; I haven't tried it myself
to see if it works nor tested older versions.  I thought this might be
a reasonable place to ask if this problem is already widely known ?


     DaveK
-- 
Burn your ID card!  http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!


**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************